community/kconfig: fix CVE-2019-14744

2 files changed, 156 insertions, 3 deletions

diff --git a/community/kconfig/APKBUILD b/community/kconfig/APKBUILD
index d7706c98dc..1fd51bfbcf 100644
--- a/community/kconfig/APKBUILD
+++ b/community/kconfig/APKBUILD
@@ -2,16 +2,21 @@
 # Maintainer: Bart Ribbers <bribbers@disroot.org>
 pkgname=kconfig
 pkgver=5.60.0
-pkgrel=0
+pkgrel=1
 pkgdesc="Configuration system"
 arch="all"
 url="https://community.kde.org/Frameworks"
 license="LGPL-2.0-or-later AND LGPL-2.0-only AND LGPL-2.1-or-later"
 makedepends="extra-cmake-modules qt5-qttools-dev doxygen"
 checkdepends="xvfb-run"
-source="https://download.kde.org/stable/frameworks/${pkgver%.*}/$pkgname-$pkgver.tar.xz"
+source="https://download.kde.org/stable/frameworks/${pkgver%.*}/$pkgname-$pkgver.tar.xz
+	CVE-2019-14744.patch"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
 
+# secfixes:
+#   5.60.0-r1:
+#     - CVE-2019-14744
+
 build() {
 	cmake \
 		-DCMAKE_BUILD_TYPE=RelWithDebInfo \
@@ -29,4 +34,5 @@ package() {
 	DESTDIR="$pkgdir" make install
 }
 
