833500 – (CVE-2022-24986) <kde-apps/kcron-21.12.2-r1: private task exposure

Bug 833500 (CVE-2022-24986) - <kde-apps/kcron-21.12.2-r1: private task exposure

Summary: <kde-apps/kcron-21.12.2-r1: private task exposure

Status:	RESOLVED FIXED

Alias:	CVE-2022-24986

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:	https://kde.org/info/security/advisor...
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2022-02-16 18:50 UTC by John Helmert III
Modified:	2022-02-16 19:10 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-02-16 18:50:35 UTC

"Overview
========

KCron is a module for the System Settings application.
The module identifies itself with the "Task Scheduler" user visible name.
It allows users to edit crontabs (both user-specific and system-wide) in a
GUI interface.

The code of the module doesn't use temporary files correctly neither when
reading the existing crontab nor when saving the new one.

Impact
======

Your private tasks may be exposed to other users of the system.
The system tasks may be replaced by other users of the system that don't
have rights to edit them."

Please bump to 21.12.3.

Comment 1 John Helmert III archtester

2022-02-16 18:57:12 UTC

Only unstable is affected according to asturm.

Comment 2 Larry the Git Cow gentoo-dev

2022-02-16 18:58:58 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf4fae8831448c205eb4572e5ce90074399f2beb

commit bf4fae8831448c205eb4572e5ce90074399f2beb
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-02-16 18:57:15 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-02-16 18:58:44 +0000

    kde-apps/kcron: Cleanup vulnerable 21.12.2 (r0)
    
    Bug: https://bugs.gentoo.org/833500
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-apps/kcron/kcron-21.12.2.ebuild | 32 --------------------------------
 1 file changed, 32 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f560da8a6e7041b35277af4f5b6576cd6799ee7f

commit f560da8a6e7041b35277af4f5b6576cd6799ee7f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-02-16 18:46:51 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-02-16 18:58:43 +0000

    kde-apps/kcron: Fix CVE-2022-24986
    
    See also: https://kde.org/info/security/advisory-20220216-1.txt
    
    Bug: https://bugs.gentoo.org/833500
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../kcron/files/kcron-21.12.2-CVE-2022-24986.patch | 291 +++++++++++++++++++++
 .../kcron-21.12.2-KCronHelper-return-error.patch   |  44 ++++
 kde-apps/kcron/kcron-21.12.2-r1.ebuild             |  37 +++
 3 files changed, 372 insertions(+)

Comment 3 Andreas Sturmlechner gentoo-dev

2022-02-16 19:04:58 UTC

kde proj is done again.

Comment 4 John Helmert III archtester

2022-02-16 19:05:44 UTC

Very easy, all done!