From 808672a2dccb7f29b09e4e652a2bdc1ba1449a5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
Date: Thu, 5 Oct 2023 20:18:48 +0700
Subject: [PATCH] cadence: fix CVE-2023-{43782,43783}
---
srcpkgs/cadence/patches/CVE-2023-43782.patch | 89 ++++++++++++++++++++
srcpkgs/cadence/patches/CVE-2023-43783.patch | 46 ++++++++++
srcpkgs/cadence/patches/QPainterPath.patch | 18 +---
srcpkgs/cadence/template | 2 +-
4 files changed, 140 insertions(+), 15 deletions(-)
create mode 100644 srcpkgs/cadence/patches/CVE-2023-43782.patch
create mode 100644 srcpkgs/cadence/patches/CVE-2023-43783.patch
diff --git a/srcpkgs/cadence/patches/CVE-2023-43782.patch b/srcpkgs/cadence/patches/CVE-2023-43782.patch
new file mode 100644
index 00000000000..94b252e645c
--- /dev/null
+++ b/srcpkgs/cadence/patches/CVE-2023-43782.patch
@@ -0,0 +1,89 @@
+From 986a26147fa85fc3b2727a13c478b12994555e4a Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Tue, 22 Aug 2023 14:06:40 +0200
+Subject: [PATCH] cadence_aloop_daemon: place lockfile into non-public
+ directory
+
+The fixed /tmp path for the lock / shutdown handling of the daemon is
+problematic security wise, since any other user in the system can block
+this path. This also makes parallel instances for multiple user accounts
+impossible.
+
+Select a location in the user's /run directory or in its home directory
+(as a fallback).
+---
+ src/cadence.py | 3 ++-
+ src/cadence_aloop_daemon.py | 5 +++--
+ src/shared.py | 8 ++++++++
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/cadence.py b/src/cadence.py
+index 87a14a8..714e2d6 100755
+--- a/src/cadence.py
++++ b/src/cadence.py
+@@ -38,6 +38,7 @@ import ui_cadence_tb_alsa
+ import ui_cadence_tb_a2j
+ import ui_cadence_tb_pa
+ import ui_cadence_rwait
++from shared import getDaemonLockfile
+ from shared_cadence import *
+ from shared_canvasjack import *
+ from shared_settings import *
+@@ -1710,7 +1711,7 @@ class CadenceMainW(QMainWindow, ui_cadence.Ui_CadenceMainW):
+
+ @pyqtSlot()
+ def slot_AlsaBridgeStop(self):
+- checkFile = "/tmp/.cadence-aloop-daemon.x"
++ checkFile = self.getDaemonLockfile("cadence-aloop-daemon")
+ if os.path.exists(checkFile):
+ os.remove(checkFile)
+
+diff --git a/src/cadence_aloop_daemon.py b/src/cadence_aloop_daemon.py
+index c8408ef..b53f64d 100755
+--- a/src/cadence_aloop_daemon.py
++++ b/src/cadence_aloop_daemon.py
+@@ -33,6 +33,7 @@ else:
+ # Imports (Custom Stuff)
+
+ import jacklib
++from shared import getDaemonLockfile
+
+ # --------------------------------------------------
+ # Auto re-activate if on good kernel
+@@ -50,7 +51,7 @@ doRunNow = True
+ useZita = False
+ procIn = QProcess()
+ procOut = QProcess()
+-checkFile = "/tmp/.cadence-aloop-daemon.x"
++checkFile = getDaemonLockfile("cadence-aloop-daemon")
+
+ #
--------------------------------------------------
+ # Global JACK variables
+@@ -161,7 +162,7 @@ if __name__ == '__main__':
+ client = jacklib.client_open("cadence-aloop-daemon", jacklib.JackUseExactName, None)
+
+ if not client:
+- print("cadence-aloop-daemon is already running, delete \"/tmp/.cadence-aloop-daemon.x\" to close it")
++ print("cadence-aloop-daemon is already running, delete \"{}\" to close it".format(checkFile))
+ quit()
+
+ if jacklib.JACK2:
+diff --git a/src/shared.py b/src/shared.py
+index 2df4d54..e65d292 100644
+--- a/src/shared.py
++++ b/src/shared.py
+@@ -312,3 +312,11 @@ def setIcons(self_, modes):
+ if "misc" in modes:
+ gGui.ui.act_quit.setIcon(getIcon("application-exit"))
+ gGui.ui.act_configure.setIcon(getIcon("configure"))
++
++def getDaemonLockfile(base):
++ lockdir = os.environ.get("XDG_RUNTIME_DIR", None)
++ if not lockdir:
++ lockdir = os.path.expanduser("~")
++
++ return os.path.join(lockdir, "{}-lock".format(base))
++
+--
+2.41.0
+
diff --git a/srcpkgs/cadence/patches/CVE-2023-43783.patch b/srcpkgs/cadence/patches/CVE-2023-43783.patch
new file mode 100644
index 00000000000..418bb3bf84a
--- /dev/null
+++ b/srcpkgs/cadence/patches/CVE-2023-43783.patch
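Review bot: In the `slot_AlsaBridgeStop` hunk of `src/cadence.py` the new line calls `self.getDaemonLockfile("cadence-aloop-daemon")`, but the helper this patch adds is a module-level function in `shared.py` that the same file imports by name. Unless `CadenceMainW` defines a method of that name outside the visible hunks, stopping the ALSA bridge will raise `AttributeError` and the daemon's lock file is never removed. The line should read `checkFile = getDaemonLockfile("cadence-aloop-daemon")`, matching the call in `cadence_aloop_daemon.py`. Separately, `getDaemonLockfile` uses `XDG_RUNTIME_DIR` exactly as found in the environment, so a comment such as `# relies on XDG_RUNTIME_DIR being a per-user directory not writable by others; falls back to the home directory when unset` would record the assumption the fix depends on. The enclosing class starts outside the hunk.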
@@ -0,0 +1,46 @@
+From 3fdff274c40795ad6a24891066358aa7a3953962 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner
+Date: Tue, 22 Aug 2023 14:28:33 +0200
+Subject: [PATCH] cadence.py: wine ASIO settings: use safe tempfile
+
+This fixed tempfile path poses a security issue that even might allow
+other users on the system to inject arbitrary wine registry settings, if
+protect_symlinks and protect_regular kernel protection is not enabled.
+
+Use a proper NamedTemporaryFile to pass the data to regedit to fix this.
+---
+ src/cadence.py | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/cadence.py b/src/cadence.py
+index 714e2d6..fddadfb 100755
+--- a/src/cadence.py
++++ b/src/cadence.py
+@@ -47,6 +47,8 @@ from shared_settings import *
+ # Import getoutput
+
+ from subprocess import getoutput
++import tempfile
++import subprocess
+
+ # ------------------------------------------------------------------------------------------------------------
+ # Try Import DBus
+@@ -2095,11 +2097,10 @@ class CadenceMainW(QMainWindow, ui_cadence.Ui_CadenceMainW):
+ REGFILE += '"Number of outputs"=dword:000000%s\n' % smartHex(self.sb_wineasio_outs.value(), 2)
+ REGFILE += '"Preferred buffersize"=dword:0000%s\n' % smartHex(int(self.cb_wineasio_bsizes.currentText()), 4)
+
+- writeFile = open("/tmp/cadence-wineasio.reg", "w")
+- writeFile.write(REGFILE)
+- writeFile.close()
+-
+- os.system("regedit /tmp/cadence-wineasio.reg")
++ with tempfile.NamedTemporaryFile('w') as tmpfile:
++ tmpfile.write(REGFILE)
++ tmpfile.flush()
++ subprocess.run(["regedit", tmpfile.name])
+
+ self.settings_changed_types = []
+ self.frame_tweaks_settings.setVisible(False)
+--
+2.41.0
+
diff --git a/srcpkgs/cadence/patches/QPainterPath.patch b/srcpkgs/cadence/patches/QPainterPath.patch
index 6a6ba7cf21c..ff778cd71fe 100644
--- a/srcpkgs/cadence/patches/QPainterPath.patch
+++ b/srcpkgs/cadence/patches/QPainterPath.patch
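Review bot: The new `subprocess.run(["regedit", tmpfile.name])` call in the second `src/cadence.py` hunk changes the failure behaviour and still ignores the result. When `regedit` is not on PATH, `subprocess.run` raises `FileNotFoundError`, where the old `os.system` call only returned a non-zero status; the enclosing method starts outside the hunk, but if it runs as a Qt slot, an uncaught exception there may take the application down. When regedit does run but fails, the exit status is discarded and the following lines still clear `settings_changed_types` and hide the settings frame as if the values had been applied. I would use `subprocess.run(["regedit", tmpfile.name], check=True)` inside a `try` that catches `OSError` and `subprocess.CalledProcessError`, reports the failure, and skips the state reset.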
@@ -1,5 +1,5 @@ ---- a/c++/patchcanvas/canvasbezierline.cpp 2019-11-17 21:34:05.000000000 +0100 -+++ b/c++/patchcanvas/canvasbezierline.cpp 2020-09-02 13:13:34.042234477 +0200 +--- a/c++/patchcanvas/canvasbezierline.cpp ++++ b/c++/patchcanvas/canvasbezierline.cpp @@ -18,6 +18,7 @@ #include "canvasbezierline.h" @@ -8,8 +8,8 @@ #include "canvasport.h" #include "canvasportglow.h" ---- a/c++/patchcanvas/canvasbezierlinemov.cpp 2019-11-17 21:34:05.000000000 +0100 -+++ b/c++/patchcanvas/canvasbezierlinemov.cpp 2020-09-02 13:13:27.093234119 +0200 +--- a/c++/patchcanvas/canvasbezierlinemov.cpp ++++ b/c++/patchcanvas/canvasbezierlinemov.cpp @@ -18,6 +18,7 @@ #include "canvasbezierlinemov.h" @@ -18,13 +18,3 @@ #include "canvasport.h" ---- a/c++/widgets/pixmapdial.cpp 2019-11-17 21:34:05.000000000 +0100 -+++ b/c++/widgets/pixmapdial.cpp 2020-09-02 13:13:16.853233591 +0200 -@@ -21,6 +21,7 @@ - - #include - #include -+#include - #include - - PixmapDial::PixmapDial(QWidget* parent) diff --git a/srcpkgs/cadence/template b/srcpkgs/cadence/template index ec1b51ee641..7b93e5738aa 100644 --- a/srcpkgs/cadence/template +++ b/srcpkgs/cadence/template @@ -1,7 +1,7 @@ # Template file for 'cadence' pkgname=cadence version=0.9.2 -revision=3 +revision=4 build_style=gnu-makefile pycompile_dirs="usr/share/cadence/src" hostmakedepends="pkg-config qt5-host-tools python3-PyQt5-devel-tools"