cadence: fix CVE-2023-{43782,43783}

oSoWoSo · Oct 5, 2023 · 808672a · 808672a
1 parent d7c16c7
commit 808672a
Show file tree

Hide file tree

Showing 4 changed files with 140 additions and 15 deletions.
diff --git a/srcpkgs/cadence/patches/CVE-2023-43782.patch b/srcpkgs/cadence/patches/CVE-2023-43782.patch
@@ -0,0 +1,89 @@
+From 986a26147fa85fc3b2727a13c478b12994555e4a Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <[email protected]>
+Date: Tue, 22 Aug 2023 14:06:40 +0200
+Subject: [PATCH] cadence_aloop_daemon: place lockfile into non-public
+ directory
+
+The fixed /tmp path for the lock / shutdown handling of the daemon is
+problematic security wise, since any other user in the system can block
+this path. This also makes parallel instances for multiple user accounts
+impossible.
+
+Select a location in the user's /run directory or in its home directory
+(as a fallback).
+---
+ src/cadence.py              | 3 ++-
+ src/cadence_aloop_daemon.py | 5 +++--
+ src/shared.py               | 8 ++++++++
+ 3 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/cadence.py b/src/cadence.py
+index 87a14a8..714e2d6 100755
+--- a/src/cadence.py
++++ b/src/cadence.py
+@@ -38,6 +38,7 @@ import ui_cadence_tb_alsa
+ import ui_cadence_tb_a2j
+ import ui_cadence_tb_pa
+ import ui_cadence_rwait
++from shared import getDaemonLockfile
+ from shared_cadence import *
+ from shared_canvasjack import *
+ from shared_settings import *
+@@ -1710,7 +1711,7 @@ class CadenceMainW(QMainWindow, ui_cadence.Ui_CadenceMainW):
+
+     @pyqtSlot()
+     def slot_AlsaBridgeStop(self):
+-        checkFile = "/tmp/.cadence-aloop-daemon.x"
++        checkFile = self.getDaemonLockfile("cadence-aloop-daemon")
+         if os.path.exists(checkFile):
+             os.remove(checkFile)
+
+diff --git a/src/cadence_aloop_daemon.py b/src/cadence_aloop_daemon.py
+index c8408ef..b53f64d 100755
+--- a/src/cadence_aloop_daemon.py
++++ b/src/cadence_aloop_daemon.py
+@@ -33,6 +33,7 @@ else:
+ # Imports (Custom Stuff)
+
+ import jacklib
++from shared import getDaemonLockfile
+
+ # --------------------------------------------------
+ # Auto re-activate if on good kernel
+@@ -50,7 +51,7 @@ doRunNow  = True
+ useZita   = False
+ procIn    = QProcess()
+ procOut   = QProcess()
+-checkFile = "/tmp/.cadence-aloop-daemon.x"
++checkFile = getDaemonLockfile("cadence-aloop-daemon")
+
+ # --------------------------------------------------
+ # Global JACK variables
+@@ -161,7 +162,7 @@ if __name__ == '__main__':
+     client = jacklib.client_open("cadence-aloop-daemon", jacklib.JackUseExactName, None)
+
+     if not client:
+-        print("cadence-aloop-daemon is already running, delete \"/tmp/.cadence-aloop-daemon.x\" to close it")
++        print("cadence-aloop-daemon is already running, delete \"{}\" to close it".format(checkFile))
+         quit()
+
+     if jacklib.JACK2:
+diff --git a/src/shared.py b/src/shared.py
+index 2df4d54..e65d292 100644
+--- a/src/shared.py
++++ b/src/shared.py
+@@ -312,3 +312,11 @@ def setIcons(self_, modes):
+     if "misc" in modes:
+         gGui.ui.act_quit.setIcon(getIcon("application-exit"))
+         gGui.ui.act_configure.setIcon(getIcon("configure"))
++
++def getDaemonLockfile(base):
++    lockdir = os.environ.get("XDG_RUNTIME_DIR", None)
++    if not lockdir:
++        lockdir = os.path.expanduser("~")
++
++    return os.path.join(lockdir, "{}-lock".format(base))
++
+-- 
+2.41.0
+
diff --git a/srcpkgs/cadence/patches/CVE-2023-43783.patch b/srcpkgs/cadence/patches/CVE-2023-43783.patch
@@ -0,0 +1,46 @@
+From 3fdff274c40795ad6a24891066358aa7a3953962 Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <[email protected]>
+Date: Tue, 22 Aug 2023 14:28:33 +0200
+Subject: [PATCH] cadence.py: wine ASIO settings: use safe tempfile
+
+This fixed tempfile path poses a security issue that even might allow
+other users on the system to inject arbitrary wine registry settings, if
+protect_symlinks and protect_regular kernel protection is not enabled.
+
+Use a proper NamedTemporaryFile to pass the data to regedit to fix this.
+---
+ src/cadence.py | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/cadence.py b/src/cadence.py
+index 714e2d6..fddadfb 100755
+--- a/src/cadence.py
++++ b/src/cadence.py
+@@ -47,6 +47,8 @@ from shared_settings import *
+ # Import getoutput
+
+ from subprocess import getoutput
++import tempfile
++import subprocess
+
+ # ------------------------------------------------------------------------------------------------------------
+ # Try Import DBus
+@@ -2095,11 +2097,10 @@ class CadenceMainW(QMainWindow, ui_cadence.Ui_CadenceMainW):
+             REGFILE += '"Number of outputs"=dword:000000%s\n' % smartHex(self.sb_wineasio_outs.value(), 2)
+             REGFILE += '"Preferred buffersize"=dword:0000%s\n' % smartHex(int(self.cb_wineasio_bsizes.currentText()), 4)
+
+-            writeFile = open("/tmp/cadence-wineasio.reg", "w")
+-            writeFile.write(REGFILE)
+-            writeFile.close()
+-
+-            os.system("regedit /tmp/cadence-wineasio.reg")
++            with tempfile.NamedTemporaryFile('w') as tmpfile:
++                tmpfile.write(REGFILE)
++                tmpfile.flush()
++                subprocess.run(["regedit", tmpfile.name])
+
+         self.settings_changed_types = []
+         self.frame_tweaks_settings.setVisible(False)
+-- 
+2.41.0
+
diff --git a/srcpkgs/cadence/patches/QPainterPath.patch b/srcpkgs/cadence/patches/QPainterPath.patch
@@ -1,5 +1,5 @@
---- a/c++/patchcanvas/canvasbezierline.cpp	2019-11-17 21:34:05.000000000 +0100
-+++ b/c++/patchcanvas/canvasbezierline.cpp	2020-09-02 13:13:34.042234477 +0200
+--- a/c++/patchcanvas/canvasbezierline.cpp
++++ b/c++/patchcanvas/canvasbezierline.cpp
 @@ -18,6 +18,7 @@
  #include "canvasbezierline.h"
 
