Bug 618108 (CVE-2017-8422) - <kde-frameworks/kauth-5.29.0-r1, <kde-frameworks/kdelibs-4.14.32: service invoking dbus is not properly checked and allows local privilege escalation
Status: RESOLVED FIXED
Alias: CVE-2017-8422
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 [glsa cve]
Reported: 2017-05-10 13:06 UTC by Agostino Sarubbo
Modified: 2017-06-27 10:07 UTC

Package list:
kde-frameworks/kauth-5.29.0-r1 kde-frameworks/kdelibs-4.14.32
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-05-10 13:06:45 UTC
From ${URL} :

KAuth contains a logic flaw in which the service invoking dbus is not properly checked. This allows spoofing the identity of the caller and with some carefully crafted calls can lead to gaining root from an unprivileged account.

Affected versions: kauth < 5.34, kdelibs < 4.14.32

Upstream patches:

kauth: https://commits.kde.org/kauth/df875f725293af53399f5146362eb158b4f9216a
kdelibs: https://commits.kde.org/kdelibs/264e97625abe2e0334f97de17f6ffb52582888ab

External References:

https://www.kde.org/info/security/advisory-20170510-1.txt
http://seclists.org/oss-sec/2017/q2/240


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
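
The class of flaw the description names, a privileged helper that does not check which bus connection is really calling it, shown as an added C++ model (not KAuth's code and not part of the original report). The `BusMessage` fields, the `Policy` type, the function names, the connection names and the action string are all hypothetical, and the model assumes the caller's identity also travels as a client-supplied argument.

```cpp
#include <map>
#include <set>
#include <string>

// Constructed model of a bus message. The bus daemon stamps `sender`;
// `claimed_caller` is an argument chosen by the client (hypothetical field).
struct BusMessage {
    std::string sender;
    std::string claimed_caller;
    std::string action;
};

// Hypothetical policy store: actions granted per bus connection name.
struct Policy {
    std::map<std::string, std::set<std::string>> grants;
    bool allows(const std::string& conn, const std::string& action) const {
        auto it = grants.find(conn);
        return it != grants.end() && it->second.count(action) > 0;
    }
};

// Flawed: authorization is evaluated for an identity the client picked.
bool authorize_flawed(const Policy& p, const BusMessage& m) {
    return p.allows(m.claimed_caller, m.action);
}

// Hardened: refuse any mismatch between the claimed identity and the
// bus-stamped sender, then authorize the sender only.
bool authorize_checked(const Policy& p, const BusMessage& m) {
    if (m.claimed_caller != m.sender) return false;
    return p.allows(m.sender, m.action);
}

// Constructed sample data: ":1.10" holds the grant, ":1.42" does not.
const char* const kAction = "org.example.helper.write";
Policy sample_policy() {
    Policy p;
    p.grants[":1.10"].insert(kAction);
    return p;
}
BusMessage spoofed() { return {":1.42", ":1.10", kAction}; }
BusMessage honest()  { return {":1.10", ":1.10", kAction}; }

int main() {
    Policy p = sample_policy();
    bool ok = authorize_flawed(p, spoofed())     // flaw: claimed identity wins
           && !authorize_checked(p, spoofed())   // fix: mismatch is refused
           && authorize_checked(p, honest());    // real caller still works
    return ok ? 0 : 1;
}
```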
Comment 1 Andreas Sturmlechner gentoo-dev 2017-05-10 13:15:56 UTC
Backported fix and bumped to 5.29.0-r1 in git commit c208b4b8abec754d3d2937317b413bfe3f9ac919
Comment 2 Andreas Sturmlechner gentoo-dev 2017-05-10 18:12:40 UTC
(5.29.0-r1 is ready for stabilisation)
Comment 3 Agostino Sarubbo gentoo-dev 2017-05-11 07:51:53 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-11 08:38:02 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Andreas Sturmlechner gentoo-dev 2017-05-11 15:01:10 UTC
kdelibs-4.14.32 bumped in git commit 142a861308f82867004d811f3d8f5c881a351548, please stabilise - the security fix is the only change to 4.14.31 which would have been long enough in tree already.
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-05-11 18:05:22 UTC
@ Arches, we forgot to add kde-frameworks/kdelibs so please run this bug again.
Comment 7 Agostino Sarubbo gentoo-dev 2017-05-12 07:58:20 UTC
(In reply to Thomas Deutschmann from comment #6)
> @ Arches, we forgot to add kde-frameworks/kdelibs so please run this bug
> again.

no problem...
Comment 8 Agostino Sarubbo gentoo-dev 2017-05-12 08:39:44 UTC
amd64 stable
Comment 9 Linubie 2017-05-12 16:04:34 UTC
kde-frameworks/kdelibs-4.14.32

fails to compile for me

log file is about 12 MB
https://www.dropbox.com/s/kqh9zmz2sty8pn8/build.log?dl=0
Comment 10 Andreas Sturmlechner gentoo-dev 2017-05-12 16:45:16 UTC
(In reply to Linubie from comment #9)
> kde-frameworks/kdelibs-4.14.32
> 
> fails to compile for me

This is completely unrelated to this bug and a local issue - you have a botched GCC-5 upgrade. Please don't file new bugs until you have successfully completed the instructions of the news item:

https://www.gentoo.org/support/news-items/2015-10-22-gcc-5-new-c++11-abi.html

And once you have done that, _never_ switch back to an older version of GCC.
Comment 11 Agostino Sarubbo gentoo-dev 2017-05-16 08:01:52 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 12 Andreas Sturmlechner gentoo-dev 2017-05-16 18:47:45 UTC
Thanks, final cleanup done in 3cde424f20a0e2de8fb7bb8bd0e7d8a609e84395
Comment 13 Thomas Deutschmann gentoo-dev Security 2017-06-06 14:26:54 UTC
New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-06-27 10:07:10 UTC
This issue was resolved and addressed in
 GLSA 201706-29 at https://security.gentoo.org/glsa/201706-29
by GLSA coordinator Thomas Deutschmann (whissi).