标签 里程碑

创建工单

kde-kdesktopfile-command-injection #45

已关闭

由 sunjob 于 5 年前创建 · 11 条评论

sunjob 评论于 5 年前

64aa3d3027/kde-kdesktopfile-command-injection.txt

https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt

sunjob 评论于 5 年前

发布者

confirm bug

• TDE-3.5.13
• TDE-14.0.6

confirm bug - TDE-3.5.13 - TDE-14.0.6

sunjob 评论于 5 年前

发布者

I apologize for the freestyle (English is not my native language)

I apologize for the freestyle (English is not my native language)

SlavekB 于 5 年前 添加了标签 SL/critical

SlavekB 于 5 年前 在代码提交中引用了该工单

Security: remove support for $(...) in config keys with [$e] marker. It is very unclear at this point what a valid use case for this feature would possibly be. The old documentation only mentions $(hostname) as an example, which can be done with $HOSTNAME instead. Note that $(...) is still supported in Exec lines of desktop files, this does not require [$e] anyway (and actually works better without it, otherwise the $ signs need to be doubled to obey tdeconfig $e escaping rules...). Based on KDE Frameworks 5 kconfig patch for CVE-2019-14744. This resolves issue #45. Signed-off-by: Slávek Banko <slavek.banko@axis.cz>

SlavekB 于 5 年前 添加了里程碑 R14.0.7 release

SlavekB 添加了一个新的依赖项 5 年前

#46 Security: remove support for $(...) in config keys with [$e] marker.

sunjob 评论于 5 年前

发布者

The problem is not the availability of this functionality, but that it should be allowed only for trusted paths:

/usr/...
/usr/local/...
/etc/...
$XDG_CONFIG_HOME
etc

And instead of implementing it as it should, you just deleted this functionality now. Wow...

The problem is not the availability of this functionality, but that it should be allowed only for trusted paths: /usr/... /usr/local/... /etc/... $XDG_CONFIG_HOME etc And instead of implementing it as it should, you just deleted this functionality now. Wow...

sunjob 评论于 5 年前

发布者

although maybe it's better than having such a big hole :о)

although maybe it's better than having such a big hole :о)

SlavekB 于 5 年前 在代码提交中引用了该工单

Security: remove support for $(...) in config keys with [$e] marker. It is very unclear at this point what a valid use case for this feature would possibly be. The old documentation only mentions $(hostname) as an example, which can be done with $HOSTNAME instead. Note that $(...) is still supported in Exec lines of desktop files, this does not require [$e] anyway (and actually works better without it, otherwise the $ signs need to be doubled to obey tdeconfig $e escaping rules...). Based on KDE Frameworks 5 kconfig patch for CVE-2019-14744. This resolves issue #45. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> (cherry picked from commit 1074eb033654bd5462677ffe694eda7805390284)

SlavekB 于 5 年前 在代码提交中引用了该工单

Security: remove support for $(...) in config keys with [$e] marker. It is very unclear at this point what a valid use case for this feature would possibly be. The old documentation only mentions $(hostname) as an example, which can be done with $HOSTNAME instead. Note that $(...) is still supported in Exec lines of desktop files, this does not require [$e] anyway (and actually works better without it, otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...). Based on KDE Frameworks 5 kconfig patch for CVE-2019-14744. This resolves issue #45. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> (cherry picked from commit 1074eb033654bd5462677ffe694eda7805390284)

SlavekB 评论于 5 年前

所有者

Thank you for reporting. Now it is merged for all branches – master, r14.0.x and v3.5.13-sru.

Thank you for reporting. Now it is merged for all branches – master, r14.0.x and v3.5.13-sru.

SlavekB 于 5 年前 关闭此工单

sunjob 评论于 5 年前

发布者

question, about this patch: "merged for all branches – master, r14.0.x and v3.5.13-sru"...
how and where can I download these, fuzzy versions? I think no one is updating the archives now?) thank

question, about this patch: "merged for all branches – master, r14.0.x and v3.5.13-sru"... how and where can I download these, fuzzy versions? I think no one is updating the archives now?) thank

MicheleC 评论于 5 年前

所有者

it means merged into the development branches for those versions. They are not released yet in their final form.

If you want, you can close the code from gitea and build your own versions. If you are on a debian-like distros, there are PSB and PTB repositories from Slavek where packages are updated on the go.

it means merged into the development branches for those versions. They are not released yet in their final form. If you want, you can close the code from gitea and build your own versions. If you are on a debian-like distros, there are PSB and PTB repositories from Slavek where packages are updated on the go.

sunjob 评论于 5 年前

发布者

excuse me, for the clarity of thinking and understanding of the situation: o)
I am a simple user, not an IT professional. I use slackware. There are no latest TDE packages for Slackware. I collect TDE myself.

