<html>
<body>
<div style="font-family: Verdana, Arial, Helvetica, Sans-Serif;">
<table bgcolor="#f9f3c9" width="100%" cellpadding="12" style="border: 1px #c9c399 solid; border-radius: 6px; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tr>
<td>
This is an automatically generated e-mail. To reply, visit:
<a href="https://git.reviewboard.kde.org/r/123724/">https://git.reviewboard.kde.org/r/123724/</a>
</td>
</tr>
</table>
<br />
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<p style="margin-top: 0;">On May 12th, 2015, 3:49 p.m. UTC, <b>Jan Kundrát</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">Was the old code a part of some release? If yes, this should get a CVE security announcement because it allows a local attacker to e.g. force you to overwirte some of your user's files.</p></pre>
</blockquote>
<p>On May 12th, 2015, 3:53 p.m. UTC, <b>Michael Palimaka</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">It looks like it was introduced in 999e774b3ce117598df2029364bd10f4347be81c and released in 0.2.0 and later.</p></pre>
</blockquote>
<p>On May 12th, 2015, 5:36 p.m. UTC, <b>Frank Reininghaus</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">Could you elaborate on how such an attack would work? Even if we ignore that the code in question is part of an autotest which is probably never installed anywhere, such that systems of packagers, developers and users who build from source are the only possible targets, I really don't see how an attacker could use the code to cause any unintended damage. Anyone who runs the test regularly creates and deletes the file /tmp/kpeople_test_db already, so what other damage could a local attacker cause?</p></pre>
</blockquote>
</blockquote>
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">I didn't realize that it's in autotests -- I apparently noticed just the basename of that file, observed that there's no "test" in what I saw, and concluded that it's exploitable. You're right that if it's unpackaged, then issuing a CVE doesn't make sense.</p>
<p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">On the other hand, if this wasn't in an autotest but instead a part of regular operation, something simple such as <code style="text-rendering: inherit;color: #4444cc;padding: 0;white-space: normal;margin: 0;line-height: inherit;">ln -s .ssh/id_rsa /tmp/kpeople_test_db</code> by an attacker would cause any app using this library to remove user's vital file.</p>
<p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">Sorry for noise.</p></pre>
<br />
<p>- Jan</p>
<br />
<p>On May 12th, 2015, 12:49 p.m. UTC, Michael Palimaka wrote:</p>
<table bgcolor="#fefadf" width="100%" cellspacing="0" cellpadding="12" style="border: 1px #888a85 solid; border-radius: 6px; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tr>
<td>
<div>Review request for KDE Frameworks and KDEPIM.</div>
<div>By Michael Palimaka.</div>
<p style="color: grey;"><i>Updated May 12, 2015, 12:49 p.m.</i></p>
<div style="margin-top: 1.5em;">
<b style="color: #575012; font-size: 10pt;">Repository: </b>
kpeople
</div>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Description </h1>
<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">
<tr>
<td>
<pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">Hardcoding files like this seems like a bad idea.</p></pre>
</td>
</tr>
</table>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Testing </h1>
<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">
<tr>
<td>
<pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><p style="padding: 0;text-rendering: inherit;margin: 0;line-height: inherit;white-space: inherit;">Tests still pass.</p></pre>
</td>
</tr>
</table>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Diffs</b> </h1>
<ul style="margin-left: 3em; padding-left: 0;">
<li>autotests/persondatatests.h <span style="color: grey">(30eeeb5cd647c713f1b438543a54516ced9f3ede)</span></li>
<li>autotests/persondatatests.cpp <span style="color: grey">(73098d3717509ad80761bbd02000b4ce5060bbb2)</span></li>
<li>autotests/personsmodeltest.h <span style="color: grey">(5b8879521f334459c4f73c2708b3368c543e40a3)</span></li>
<li>autotests/personsmodeltest.cpp <span style="color: grey">(b19d1baf8a2c2e617d4b6128df29fbab3b8e61a7)</span></li>
</ul>
<p><a href="https://git.reviewboard.kde.org/r/123724/diff/" style="margin-left: 3em;">View Diff</a></p>
</td>
</tr>
</table>
</div>
</body>
</html>