#45 kde-kdesktopfile-command-injection

Closed
opened 7 months ago by sunjob · 11 comments
sunjob commented 7 months ago
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
sunjob commented 7 months ago
Poster

confirm bug

  • TDE-3.5.13
  • TDE-14.0.6
sunjob commented 7 months ago
Poster

I apologize for the freestyle (English is not my native language)

SlavekB added the SL/critical label 7 months ago
SlavekB added this to the R14.0.7 release milestone 7 months ago
sunjob commented 7 months ago
Poster

The problem is not the availability of this functionality, but that it should be allowed only for trusted paths:

/usr/... /usr/local/... /etc/... $XDG_CONFIG_HOME etc

And instead of implementing it as it should, you just deleted this functionality now. Wow...

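One concrete shape for the "allow it only for trusted paths" rule proposed in the comment above, written as an added example for this page. It is not tdelibs code and not part of the thread; the trusted directory set, the function names and the use of realpath(3) are assumptions. It shows the two points a practitioner would want such a check to get right: the path must be canonicalised before the policy decision (so symlinks and `..` cannot move a file into or out of a trusted tree), and the prefix test must respect path-component boundaries (so `/usr` does not also accept `/usrdata/...`).

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

// Added example, not tdelibs code. Directories whose desktop files are
// allowed to carry command-executing keys. The set below is the one
// suggested in the thread and is an assumption about policy, not what
// any TDE release actually does.
std::vector<std::string> defaultTrustedDirs(const std::string& xdgConfigHome) {
    std::vector<std::string> dirs = {"/usr", "/usr/local", "/etc"};
    // Only honour an absolute $XDG_CONFIG_HOME; a relative one would be
    // interpreted against the current working directory.
    if (!xdgConfigHome.empty() && xdgConfigHome[0] == '/') {
        dirs.push_back(xdgConfigHome);
    }
    return dirs;
}

// True when `path` is strictly inside `dir`, split on a path component.
// A bare string-prefix test is wrong: "/usr" would also accept
// "/usrdata/evil.desktop".
bool isUnderDir(const std::string& path, std::string dir) {
    while (dir.size() > 1 && dir.back() == '/') {
        dir.pop_back();  // tolerate a trailing '/' in the configured dir
    }
    if (path.size() <= dir.size()) return false;  // equal or shorter: not inside
    if (path.compare(0, dir.size(), dir) != 0) return false;
    return dir == "/" || path[dir.size()] == '/';
}

// Policy decision on an already canonical absolute path (no symlinks,
// no "." or ".."). Pure function, so it can be tested without a filesystem.
bool isTrustedCanonicalPath(const std::string& canonical,
                            const std::vector<std::string>& trustedDirs) {
    if (canonical.empty() || canonical[0] != '/') return false;
    for (const std::string& dir : trustedDirs) {
        if (isUnderDir(canonical, dir)) return true;
    }
    return false;
}

// Check a real file. realpath(3) resolves symlinks and ".." first, so
// "/etc/../home/user/evil.desktop" is judged as /home/user/evil.desktop,
// and a symlink under /usr that points into /tmp is judged as /tmp.
// Callers should open the resolved path handed back here, not the
// original string, or a rename between check and use defeats the check.
bool resolveAndCheck(const std::string& givenPath,
                     const std::vector<std::string>& trustedDirs,
                     std::string& resolvedOut) {
    char* resolved = realpath(givenPath.c_str(), nullptr);
    if (resolved == nullptr) return false;  // missing or unreadable: untrusted
    resolvedOut = resolved;
    free(resolved);
    return isTrustedCanonicalPath(resolvedOut, trustedDirs);
}

int main() {
    // Constructed sample paths, not taken from any real system.
    const std::vector<std::string> trusted = defaultTrustedDirs("/home/user/.config");
    const char* samples[] = {
        "/usr/share/applications/kate.desktop",    // trusted
        "/usrdata/evil.desktop",                   // prefix trick, untrusted
        "/home/user/Desktop/evil.desktop",         // untrusted
        "/home/user/.config/autostart/x.desktop",  // trusted via XDG_CONFIG_HOME
    };
    for (const char* s : samples) {
        std::printf("%-45s %s\n", s,
                    isTrustedCanonicalPath(s, trusted) ? "trusted" : "untrusted");
    }
    return 0;
}
```

A location check like this only says where the file sits, not who wrote it; on a multi-user system a world-writable directory under a trusted prefix would still be a problem, so a real implementation would also want to look at ownership and permissions of the resolved file.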
sunjob commented 7 months ago
Poster

although maybe it's better than having such a big hole :о)

SlavekB commented 7 months ago
Owner

Thank you for reporting. Now it is merged for all branches – master, r14.0.x and v3.5.13-sru.

sunjob commented 7 months ago
Poster

question about this patch: “merged for all branches – master, r14.0.x and v3.5.13-sru”... how and where can I download these fuzzy versions? I think no one is updating the archives now?) thanks
MicheleC commented 7 months ago
Owner

it means merged into the development branches for those versions. They are not released yet in their final form.

If you want, you can clone the code from gitea and build your own versions. If you are on a Debian-like distro, there are PSB and PTB repositories from Slavek where packages are updated on the go.
sunjob commented 7 months ago
Poster

excuse me, for clarity of thinking and understanding of the situation :o) I am a simple user, not an IT professional. I use Slackware. There are no recent TDE packages for Slackware. I build TDE myself.

It used to be simple: you need version TDE-3.5.12, you downloaded the archive 3.5.12-complete.tar from the official site, and built the packages! Now: everything that is necessary and convenient for developers has been done, but, unfortunately, it is almost impossible or very difficult for an ordinary person to figure it out.

Explain it to me simply, in plain terms?! At the moment I am building TDE-14.0.6; I downloaded the sources according to the recipe https://www.linuxquestions.org/questions/slackware-14/tde-trinity-14-0-4-for-slackware-14-2-x64-4175597797/page4.html#post5981903

What should I do now (in relation to this KDE bug)? Manually patch tdelibs? (I am doing that myself now.) Or can I download the patched sources? TDE-14.0.6?

I am aware that there is an archive for TDE-14.0.6: http://ftp.mirrorservice.org/sites/trinitydesktop.org/trinity/releases/R14.0.6/R14.0.6-complete.tar http://217.30.75.106/trinity/releases/R14.0.6/R14.0.6-complete.tar
MicheleC commented 7 months ago
Owner

Hi sunjob,
to get the latest code it is actually much simpler than you may think. TGW hosts all the source code of TDE, both the development branches and the released versions. Using git, you can clone (== copy to your computer) the required version and then build from there. This webpage will give you an introduction to using TGW and how to get the latest code. After that you can build the required package on your computer.
https://wiki.trinitydesktop.org/TDE_Gitea_Workspace
(please note it is currently down at the time of writing, I guess a temporary access problem with the main server).
Regarding this issue, the fix has been merged into the master branch, so by cloning it you will have the fix in the source code. If you use R14.0.x, you need to clone the r14.0.x branch instead of the master branch.

TGW has really simplified the workflow and code sharing; once you get used to it you will find it much better than downloading tarballs :smile:
SlavekB commented 7 months ago
Owner

Hi @sunjob

here is a clear principle: Tarballs for individual versions are simply final and will not be changed. Therefore, commits to the GIT repository will never integrate into existing tarballs.

You therefore have three options:

  1. Wait for the new release (final R14.0.7) that will include patches of interest to you.
  2. If you want to use tarballs from the latest stable release, you can add the required commits to your packaging system as additional patches.
  3. Use the stable branch from the GIT repository – now branch r14.0.x
MicheleC commented 7 months ago
Owner

It seems the main web site and wiki is back online now, so the link above is active. See section 3.1 on how to get the latest code. Just remember to switch from “master” to “r14.0.x” branch if you want to use the R14.0.x stable branch. Instead if you are happy with R14.1.x development branch, you can stay on “master”.

https://wiki.trinitydesktop.org/TDE_Gitea_Workspace#To_access_the_TDE_source_code