It used to be simple: you need version TDE-3.5.12, downloaded the archive 3.5.12-complete.tar from the official site, collect the packages!
Now: we’ve done everything that is necessary and convenient for developers, but, unfortunately, it’s almost impossible or very difficult for an ordinary person to figure it out.

explain to me on a simple, on fingers ?! at the moment I am collecting TDE-14.0.6, I downloaded the sources according to the recipe
https://www.linuxquestions.org/questions/slackware-14/tde-trinity-14-0-4-for-slackware-14-2-x64-4175597797/page4.html#post5981903

how to be now (in relation to this KDE-bug)? manually patch tdelibs? (I do it myself now) or can I download the patched sources? TDE14.0.6?

I am aware that there is an archive for TDE-14.0.6:
http://ftp.mirrorservice.org/sites/trinitydesktop.org/trinity/releases/R14.0.6/R14.0.6-complete.tar
http://217.30.75.106/trinity/releases/R14.0.6/R14.0.6-complete.tar

excuse me, for the clarity of thinking and understanding of the situation: o) I am a simple user, not an IT professional. I use slackware. There are no latest TDE packages for Slackware. I collect TDE myself. It used to be simple: you need version TDE-3.5.12, downloaded the archive 3.5.12-complete.tar from the official site, collect the packages! Now: we’ve done everything that is necessary and convenient for developers, but, unfortunately, it’s almost impossible or very difficult for an ordinary person to figure it out. explain to me on a simple, on fingers ?! at the moment I am collecting TDE-14.0.6, I downloaded the sources according to the recipe https://www.linuxquestions.org/questions/slackware-14/tde-trinity-14-0-4-for-slackware-14-2-x64-4175597797/page4.html#post5981903 how to be now (in relation to this KDE-bug)? manually patch tdelibs? (I do it myself now) or can I download the patched sources? TDE14.0.6? I am aware that there is an archive for TDE-14.0.6: http://ftp.mirrorservice.org/sites/trinitydesktop.org/trinity/releases/R14.0.6/R14.0.6-complete.tar http://217.30.75.106/trinity/releases/R14.0.6/R14.0.6-complete.tar

MicheleC 评论于 5 年前

所有者

Hi sunjob,

to get the latest code it is actually much simpler than you may think. TGW hosts all the source code of TDE, both the development branches and the released versions. Using git, you can clone (== copy to your computer) the required version and then build from there. This webpage will give you an introduction to using TGW and how to get the latest code. After that you can build the required package on your computer.

https://wiki.trinitydesktop.org/TDE_Gitea_Workspace

(please note it is currently down at the time of writing, I guess a temporary access problem with the main server).

Regarding this issue, the fix has been merged into the master branch, so by cloning it you will have the fix in the source code. If you use R14.0.x, you need to clone the r14.0.x branch instead of the master branch.

TGW has really simplified the workflow and code sharing, once you get used to it you will find much better than downloading tarballs 😄

Hi sunjob,<br> to get the latest code it is actually much simpler than you may think. TGW hosts all the source code of TDE, both the development branches and the released versions. Using git, you can clone (== copy to your computer) the required version and then build from there. This webpage will give you an introduction to using TGW and how to get the latest code. After that you can build the required package on your computer.<br> https://wiki.trinitydesktop.org/TDE_Gitea_Workspace<br> (please note it is currently down at the time of writing, I guess a temporary access problem with the main server).<br> Regarding this issue, the fix has been merged into the master branch, so by cloning it you will have the fix in the source code. If you use R14.0.x, you need to clone the r14.0.x branch instead of the master branch.<br> TGW has really simplified the workflow and code sharing, once you get used to it you will find much better than downloading tarballs :smile:

SlavekB 评论于 5 年前

所有者

Hi @sunjob

here is a clear principle: Tarballs for individual versions are simply final and will not be changed. Therefore, commits to the GIT repository will never integrate into existing tarballs.

You therefore have three options:

1. Wait for the new release (final R14.0.7) that will include patches of interest to you.
2. If you want to use tarballs from the latest stable release, you can add the required commits to your packaging system as additional patches.
3. Use stable branch from GIT repository – now branch r14.0.x

Hi @sunjob here is a clear principle: Tarballs for individual versions are simply final and will not be changed. Therefore, commits to the GIT repository will never integrate into existing tarballs. You therefore have three options: 1. Wait for the new release (final R14.0.7) that will include patches of interest to you. 2. If you want to use tarballs from the latest stable release, you can add the required commits to your packaging system as additional patches. 3. Use stable branch from GIT repository – now branch r14.0.x

