author | Raphael Kubo da Costa <rakuco@FreeBSD.org> | 2014-11-17 21:00:49 +0000 |
---|---|---|
committer | Raphael Kubo da Costa <rakuco@FreeBSD.org> | 2014-11-17 21:00:49 +0000 |
commit | a9c4dfde2d7a5e175415962f7341df12bd9a6450 (patch) | |
tree | f1bbccf8f3c8c2a536102cc6459c5fe81d3cb374 /x11/kde4-workspace | |
parent | 20b860a4f74032f86f6128dc92d495133bd103e8 (diff) | |
download | ports-a9c4dfde2d7a5e175415962f7341df12bd9a6450.tar.gz ports-a9c4dfde2d7a5e175415962f7341df12bd9a6450.zip |
Notes
Diffstat (limited to 'x11/kde4-workspace')
-rw-r--r-- | x11/kde4-workspace/Makefile | 1 | ||||
-rw-r--r-- | x11/kde4-workspace/files/patch-CVE-2014-8651 | 113 |
2 files changed, 114 insertions, 0 deletions
diff --git a/x11/kde4-workspace/Makefile b/x11/kde4-workspace/Makefile
index 27b3c08df361..5a3fd6090fec 100644
--- a/x11/kde4-workspace/Makefile
+++ b/x11/kde4-workspace/Makefile
@@ -2,6 +2,7 @@
 PORTNAME= kde-workspace
 PORTVERSION= ${KDE4_WORKSPACE_VERSION}
+PORTREVISION= 1
 CATEGORIES= x11 kde
 MASTER_SITES= KDE/${KDE4_BRANCH}/${KDE4_VERSION}/src
 DIST_SUBDIR= KDE/${PORTVERSION}
diff --git a/x11/kde4-workspace/files/patch-CVE-2014-8651 b/x11/kde4-workspace/files/patch-CVE-2014-8651
new file mode 100644
index 000000000000..288b8afb99f1
--- /dev/null
+++ b/x11/kde4-workspace/files/patch-CVE-2014-8651
@@ -0,0 +1,113 @@
+commit eebcb17746d9fa86ea8c5a7344709ef6750781cf
+Author: David Edmundson <kde@davidedmundson.co.uk>
+Date: Tue Nov 4 13:57:59 2014 +0100
+
+ Do not pass ntpUtility as an argument to datetime helper
+
+ Passing the name of a binary to run to a polkit helper is a security
+ risk as it allows any arbitrary process to be executed.
+
+ This patch moves the detection of ntp utility location into the helper
+ function.
+
+ REVIEW: 120977
+
+--- kcontrol/dateandtime/dtime.cpp
++++ kcontrol/dateandtime/dtime.cpp
+@@ -142,27 +142,15 @@ void Dtime::serverTimeCheck() {
+ //kclock->setEnabled(enabled);
+ }
+
+-void Dtime::findNTPutility(){
+- QByteArray envpath = qgetenv("PATH");
+- if (!envpath.isEmpty() && envpath[0] == ':') {
+- envpath = envpath.mid(1);
+- }
+-
+- QString path = "/sbin:/usr/sbin:";
+- if (!envpath.isEmpty()) {
+- path += QString::fromLocal8Bit(envpath);
+- } else {
+- path += QLatin1String("/bin:/usr/bin");
+- }
+-
+- foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
+- if( !((ntpUtility = KStandardDirs::findExe(possible_ntputility, path)).isEmpty()) ) {
+- kDebug() << "ntpUtility = " << ntpUtility;
+- return;
++void Dtime::findNTPutility()
++{
++ const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
++ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++ ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++ if (!ntpUtility.isEmpty()) {
++ return;
++ }
+ }
+- }
+-
+- kDebug() << "ntpUtility not found!";
+ }
+
+ void Dtime::set_time()
+@@ -238,7 +226,6 @@ void Dtime::save( QVariantMap& helperargs )
+ helperargs["ntp"] = true;
+ helperargs["ntpServers"] = list;
+ helperargs["ntpEnabled"] = setDateTimeAuto->isChecked();
+- helperargs["ntpUtility"] = ntpUtility;
+
+ if(setDateTimeAuto->isChecked() && !ntpUtility.isEmpty()){
+ // NTP Time setting - done in helper
+--- kcontrol/dateandtime/helper.cpp
++++ kcontrol/dateandtime/helper.cpp
+@@ -52,8 +52,18 @@
+ // clears it. So we have to use a reasonable default.
+ static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
+
+-int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
+- const QString& ntpUtility )
++static QString findNtpUtility()
++{
++ foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
++ const QString ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
++ if (!ntpUtility.isEmpty()) {
++ return ntpUtility;
++ }
++ }
++ return QString();
++}
++
++int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled )
+ {
+ int ret = 0;
+
+@@ -69,6 +79,8 @@ int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
+ config.writeEntry("servers", ntpServers );
+ config.writeEntry("enabled", ntpEnabled );
+
++ QString ntpUtility(findNtpUtility());
++
+ if ( ntpEnabled && !ntpUtility.isEmpty() ) {
+ // NTP Time setting
+ QString timeServer = ntpServers.first();
+@@ -227,7 +239,7 @@ ActionReply ClockHelper::save(const QVariantMap &args)
+ int ret = 0; // error code
+ // The order here is important
+ if( _ntp )
+- ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool(), args.value("ntpUtility").toString() );
++ ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool());
+ if( _date )
+ ret |= date( args.value("newdate").toString(), args.value("olddate").toString() );
+ if( _tz )
+--- kcontrol/dateandtime/helper.h
++++ kcontrol/dateandtime/helper.h
+@@ -42,8 +42,7 @@ class ClockHelper : public QObject
+ ActionReply save(const QVariantMap &map);
+
+ private:
+- int ntp(const QStringList& ntpServers, bool ntpEnabled,
+- const QString& ntpUtility);
++ int ntp(const QStringList& ntpServers, bool ntpEnabled);
+ int date(const QString& newdate, const QString& olddate);
+ int tz(const QString& selectedzone);
+ int tzreset(); |
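Review bot: `QString timeServer = ntpServers.first();` in ClockHelper::ntp (context of the `-69,6 +79,8` hunk in helper.cpp) still runs on a caller-supplied list with no emptiness check, and this code is the privileged side of the polkit boundary the commit message describes. The guard should cover it, e.g. `if ( ntpEnabled && !ntpUtility.isEmpty() && !ntpServers.isEmpty() ) {`. Removing `ntpUtility` from the arguments closes the arbitrary-binary path, but the server string remains caller-controlled. How it reaches the utility is outside the hunk; if it ends up as a command-line argument, it should be validated as a host name (in particular, not beginning with `-`) before use. The body of ntp() continues beyond the visible hunk.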