Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 749822 (CVE-2020-27187) - <sys-libs/kpmcore-4.2.0: Root privilege escalation (CVE-2020-27187)
Summary: <sys-libs/kpmcore-4.2.0: Root privilege escalation (CVE-2020-27187)
Status: RESOLVED FIXED
Alias: CVE-2020-27187
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://mail.kde.org/pipermail/kde-an...
Whiteboard: B1 [glsa+ cve]
Keywords: CC-ARCHES, STABLEREQ
Depends on:
Blocks:
 
Reported: 2020-10-17 20:31 UTC by Sam James
Modified: 2020-11-03 00:54 UTC (History)
1 user (show)

See Also:
Package list:
sys-block/partitionmanager-4.2.0 sys-libs/kpmcore-4.2.0
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-10-17 20:31:01 UTC
"kpmcore_externalcommand helper contains a logic flaw in which the service invoking dbus
is not properly checked. An attacker on your local machine can replace /etc/fstab,
execute mount and other partitioning related commands while KDE Partition Manager is running.
mount command can then be used to gain full root privileges."


"KDE Partition Manager 4.2.0 fixes this issue.

You can apply the following patches on top of KPMcore 4.1.0:
https://invent.kde.org/system/kpmcore/-/commit/c466c5db11b5cee546d1ec0594c2f1105a354fed (fix)
https://invent.kde.org/system/kpmcore/-/commit/7ec4b611dcf822439b081613cca4184689266454 (removes KF5 5.73 dependency)"
Comment 1 Sam James archtester gentoo-dev Security 2020-10-17 20:31:51 UTC
Let us know when ready for stabilisation (is this the right version?)
Comment 2 NATTkA bot gentoo-dev 2020-10-17 20:32:53 UTC
Sanity check failed:

> sys-block/partitionmanager-4.2.0
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=sys-libs/kpmcore-4.2.0:5=
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >=sys-libs/kpmcore-4.2.0:5=
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=sys-libs/kpmcore-4.2.0:5=
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     >=sys-libs/kpmcore-4.2.0:5=
Comment 3 Andrius Štikonas 2020-10-17 22:00:05 UTC
sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability is in kpmcore.
Comment 4 Andreas Sturmlechner gentoo-dev 2020-10-18 16:53:32 UTC
(In reply to Andrius Štikonas from comment #3)
> sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability
> is in kpmcore.
Do you think it is safe to stabilise already?
Comment 5 NATTkA bot gentoo-dev 2020-10-18 16:56:53 UTC
All sanity-check issues have been resolved
Comment 6 Andrius Štikonas 2020-10-18 17:04:09 UTC
(In reply to Andreas Sturmlechner from comment #4)
> (In reply to Andrius Štikonas from comment #3)
> > sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability
> > is in kpmcore.
> Do you think it is safe to stabilise already?

So far I was only told about two issues:
1) There is a dependency on KDE Frameworks 5.73 (CMakeLlists.txt checks for lower version). We already have 5.74 stabilized, so this does not matter.

2)There is unfortunately a small API breakage that slipped in during KAuth->Polkit port and =app-admin/calamares-3.2.28.3 fails to compile with kpmcore-4.2.0. Calamares has no stable keywords but it might be a good idea to pull in latest version 3.2.32.1 which fixes this.

Other than that it seems to work quite well.
Comment 7 Andrius Štikonas 2020-10-22 17:13:24 UTC
(In reply to Andreas Sturmlechner from comment #4)
> (In reply to Andrius Štikonas from comment #3)
> > sys-libs/kpmcore-4.2.0 should be stabilized as well. In fact vulnerability
> > is in kpmcore.
> Do you think it is safe to stabilise already?

Still no new reports about new version, which is I think a good sign. calamares is also in tree now. Maybe time to start stabilization?
Comment 8 Thomas Deutschmann gentoo-dev Security 2020-10-25 23:09:11 UTC
x86 stable
Comment 9 Larry the Git Cow gentoo-dev 2020-10-26 13:56:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4c2298e2fa4e31208cec545a3fa752b0cfb276f

commit e4c2298e2fa4e31208cec545a3fa752b0cfb276f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-26 13:17:04 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-26 13:55:47 +0000

    sys-libs/kpmcore: Drop vulnerable 4.1.0
    
    Bug: https://bugs.gentoo.org/749822
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sys-libs/kpmcore/Manifest             |  1 -
 sys-libs/kpmcore/kpmcore-4.1.0.ebuild | 41 -----------------------------------
 2 files changed, 42 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4eb89c9b673d4699feff9d09653f5d2abebe299b

commit 4eb89c9b673d4699feff9d09653f5d2abebe299b
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-26 13:16:13 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-26 13:55:46 +0000

    sys-block/partitionmanager: 4.2.0 amd64 stable
    
    Bug: https://bugs.gentoo.org/749822
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sys-block/partitionmanager/partitionmanager-4.2.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8be95d0054f4f315915be317e6226eeacd8b8844

commit 8be95d0054f4f315915be317e6226eeacd8b8844
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-26 13:16:01 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-26 13:55:46 +0000

    sys-libs/kpmcore: 4.2.0 amd64 stable
    
    Bug: https://bugs.gentoo.org/749822
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 sys-libs/kpmcore/kpmcore-4.2.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 10 Andreas Sturmlechner gentoo-dev 2020-10-29 10:50:24 UTC
kde is done here anyway.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-11-03 00:54:03 UTC
This issue was resolved and addressed in
 GLSA 202011-03 at https://security.gentoo.org/glsa/202011-03
by GLSA coordinator Sam James (sam_c).