Package: kde-runtime / 4:17.08.3-2.1

Make-sure-people-are-not-trying-to-sneak-invisible-charac.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
From: Maximiliano Curia <maxy@gnuservers.com.ar>
Date: Mon, 20 Mar 2017 16:54:06 +0100
Subject: Make sure people are not trying to sneak invisible characters on the
 kdesu label

This is a backport of
5eda179a099ba68a20dc21dc0da63e85a565a171#diff-281a78cc7558547bc7507f1cabd3cfc9
from kde-cli-tools to kde-runtime in order to close CVE-2016-7787.
---
 kdesu/kdesu/kdesu.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/kdesu/kdesu/kdesu.cpp b/kdesu/kdesu/kdesu.cpp
index e3fe99c690..c03a3b2745 100644
--- a/kdesu/kdesu/kdesu.cpp
+++ b/kdesu/kdesu/kdesu.cpp
@@ -141,6 +141,10 @@ int main(int argc, char *argv[])
     {
         KMessageBox::sorry(0, i18n("Cannot execute command '%1'.", QString::fromLocal8Bit(command)));
     }
+    if (result == -2)
+    {
+        KMessageBox::sorry(0, i18n("Cannot execute command '%1'. It contains invalid characters.", QString::fromLocal8Bit(command)));
+    }
 
     return result;
 }
@@ -367,6 +371,12 @@ static int startApp()
         kDebug() << "Don't need password!!\n";
     }
 
+    for (const QChar character : QString::fromLocal8Bit(command)) {
+        if (!character.isPrint() && character.category() != QChar::Other_Surrogate) {
+            return -2;
+        }
+    }
+
     // Start the dialog
     QString password;
     if (needpw)