Hello community, here is the log from the commit of package kconfig for openSUSE:Factory checked in at 2019-08-09 16:51:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kconfig (Old) and /work/SRC/openSUSE:Factory/.kconfig.new.9556 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "kconfig" Fri Aug 9 16:51:03 2019 rev:72 rq:721476 version:5.60.0 Changes: -------- --- /work/SRC/openSUSE:Factory/kconfig/kconfig.changes 2019-07-26 12:11:18.406842611 +0200 +++ /work/SRC/openSUSE:Factory/.kconfig.new.9556/kconfig.changes 2019-08-09 16:51:09.137500043 +0200 @@ -1,0 +2,6 @@ +Wed Aug 7 08:30:37 UTC 2019 - Fabian Vogt <fabian@ritter-vogt.de> + +- Add patch to drop involuntary command execution (boo#1144600): + * 0001-Security-remove-support-for-.-in-config-keys-with-e-.patch + +------------------------------------------------------------------- New: ---- 0001-Security-remove-support-for-.-in-config-keys-with-e-.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kconfig.spec ++++++ --- /var/tmp/diff_new_pack.38sChn/_old 2019-08-09 16:51:10.609499752 +0200 +++ /var/tmp/diff_new_pack.38sChn/_new 2019-08-09 16:51:10.613499751 +0200 @@ -34,6 +34,8 @@ Source1: baselibs.conf # PATCH-FEATURE-OPENSUSE Patch0: kconfig-desktop-translations.patch +# PATCH-FIX-UPSTREAM +Patch1: 0001-Security-remove-support-for-.-in-config-keys-with-e-.patch BuildRequires: cmake >= 3.0 BuildRequires: extra-cmake-modules >= %{_kf5_bugfix_version} BuildRequires: fdupes @@ -129,6 +131,7 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 %if 0%{?suse_version} == 1500 sed -i -e "s/^set *(REQUIRED_QT_VERSION 5.10.0)$/set(REQUIRED_QT_VERSION 5.9.0)/" CMakeLists.txt %endif ++++++ 0001-Security-remove-support-for-.-in-config-keys-with-e-.patch ++++++

From 61908d25d56aceabba76694c2af94a78e558b501 Mon Sep 17 00:00:00 2001 From: David Faure <faure@kde.org> Date: Wed, 7 Aug 2019 10:22:16 +0200 Subject: [PATCH] Security: remove support for $(...) in config keys with [$e] marker.

Summary: It is very unclear at this point what a valid use case for this feature would possibly be. The old documentation only mentions $(hostname) as an example, which can be done with $HOSTNAME instead. Note that $(...) is still supported in Exec lines of desktop files, this does not require [$e] anyway (and actually works better without it, otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...). Test Plan: ctest passes; various testcases with $(...) in desktop files, directory files, and config files, no longer execute commands. Reviewers: mdawson, aacid, broulik, davidedmundson, kossebau, apol, sitter, security-team Reviewed By: davidedmundson Subscribers: fvogt, ngraham, kde-frameworks-devel Tags: #frameworks Differential Revision: https://phabricator.kde.org/D22979 --- autotests/kconfigtest.cpp | 10 ++-------- docs/options.md | 11 ++++------- src/core/kconfig.cpp | 37 +------------------------------------ 3 files changed, 7 insertions(+), 51 deletions(-) diff --git a/autotests/kconfigtest.cpp b/autotests/kconfigtest.cpp index 64c6223..4d97c56 100644 --- a/autotests/kconfigtest.cpp +++ b/autotests/kconfigtest.cpp @@ -38,7 +38,7 @@ #include <utime.h> #endif #ifndef Q_OS_WIN -#include <unistd.h> // gethostname +#include <unistd.h> // getuid #endif KCONFIGGROUP_DECLARE_ENUM_QOBJECT(KConfigTest, Testing) @@ -545,14 +545,8 @@ void KConfigTest::testPath() QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + HOMEPATH)); QVERIFY(group.hasKey("URL")); QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH)); -#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC) - // I don't know if this will work on windows - // This test hangs on OS X QVERIFY(group.hasKey("hostname")); - char hostname[256]; - QVERIFY(::gethostname(hostname, sizeof(hostname)) == 0); - QCOMPARE(group.readEntry("hostname", QString()), QString::fromLatin1(hostname)); -#endif + QCOMPARE(group.readEntry("hostname", QString()), QStringLiteral("(hostname)")); // the $ got removed because empty var name QVERIFY(group.hasKey("noeol")); QCOMPARE(group.readEntry("noeol", QString()), QString("foo")); diff --git a/docs/options.md b/docs/options.md index fab22e1..85abea4 100644 --- a/docs/options.md +++ b/docs/options.md @@ -67,18 +67,15 @@ environment variables (and `XDG_CONFIG_HOME` in particular). Shell Expansion --------------- -If an entry is marked with `$e`, environment variables and shell commands will -be expanded. +If an entry is marked with `$e`, environment variables will be expanded. Name[$e]=$USER - Host[$e]=$(hostname) When the "Name" entry is read `$USER` will be replaced with the value of the -`$USER` environment variable, and `$(hostname)` will be replaced with the output -of the `hostname` command. +`$USER` environment variable. -Note that the application will replace `$USER` and `$(hostname)` with their -respective expanded values after saving. To prevent this combine the `$e` option +Note that the application will replace `$USER` with its +expanded value after saving. To prevent this combine the `$e` option with `$i` (immmutable) option. For example: Name[$ei]=$USER diff --git a/src/core/kconfig.cpp b/src/core/kconfig.cpp index bc2871c..560d73a 100644 --- a/src/core/kconfig.cpp +++ b/src/core/kconfig.cpp @@ -28,19 +28,6 @@ #include <cstdlib> #include <fcntl.h> -#ifdef _MSC_VER -static inline FILE *popen(const char *cmd, const char *mode) -{ - return _popen(cmd, mode); -} -static inline int pclose(FILE *stream) -{ - return _pclose(stream); -} -#else -#include <unistd.h> -#endif - #include "kconfigbackend_p.h" #include "kconfiggroup.h" @@ -183,29 +170,7 @@ QString KConfigPrivate::expandString(const QString &value) int nDollarPos = aValue.indexOf(QLatin1Char('$')); while (nDollarPos != -1 && nDollarPos + 1 < aValue.length()) { // there is at least one $ - if (aValue[nDollarPos + 1] == QLatin1Char('(')) { - int nEndPos = nDollarPos + 1; - // the next character is not $ - while ((nEndPos <= aValue.length()) && (aValue[nEndPos] != QLatin1Char(')'))) { - nEndPos++; - } - nEndPos++; - QString cmd = aValue.mid(nDollarPos + 2, nEndPos - nDollarPos - 3); - - QString result; - -// FIXME: wince does not have pipes -#ifndef _WIN32_WCE - FILE *fs = popen(QFile::encodeName(cmd).data(), "r"); - if (fs) { - QTextStream ts(fs, QIODevice::ReadOnly); - result = ts.readAll().trimmed(); - pclose(fs); - } -#endif - aValue.replace(nDollarPos, nEndPos - nDollarPos, result); - nDollarPos += result.length(); - } else if (aValue[nDollarPos + 1] != QLatin1Char('$')) { + if (aValue[nDollarPos + 1] != QLatin1Char('$')) { int nEndPos = nDollarPos + 1; // the next character is not $ QStringRef aVarName; -- 2.22.0