Summary: | <sys-libs/kpmcore-4.2.0: Root privilege escalation (CVE-2020-27187) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | andrius |
Priority: | Normal | Keywords: | CC-ARCHES, STABLEREQ |
Version: | unspecified | Flags: | nattka: sanity-check+ |
Hardware: | All | ||
OS: | Linux | ||
URL: | https://mail.kde.org/pipermail/kde-announce/2020-October/000124.html | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=749984 | ||
Whiteboard: | B1 [glsa+ cve] | ||
Package list: | sys-block/partitionmanager-4.2.0 sys-libs/kpmcore-4.2.0 | Runtime testing required: | --- |
Description
Sam James
2020-10-17 20:31:01 UTC
Let us know when ready for stabilisation (is this the right version?)

Sanity check failed:
> sys-block/partitionmanager-4.2.0
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=sys-libs/kpmcore-4.2.0:5=
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=sys-libs/kpmcore-4.2.0:5=
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=sys-libs/kpmcore-4.2.0:5=
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> >=sys-libs/kpmcore-4.2.0:5=

sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability is in kpmcore.

(In reply to Andrius Štikonas from comment #3)
> sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability
> is in kpmcore.
Do you think it is safe to stabilise already?

All sanity-check issues have been resolved

(In reply to Andreas Sturmlechner from comment #4)
> (In reply to Andrius Štikonas from comment #3)
> > sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability
> > is in kpmcore.
> Do you think it is safe to stabilise already?
So far I was only told about two issues:
1) There is a dependency on KDE Frameworks 5.73 (CMakeLists.txt checks for lower version). We already have 5.74 stabilized, so this does not matter.
2) There is unfortunately a small API breakage that slipped in during KAuth->Polkit port and =app-admin/calamares-3.2.28.3 fails to compile with kpmcore-4.2.0. Calamares has no stable keywords but it might be a good idea to pull in latest version 3.2.32.1 which fixes this.
Other than that it seems to work quite well.

(In reply to Andreas Sturmlechner from comment #4)
> (In reply to Andrius Štikonas from comment #3)
> > sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability
> > is in kpmcore.
> Do you think it is safe to stabilise already?
Still no new reports about new version, which is I think a good sign. calamares is also in tree now. Maybe time to start stabilization?

x86 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4c2298e2fa4e31208cec545a3fa752b0cfb276f
commit e4c2298e2fa4e31208cec545a3fa752b0cfb276f
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-26 13:17:04 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-26 13:55:47 +0000

    sys-libs/kpmcore: Drop vulnerable 4.1.0

    Bug: https://bugs.gentoo.org/749822
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sys-libs/kpmcore/Manifest | 1 -
 sys-libs/kpmcore/kpmcore-4.1.0.ebuild | 41 -----------------------------------
 2 files changed, 42 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4eb89c9b673d4699feff9d09653f5d2abebe299b
commit 4eb89c9b673d4699feff9d09653f5d2abebe299b
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-26 13:16:13 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-26 13:55:46 +0000

    sys-block/partitionmanager: 4.2.0 amd64 stable

    Bug: https://bugs.gentoo.org/749822
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sys-block/partitionmanager/partitionmanager-4.2.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8be95d0054f4f315915be317e6226eeacd8b8844
commit 8be95d0054f4f315915be317e6226eeacd8b8844
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-26 13:16:01 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-26 13:55:46 +0000

    sys-libs/kpmcore: 4.2.0 amd64 stable

    Bug: https://bugs.gentoo.org/749822
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sys-libs/kpmcore/kpmcore-4.2.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

kde is done here anyway.

This issue was resolved and addressed in GLSA 202011-03 at https://security.gentoo.org/glsa/202011-03 by GLSA coordinator Sam James (sam_c).