Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 833152

Summary: <kde-apps/kate-21.12.1: untrusted binary execution
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://kde.org/info/security/advisory-20220131-1.txt
Whiteboard: B2 [stable?]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 833154    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 03:45:08 UTC
Alias:
CVE-2022-23853:

The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened (due to a misunderstanding of the QProcess API, that was never intended). This can be an untrusted directory.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 03:56:40 UTC
I thought I'd filed bugs for this but note that (thanks to asturm for pointing it out) it's one or t'other -- the frameworks fix covers Kate too.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-16 18:40:55 UTC

*** This bug has been marked as a duplicate of bug 832447 ***