"kpmcore_externalcommand helper contains a logic flaw in which the service invoking dbus is not properly checked. An attacker on your local machine can replace /etc/fstab, execute mount and other partitioning related commands while KDE Partition Manager is running. mount command can then be used to gain full root privileges." "KDE Partition Manager 4.2.0 fixes this issue. You can apply the following patches on top of KPMcore 4.1.0: https://invent.kde.org/system/kpmcore/-/commit/c466c5db11b5cee546d1ec0594c2f1105a354fed (fix) https://invent.kde.org/system/kpmcore/-/commit/7ec4b611dcf822439b081613cca4184689266454 (removes KF5 5.73 dependency)"
Let us know when ready for stabilisation (is this the right version?)
Sanity check failed: > sys-block/partitionmanager-4.2.0 > depend amd64 stable profile default/linux/amd64/17.0 (39 total) > >=sys-libs/kpmcore-4.2.0:5= > depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total) > >=sys-libs/kpmcore-4.2.0:5= > rdepend amd64 stable profile default/linux/amd64/17.0 (39 total) > >=sys-libs/kpmcore-4.2.0:5= > rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total) > >=sys-libs/kpmcore-4.2.0:5=
sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability is in kpmcore.
(In reply to Andrius Štikonas from comment #3) > sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability > is in kpmcore. Do you think it is safe to stabilise already?
All sanity-check issues have been resolved
(In reply to Andreas Sturmlechner from comment #4) > (In reply to Andrius Štikonas from comment #3) > > sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability > > is in kpmcore. > Do you think it is safe to stabilise already? So far I was only told about two issues: 1) There is a dependency on KDE Frameworks 5.73 (CMakeLlists.txt checks for lower version). We already have 5.74 stabilized, so this does not matter. 2)There is unfortunately a small API breakage that slipped in during KAuth->Polkit port and =app-admin/calamares-3.2.28.3 fails to compile with kpmcore-4.2.0. Calamares has no stable keywords but it might be a good idea to pull in latest version 3.2.32.1 which fixes this. Other than that it seems to work quite well.
(In reply to Andreas Sturmlechner from comment #4) > (In reply to Andrius Štikonas from comment #3) > > sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability > > is in kpmcore. > Do you think it is safe to stabilise already? Still no new reports about new version, which is I think a good sign. calamares is also in tree now. Maybe time to start stabilization?
x86 stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4c2298e2fa4e31208cec545a3fa752b0cfb276f commit e4c2298e2fa4e31208cec545a3fa752b0cfb276f Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-10-26 13:17:04 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-10-26 13:55:47 +0000 sys-libs/kpmcore: Drop vulnerable 4.1.0 Bug: https://bugs.gentoo.org/749822 Package-Manager: Portage-3.0.8, Repoman-3.0.2 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> sys-libs/kpmcore/Manifest | 1 - sys-libs/kpmcore/kpmcore-4.1.0.ebuild | 41 ----------------------------------- 2 files changed, 42 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4eb89c9b673d4699feff9d09653f5d2abebe299b commit 4eb89c9b673d4699feff9d09653f5d2abebe299b Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-10-26 13:16:13 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-10-26 13:55:46 +0000 sys-block/partitionmanager: 4.2.0 amd64 stable Bug: https://bugs.gentoo.org/749822 Package-Manager: Portage-3.0.8, Repoman-3.0.2 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> sys-block/partitionmanager/partitionmanager-4.2.0.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8be95d0054f4f315915be317e6226eeacd8b8844 commit 8be95d0054f4f315915be317e6226eeacd8b8844 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-10-26 13:16:01 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-10-26 13:55:46 +0000 sys-libs/kpmcore: 4.2.0 amd64 stable Bug: https://bugs.gentoo.org/749822 Package-Manager: Portage-3.0.8, Repoman-3.0.2 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> sys-libs/kpmcore/kpmcore-4.2.0.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
kde is done here anyway.
This issue was resolved and addressed in GLSA 202011-03 at https://security.gentoo.org/glsa/202011-03 by GLSA coordinator Sam James (sam_c).