-sha512sums="76aa15e9e1630c687ff7cc6b77060c74472f307442d07ae09d5f4aa61d7b6f29f3f1d270218c6d7fea8e86eb9dda43c96821d19d827a781c7f71da6135d98753  kconfig-5.60.0.tar.xz"
+sha512sums="76aa15e9e1630c687ff7cc6b77060c74472f307442d07ae09d5f4aa61d7b6f29f3f1d270218c6d7fea8e86eb9dda43c96821d19d827a781c7f71da6135d98753  kconfig-5.60.0.tar.xz
+0265a6e02e1ac6a7bb30e75eb169c83a69237e2dd2f80a4be18b47ecd758aa27dbcecc45d2e18a52df049b32313dfd5b5432bfcfa39611279194d2c9b48dc35e  CVE-2019-14744.patch"
diff --git a/community/kconfig/CVE-2019-14744.patch b/community/kconfig/CVE-2019-14744.patch
new file mode 100644
index 0000000000..e8a799ca5d
--- /dev/null
+++ b/community/kconfig/CVE-2019-14744.patch
@@ -0,0 +1,147 @@
+From 5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22 Mon Sep 17 00:00:00 2001
+From: David Faure <faure@kde.org>
+Date: Wed, 7 Aug 2019 09:35:36 +0200
+Subject: Security: remove support for $(...) in config keys with [$e] marker.
+
+Summary:
+It is very unclear at this point what a valid use case for this feature
+would possibly be. The old documentation only mentions $(hostname) as
+an example, which can be done with $HOSTNAME instead.
+
+Note that $(...) is still supported in Exec lines of desktop files,
+this does not require [$e] anyway (and actually works better without it,
+otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...).
+
+Test Plan:
+ctest passes; various testcases with $(...) in desktop files,
+directory files, and config files, no longer execute commands.
+
+Reviewers: mdawson, aacid, broulik, davidedmundson, kossebau, apol, sitter, security-team
+
+Reviewed By: mdawson, davidedmundson
+
+Subscribers: ZaWertun, rikmills, fvogt, ngraham, kde-frameworks-devel
+
+Tags: #frameworks
+
+Differential Revision: https://phabricator.kde.org/D22979
+---
+ autotests/kconfigtest.cpp | 10 ++--------
+ docs/options.md           | 11 ++++-------
+ src/core/kconfig.cpp      | 37 +------------------------------------
+ 3 files changed, 7 insertions(+), 51 deletions(-)
+
+diff --git a/autotests/kconfigtest.cpp b/autotests/kconfigtest.cpp
+index 410b5b8..9af3b46 100644
+--- a/autotests/kconfigtest.cpp
++++ b/autotests/kconfigtest.cpp
+@@ -38,7 +38,7 @@
+ #include <utime.h>
+ #endif
+ #ifndef Q_OS_WIN
+-#include <unistd.h> // gethostname
++#include <unistd.h> // getuid
+ #endif
+ 
+ KCONFIGGROUP_DECLARE_ENUM_QOBJECT(KConfigTest, Testing)
+@@ -546,14 +546,8 @@ void KConfigTest::testPath()
+     QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + HOMEPATH));
+     QVERIFY(group.hasKey("URL"));
+     QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH));
+-#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC)
+-    // I don't know if this will work on windows
+-    // This test hangs on OS X
+     QVERIFY(group.hasKey("hostname"));
+-    char hostname[256];
+-    QVERIFY(::gethostname(hostname, sizeof(hostname)) == 0);
+-    QCOMPARE(group.readEntry("hostname", QString()), QString::fromLatin1(hostname));
+-#endif
++    QCOMPARE(group.readEntry("hostname", QString()), QStringLiteral("(hostname)")); // the $ got removed because empty var name
+     QVERIFY(group.hasKey("noeol"));
+     QCOMPARE(group.readEntry("noeol", QString()), QString("foo"));
+ 
+diff --git a/docs/options.md b/docs/options.md
+index c634c00..4a6e9bc 100644
+--- a/docs/options.md
++++ b/docs/options.md
+@@ -67,18 +67,15 @@ environment variables (and `XDG_CONFIG_HOME` in particular).
+ Shell Expansion
+ ---------------
+ 
+-If an entry is marked with `$e`, environment variables and shell commands will
+-be expanded.
++If an entry is marked with `$e`, environment variables will be expanded.
+ 
+     Name[$e]=$USER
+-    Host[$e]=$(hostname)
+ 
+ When the "Name" entry is read `$USER` will be replaced with the value of the
+-`$USER` environment variable, and `$(hostname)` will be replaced with the output
+-of the `hostname` command.
++`$USER` environment variable.
+ 
+-Note that the application will replace `$USER` and `$(hostname)` with their
+-respective expanded values after saving. To prevent this combine the `$e` option
++Note that the application will replace `$USER` with its
++expanded value after saving. To prevent this combine the `$e` option
+ with `$i` (immmutable) option.  For example:
+ 
+     Name[$ei]=$USER
+diff --git a/src/core/kconfig.cpp b/src/core/kconfig.cpp
+index e1b11ed..f6824ce 100644
+--- a/src/core/kconfig.cpp
++++ b/src/core/kconfig.cpp
+@@ -28,19 +28,6 @@
+ #include <cstdlib>
+ #include <fcntl.h>
+ 
+-#ifdef _MSC_VER
+-static inline FILE *popen(const char *cmd, const char *mode)
+-{
+-    return _popen(cmd, mode);
+-}
+-static inline int pclose(FILE *stream)
+-{
+-    return _pclose(stream);
+-}
+-#else
+-#include <unistd.h>
+-#endif
+-
+ #include "kconfigbackend_p.h"
+ #include "kconfiggroup.h"
+ 
+@@ -183,29 +170,7 @@ QString KConfigPrivate::expandString(const QString &value)
+     int nDollarPos = aValue.indexOf(QLatin1Char('$'));
+     while (nDollarPos != -1 && nDollarPos + 1 < aValue.length()) {
+         // there is at least one $
+-        if (aValue[nDollarPos + 1] == QLatin1Char('(')) {
+-            int nEndPos = nDollarPos + 1;
+-            // the next character is not $
+-            while ((nEndPos <= aValue.length()) && (aValue[nEndPos] != QLatin1Char(')'))) {
+-                nEndPos++;
+-            }
+-            nEndPos++;
+-            QString cmd = aValue.mid(nDollarPos + 2, nEndPos - nDollarPos - 3);
+-
+-            QString result;
+-
+-// FIXME: wince does not have pipes
+-#ifndef _WIN32_WCE
+-            FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
+-            if (fs) {
+-                QTextStream ts(fs, QIODevice::ReadOnly);
+-                result = ts.readAll().trimmed();
+-                pclose(fs);
+-            }
+-#endif
+-            aValue.replace(nDollarPos, nEndPos - nDollarPos, result);
+-            nDollarPos += result.length();
+-        } else if (aValue[nDollarPos + 1] != QLatin1Char('$')) {
++        if (aValue[nDollarPos + 1] != QLatin1Char('$')) {
+             int nEndPos = nDollarPos + 1;
+             // the next character is not $
+             QStringRef aVarName;
+-- 
+cgit v1.1
+