Bugzilla – Bug 1151190
AUDIT-TRACKER: ksysguard5 would like cap_net_raw+ep on its network traffic helper
Last modified: 2023-04-06 09:35:55 UTC
With Plasma 5.17, ksysguard has the capability to show the network traffic for each process. As this is not directly possible using the usual user capabilities, there is a new helper binary which needs cap_net_raw+ep:
%{_libdir}/libexec/ksysguard/ksgrd_network_helper
Got introduced here: https://cgit.kde.org/ksysguard.git/commit/?id=842d64591d8481ae10fe1db2c906640ec3d5c7d3
Latest code is here: https://cgit.kde.org/ksysguard.git/tree/plugins/process/network/helper
I'll look into this.
Something else I noticed which isn't security-relevant: The computation of addresses in Packet::parseIPv6() is buggy: it's using & instead of | so IPv6 addresses will always be parsed as all-zero. It also relies on implicit integer promotion of char to unsigned integer - so the upper bits of the address will be zero on platforms where an 'unsigned int' has less than 32 bits.
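The `&`-versus-`|` defect described in the comment above, as an added C++ example. It is not ksysguard's code: the function names, the `Ipv6Words` type, the length check and the sample address are assumptions made for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical names throughout; this is not ksysguard's Packet::parseIPv6().
using Ipv6Words = std::array<std::uint32_t, 4>;

// Constructed sample: 2001:db8::1 in network byte order.
static const unsigned char kSampleAddr[16] = {
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01};

// Pattern from the comment: the shifted bytes occupy disjoint bit ranges,
// so AND-ing them yields 0 for every word. The shifts also rely on the
// implicit promotion of each byte to int.
Ipv6Words parseWordsBuggy(const unsigned char *p)
{
    Ipv6Words out{};
    for (std::size_t i = 0; i < 4; ++i, p += 4)
        out[i] = (p[0] << 24) & (p[1] << 16) & (p[2] << 8) & p[3];
    return out;
}

// Corrected pattern: widen each byte to a fixed 32-bit unsigned type before
// shifting, then combine with OR. The length check is an added assumption.
bool parseWordsFixed(const unsigned char *p, std::size_t len, Ipv6Words &out)
{
    if (p == nullptr || len < 16)
        return false;
    for (std::size_t i = 0; i < 4; ++i, p += 4) {
        out[i] = (static_cast<std::uint32_t>(p[0]) << 24)
               | (static_cast<std::uint32_t>(p[1]) << 16)
               | (static_cast<std::uint32_t>(p[2]) << 8)
               |  static_cast<std::uint32_t>(p[3]);
    }
    return true;
}

int main()
{
    Ipv6Words bad = parseWordsBuggy(kSampleAddr), good{};
    parseWordsFixed(kSampleAddr, sizeof kSampleAddr, good);
    std::printf("buggy: %08x fixed: %08x\n", (unsigned)bad[0], (unsigned)good[0]);
    return 0;
}
```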
Upstream responded with a patch: https://phabricator.kde.org/D24359 Can you have a look?
(In reply to Fabian Vogt from comment #6)
> Upstream responded with a patch: https://phabricator.kde.org/D24359
>
> Can you have a look?

Note that the (soft) deadline for the final 5.17 is this Thursday, so having this merged until then would be good. Otherwise the final 5.17 would ship with the currently identified issues unfixed.
All of the found issues were fixed in 5.17.1 a while ago, so can this be whitelisted finally?
Fuzzing found one more bug [1]. I'll start the whitelisting process now, under the assumption that you'll include the patch in any submissions.

1: https://phabricator.kde.org/D25363
This is an autogenerated message for OBS integration: This bug (1151190) was mentioned in https://build.opensuse.org/request/show/749269 Factory / permissions
It appears like the path in the permissions package is wrong. It has to be "/usr/lib64/libexec/ksysguard/ksgrd_network_helper", but the "lib64"/"lib" part is missing: https://github.com/openSUSE/permissions/blob/7f3d0e12f527632ced175b1f8c68ee80a40269d3/profiles/permissions.secure#L437
*** Bug 1161732 has been marked as a duplicate of this bug. ***
I can adjust the whitelisting, but isn't /usr/libexec actually the correct path? Did this get rolled back?
(In reply to Malte Kraus from comment #13)
> I can adjust the whitelisting, but isn't /usr/libexec actually the correct
> path? Did this get rolled back?

Apparently: https://build.opensuse.org/package/rdiff/Base:System/rpm?linkrev=base&rev=516

So it might change in the future, but for current TW and Leap 15.2 (which this is needed for as well), /usr/lib(64)/libexec is the right path.

Additionally, there's a bug in ksysguard.spec which uses /usr/lib(64)/libexec/kf5/... in the chkstat call, I'll fix that.
This is an autogenerated message for OBS integration: This bug (1151190) was mentioned in https://build.opensuse.org/request/show/767607 Factory / ksysguard5
The updated whitelisting with /usr/lib{64,}/libexec paths just got rejected: https://build.opensuse.org/request/show/767672 Fabian, can you please talk with dimstar and figure out the correct paths?
(In reply to Malte Kraus from comment #17)
> The updated whitelisting with /usr/lib{64,}/libexec paths just got rejected:
> https://build.opensuse.org/request/show/767672
>
> Fabian, can you please talk with dimstar and figure out the correct paths?

Done, please reopen/resubmit the sr - no change necessary.
closing
This is an autogenerated message for OBS integration: This bug (1151190) was mentioned in https://build.opensuse.org/request/show/848830 15.2 / permissions
openSUSE-RU-2020:1999-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1151190
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): permissions-20181224-lp152.14.3.1, rpmlint-mini-1.10-lp152.7.3.1
This is an autogenerated message for OBS integration: This bug (1151190) was mentioned in https://build.opensuse.org/request/show/931965 15.3 / permissions
openSUSE-SU-2021:1520-1: An update that solves three vulnerabilities and has 27 fixes is now available.
Category: security (moderate)
Bug References: 1028975,1029961,1093414,1133678,1148788,1150345,1150366,1151190,1157498,1160285,1160764,1161335,1161779,1163588,1167163,1169614,1171164,1171173,1171569,1171580,1171686,1171879,1171882,1173221,1174504,1175720,1175867,1178475,1178476,1183669
CVE References: CVE-2019-3687,CVE-2019-3688,CVE-2020-8013
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): permissions-20200127-lp153.24.3.1