kde-kdesktopfile-command-injection #45

Closed
opened by sunjob 5 years ago · 11 comments
https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
Author

confirm bug

  • TDE-3.5.13
  • TDE-14.0.6
Author

I apologize for the freestyle (English is not my native language)

SlavekB added the SL/critical label 5 years ago
SlavekB added this issue to the R14.0.7 release milestone 5 years ago
Author

The problem is not the availability of this functionality, but that it should be allowed only for trusted paths:

/usr/...
/usr/local/...
/etc/...
$XDG_CONFIG_HOME
etc

And instead of implementing it as it should, you just deleted this functionality now. Wow...
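
The restriction proposed in the comment above, sketched as an added example. This is not TDE code and not the fix that was merged (which, per the comment, removed the feature); the function names are hypothetical, and the root list is the one given in the comment.

```cpp
// Added example, not TDE code. Function names are hypothetical.
#include <algorithm>
#include <cstdlib>
#include <filesystem>
#include <iostream>
#include <system_error>
#include <vector>

namespace fs = std::filesystem;

// Resolve symlinks and ".." so the check sees the file's real location.
// Returns an empty path on error so that callers fail closed.
static fs::path resolve(const fs::path &p) {
    std::error_code ec;
    fs::path r = fs::weakly_canonical(p, ec);
    if (ec) return {};
    if (!r.has_filename() && r.has_relative_path()) r = r.parent_path();  // drop trailing '/'
    return r;
}

// Root list taken from the comment above; xdgConfigHome may be null or empty.
std::vector<fs::path> trustedRoots(const char *xdgConfigHome) {
    std::vector<fs::path> roots;
    for (const char *d : {"/usr", "/usr/local", "/etc"}) roots.push_back(resolve(d));
    if (xdgConfigHome && *xdgConfigHome) roots.push_back(resolve(xdgConfigHome));
    return roots;
}

// Allow shell expansion only when the resolved file lies below a trusted root.
// Paths are compared component by component, so "/usrlocal" is not under "/usr".
bool allowShellExpansion(const fs::path &file, const std::vector<fs::path> &roots) {
    const fs::path f = resolve(file);
    if (f.empty()) return false;
    for (const fs::path &root : roots) {
        if (root.empty()) continue;  // an empty root would match every path
        auto m = std::mismatch(root.begin(), root.end(), f.begin(), f.end());
        if (m.first == root.end()) return true;
    }
    return false;
}

int main() {
    const auto roots = trustedRoots(std::getenv("XDG_CONFIG_HOME"));
    // Constructed sample paths, not taken from the issue.
    for (const char *p : {"/usr/share/applications/example.desktop",
                          "/usr/../tmp/example.directory", "/usrlocal/example.desktop"})
        std::cout << p << " -> " << (allowShellExpansion(p, roots) ? "expand" : "literal") << '\n';
}
```

Resolving the path before comparing is what keeps `/usr/../tmp/...` and `/usrlocal/...` from passing, which a plain string-prefix test would accept.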

Author

although maybe it's better than having such a big hole :о)

Owner

Thank you for reporting. Now it is merged for all branches – master, r14.0.x and v3.5.13-sru.

SlavekB closed this issue 5 years ago
Author

Question about this patch: "merged for all branches – master, r14.0.x and v3.5.13-sru"...
How and where can I download these, fuzzy versions? I think no one is updating the archives now?) Thanks

Owner

It means merged into the development branches for those versions. They are not released yet in their final form.

If you want, you can clone the code from Gitea and build your own versions. If you are on a Debian-like distro, there are PSB and PTB repositories from Slavek where packages are updated on the go.

Author

Excuse me, for the clarity of thinking and understanding of the situation: o)
I am a simple user, not an IT professional. I use Slackware. There are no latest TDE packages for Slackware. I collect TDE myself.

It used to be simple: you need version TDE-3.5.12, downloaded the archive 3.5.12-complete.tar from the official site, collect the packages!
Now: we’ve done everything that is necessary and convenient for developers, but, unfortunately, it’s almost impossible or very difficult for an ordinary person to figure it out.

Explain to me on a simple, on fingers?! At the moment I am collecting TDE-14.0.6; I downloaded the sources according to the recipe
https://www.linuxquestions.org/questions/slackware-14/tde-trinity-14-0-4-for-slackware-14-2-x64-4175597797/page4.html#post5981903

How to be now (in relation to this KDE-bug)? Manually patch tdelibs? (I do it myself now.) Or can I download the patched sources? TDE14.0.6?

I am aware that there is an archive for TDE-14.0.6:
http://ftp.mirrorservice.org/sites/trinitydesktop.org/trinity/releases/R14.0.6/R14.0.6-complete.tar
http://217.30.75.106/trinity/releases/R14.0.6/R14.0.6-complete.tar

Owner

Hi sunjob,

To get the latest code is actually much simpler than you may think. TGW hosts all the source code of TDE, both the development branches and the released versions. Using git, you can clone (== copy to your computer) the required version and then build from there. This webpage will give you an introduction to using TGW and how to get the latest code. After that you can build the required package on your computer.

https://wiki.trinitydesktop.org/TDE_Gitea_Workspace

(Please note it is currently down at the time of writing; I guess a temporary access problem with the main server.)

Regarding this issue, the fix has been merged into the master branch, so by cloning it you will have the fix in the source code. If you use R14.0.x, you need to clone the r14.0.x branch instead of the master branch.

TGW has really simplified the workflow and code sharing; once you get used to it you will find it much better than downloading tarballs 😄

Owner

Hi @sunjob

Here is a clear principle: Tarballs for individual versions are simply final and will not be changed. Therefore, commits to the GIT repository will never integrate into existing tarballs.

You therefore have three options:

  1. Wait for the new release (final R14.0.7) that will include patches of interest to you.
  2. If you want to use tarballs from the latest stable release, you can add the required commits to your packaging system as additional patches.
  3. Use the stable branch from the GIT repository – now branch r14.0.x.
Owner

It seems the main web site and wiki are back online now, so the link above is active. See section 3.1 on how to get the latest code. Just remember to switch from "master" to the "r14.0.x" branch if you want to use the R14.0.x stable branch. Instead, if you are happy with the R14.1.x development branch, you can stay on "master".

https://wiki.trinitydesktop.org/TDE_Gitea_Workspace#To_access_the_TDE_source_code

Reference: TDE/tdelibs#45