@@ -8,8 +8,8 @@
 
  #include "canvasport.h"
  #include "canvasportglow.h"
---- a/c++/patchcanvas/canvasbezierlinemov.cpp	2019-11-17 21:34:05.000000000 +0100
-+++ b/c++/patchcanvas/canvasbezierlinemov.cpp	2020-09-02 13:13:27.093234119 +0200
+--- a/c++/patchcanvas/canvasbezierlinemov.cpp
++++ b/c++/patchcanvas/canvasbezierlinemov.cpp
 @@ -18,6 +18,7 @@
  #include "canvasbezierlinemov.h"
 
@@ -18,13 +18,3 @@
 
  #include "canvasport.h"
 
---- a/c++/widgets/pixmapdial.cpp	2019-11-17 21:34:05.000000000 +0100
-+++ b/c++/widgets/pixmapdial.cpp	2020-09-02 13:13:16.853233591 +0200
-@@ -21,6 +21,7 @@
-
- #include <QtCore/QTimer>
- #include <QtGui/QPainter>
-+#include <QtGui/QPainterPath>
- #include <QtGui/QPaintEvent>
-
- PixmapDial::PixmapDial(QWidget* parent)
diff --git a/srcpkgs/cadence/template b/srcpkgs/cadence/template
@@ -1,7 +1,7 @@
 # Template file for 'cadence'
 pkgname=cadence
 version=0.9.2
-revision=3
+revision=4
 build_style=gnu-makefile
 pycompile_dirs="usr/share/cadence/src"
 hostmakedepends="pkg-config qt5-host-tools python3-PyQt5-devel-tools"