KTextEditor and Kate execute binaries without user interaction in a few cases.
Some examples are:
- KTextEditor will try to check on external file modification, via invoking the "git" binary, whether the file is known in the repository with the new content.
- Kate will execute the LSP (language server protocol) server associated with the mime type of the files you open if the LSP plugin is active.
- Kate will execute "git", "svn" and other version control tools on document open to retrieve project information if the project plugin is active.
KTextEditor & Kate use QProcess for this process invocation.
The typical pattern is like:
p.setWorkingDirectory(xxx); // in some cases
As the binary name is in most cases passed as a non-absolute executable name, QProcess will execute a "binaryname" named executable
from the working directory (implicit that of the application or explicit that one set by setWorkingDirectory), if no matching executable is found
in the normal search path (PATH).
This allows attackers to put malicious executables with the right name, for example, in the document directory.
If the wanted executable is not in the search path, the malicious one will be executed.
Opening files might lead to the execution of malicious binaries if they are placed in the right directories.
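As an added illustration (not code from the advisory, KTextEditor or Qt), the following models the two lookup rules the advisory contrasts: a PATH-only search that refuses on a miss, versus the PATH-then-working-directory fallback that makes an executable placed beside the document reachable. The file system is replaced by a constructed predicate, and the names findInPath, resolveWithCwdFallback and constructedProbe are hypothetical.

```cpp
#include <functional>
#include <set>
#include <string>
#include <vector>

// "Is there an executable regular file at this path?" Injected so the lookup
// rules can be exercised on a constructed file-system model.
using ExecProbe = std::function<bool(const std::string&)>;

// Hardened lookup: search only the PATH entries; a bare name that is not found
// yields "" and the caller must then not start anything. (In Qt code this is
// what QStandardPaths::findExecutable() provides.)
std::string findInPath(const std::string& name,
                       const std::vector<std::string>& pathDirs,
                       const ExecProbe& isExec) {
    // Names containing '/' are paths, not bare binary names; reject them here.
    if (name.empty() || name.find('/') != std::string::npos) return "";
    for (const auto& dir : pathDirs) {
        if (dir.empty()) continue;
        const std::string candidate = dir + "/" + name;
        if (isExec(candidate)) return candidate;
    }
    return "";
}

// The lookup the advisory describes: PATH first, then the working directory.
// When the working directory is the opened document's folder, a PATH miss
// turns into executing whatever file of that name sits beside the document.
std::string resolveWithCwdFallback(const std::string& name,
                                   const std::vector<std::string>& pathDirs,
                                   const std::string& cwd,
                                   const ExecProbe& isExec) {
    const std::string hit = findInPath(name, pathDirs, isExec);
    if (!hit.empty()) return hit;
    const std::string candidate = cwd + "/" + name;
    return isExec(candidate) ? candidate : "";
}

// Constructed model (not a real system): "svn" is installed, "git" is not,
// and a file named "git" has been placed in the document directory.
ExecProbe constructedProbe() {
    static const std::set<std::string> files = {"/usr/bin/svn",
                                                "/home/user/docs/git"};
    return [](const std::string& p) { return files.count(p) != 0; };
}
```

With PATH set to /usr/bin and /bin and the working directory set to /home/user/docs, the hardened lookup returns "" for "git" (so nothing is run), while the fallback lookup returns /home/user/docs/git.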
Note that we don't need to patch Kate given we've patched KTextEditor, as per advisory. Patches are simpler for KTextEditor too.
The bug has been referenced in the following commit(s):
Author: Andreas Sturmlechner <email@example.com>
AuthorDate: 2022-02-10 08:20:49 +0000
Commit: Andreas Sturmlechner <firstname.lastname@example.org>
CommitDate: 2022-02-10 09:11:01 +0000
kde-frameworks/ktexteditor: drop 5.88.0*
Signed-off-by: Andreas Sturmlechner <email@example.com>
kde-frameworks/ktexteditor/Manifest | 1 -
.../ktexteditor-5.88.0-revert-invoke-always.patch | 36 -------------
.../ktexteditor/ktexteditor-5.88.0-r1.ebuild | 63 ----------------------
3 files changed, 100 deletions(-)
kde proj is done here.
*** Bug 833152 has been marked as a duplicate of this bug. ***
*** Bug 833153 has been marked as a duplicate of this bug. ***