MicheleC 评论于 5 年前

所有者

It seems the main web site and wiki is back online now, so the link above is active. See section 3.1 on how to get the latest code. Just remember to switch from "master" to "r14.0.x" branch if you want to use the R14.0.x stable branch. Instead if you are happy with R14.1.x development branch, you can stay on "master".

https://wiki.trinitydesktop.org/TDE_Gitea_Workspace#To_access_the_TDE_source_code

It seems the main web site and wiki is back online now, so the link above is active. See section 3.1 on how to get the latest code. Just remember to switch from "master" to "r14.0.x" branch if you want to use the R14.0.x stable branch. Instead if you are happy with R14.1.x development branch, you can stay on "master". https://wiki.trinitydesktop.org/TDE_Gitea_Workspace#To_access_the_TDE_source_code

MicheleC 于 4 年前 在代码提交中引用了该工单

Security: remove support for $(...) in KRun which could have allowed execution of malicious code. This is similar to issue #45 for .desktop files. Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it>

MicheleC 于 4 年前 在代码提交中引用了该工单

Security: remove support for $(...) in KRun which could have allowed execution of malicious code. This is similar to issue #45 for .desktop files. Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit 8b8f5064f7094a713a16ade3bf37d8efec601949)

MicheleC 于 4 年前 在代码提交中引用了该工单

Security: remove support for in KRun which could have allowed execution of malicious code. This is similar to issue TDE/tdelibs#45 for .desktop files. Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it>

MicheleC 于 4 年前 在代码提交中引用了该工单

Security: remove support for in KRun which could have allowed execution of malicious code. This is similar to issue TDE/tdelibs#45 for .desktop files. Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit 2948d1cdf79e47b1c71b5565baae4178c8c1de39)

MicheleC 于 4 年前 在代码提交中引用了该工单

Security: remove support for in KRun which could have allowed execution of malicious code. This is similar to issue TDE/tdelibs#45 for .desktop files. Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it>

MicheleC 于 4 年前 在代码提交中引用了该工单

Security: remove support for in KRun which could have allowed execution of malicious code. This is similar to issue TDE/tdelibs#45 for .desktop files. Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit 4f961d77d6da693c51c5be16366dc172b45c96e0)

SlavekB 于 3 年前 在代码提交中引用了该工单

Security: remove support for $(...) in KRun which could have allowed

登录 并参与到对话中。

分支/标记未指定

分支列表 标签列表

r14.1.x

master

feat/kate/php-syntax-heredoc-ident

fix/tde-75

issue/270/tdelibs-V4

feat/new_hwcontrol

feat/tdeio-xattr-support

fix/api-for-python

r14.0.x

v3.5.13-sru

feat/tdehtml+svg

other/string-fixes

feat/fix-suspend-code

r14.1.1

r14.1.0

r14.0.13

r14.0.12

r14.0.11

r14.0.10

r14.0.9

r14.0.8

r14.0.7

r14.0.6

r14.0.5

r14.0.4

r14.0.3

r14.0.2

r14.0.1

r14.0.0

v3.5.13.2

v3.5.13.1

v3.5.13

标签

添加标签

清除选中标签

GE/need-info
General - need additional info from contributor PR/keep-branch
Pull request - do not delete branch after merging PR/not-ok
Pull request - need fixing PR/rfc
Pull request - request for comments PR/update-trans
Pull request - update to translation files needed PR/wip
Pull request - work in progress RS/R14.0.x
Related to R14.0.x series RS/R14.1.x
Related to R14.1.x series SL/critical
Severity level - critical SL/major
Severity level - major SL/minor
Severity level - minor SL/normal
Severity level - normal SL/regression
Severity level - regression from previous version SL/trivial
Severity level - trivial SL/wishlist
Severity level - wishlist request ST/duplicate
Status - duplicate of another issue ST/invalid
Status - invalid report ST/notourproblem
Status - not our problem ST/rejected
Status - rejected ST/wontfix
Status - won't fix ST/worksforme
Status - works for me, unable to reproduce

未选择标签 GE/need-info PR/keep-branch PR/not-ok PR/rfc PR/update-trans PR/wip RS/R14.0.x RS/R14.1.x SL/critical SL/major SL/minor SL/normal SL/regression SL/trivial SL/wishlist ST/duplicate ST/invalid ST/notourproblem ST/rejected ST/wontfix ST/worksforme

里程碑

设置里程碑

取消选中里程碑

无可选项

未选择里程碑

R14.0.7 release

指派成员

指派用户

取消指派成员

未指派成员

3 名参与者

通知

订阅

到期时间

到期日期无效或超出范围。请使用 'yyyy-mm-dd' 格式。

未设置到期时间。

依赖于

#46 Security: remove support for $(...) in config keys with [$e] marker.

TDE/tdelibs

参考：TDE/tdelibs#45

撰写 预览

正在加载...

取消

保存

这个人很懒，什么都没留下。