<table><tr><td style="">fvogt added a comment.
</td><a style="text-decoration: none; padding: 4px 8px; margin: 0 8px 8px; float: right; color: #464C5C; font-weight: bold; border-radius: 3px; background-color: #F7F7F9; background-image: linear-gradient(to bottom,#fff,#f1f0f1); display: inline-block; border: 1px solid rgba(71,87,120,.2);" href="https://phabricator.kde.org/D9966" rel="noreferrer">View Revision</a></tr></table><br /><div><div><p>Thanks for the quick reaction!</p>
<blockquote style="border-left: 3px solid #a7b5bf; color: #464c5c; font-style: italic; margin: 4px 0 12px 0; padding: 4px 12px; background-color: #f8f9fc;"><p>1.Fixes buffer overflow due to strcpy.</p></blockquote>
<p>Looks good, but I would prefer an exception or abort instead of silent truncation.</p>
<p>Also note that this makes it possible to delete an arbitrary file on non-linux platforms if <tt style="background: #ebebeb; font-size: 13px;">path</tt> is attacker-controlled, which needs to be fixed.</p>
<blockquote style="border-left: 3px solid #a7b5bf; color: #464c5c; font-style: italic; margin: 4px 0 12px 0; padding: 4px 12px; background-color: #f8f9fc;"><p>(BTW, SocketAddress::length should return the actual length of the buffer, currently it adds ~100 '\0' bytes to the end)</p></blockquote>
<p>Is not fixed, is this intentional?</p>
<blockquote style="border-left: 3px solid #a7b5bf; color: #464c5c; font-style: italic; margin: 4px 0 12px 0; padding: 4px 12px; background-color: #f8f9fc;"><p>2.Adds checks for socket credentials. Now a file descriptor will be received only if it was sent by a root owned process.</p></blockquote>
<p>Looks sensible, but it doesn't fix the other direction, which is:</p>
<ol class="remarkup-list">
<li class="remarkup-list-item">User asks the kauth helper to open a file as root</li>
<li class="remarkup-list-item">The kauth helper receives the socket address</li>
<li class="remarkup-list-item">file.so dies (reason does not matter)</li>
<li class="remarkup-list-item">Any process can now create a socket with the address the kauth helper connects to and receive the fd</li>
</ol>
<p>IMO the correct fix (which only applies to linux, according to the manpage) is to use a pathname socket in <tt style="background: #ebebeb; font-size: 13px;">$XDG_RUNTIME_DIR</tt> (or alternatively, somewhere returned by <tt style="background: #ebebeb; font-size: 13px;">mkdtemp</tt>).</p></div></div><br /><div><strong>REPOSITORY</strong><div><div>R241 KIO</div></div></div><br /><div><strong>REVISION DETAIL</strong><div><a href="https://phabricator.kde.org/D9966" rel="noreferrer">https://phabricator.kde.org/D9966</a></div></div><br /><div><strong>To: </strong>chinmoyr, Frameworks, thiago<br /><strong>Cc: </strong>ngraham, fvogt, lbeltrame, dfaure<br /></div>