Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 933342 (CVE-2024-36041) - <kde-plasma/plasma-workspace-5.27.11.1:5, <kde-plasma/plasma-workspace-6.0.90-r1:6: ksmserver: Unauthorized users can access session manager
Summary: <kde-plasma/plasma-workspace-5.27.11.1:5, <kde-plasma/plasma-workspace-6.0.90...
Status: RESOLVED FIXED
Alias: CVE-2024-36041
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://kde.org/info/security/advisor...
Whiteboard: B1 [glsa+]
Keywords:
Depends on: 933647
Blocks:
  Show dependency tree
 
Reported: 2024-06-01 07:15 UTC by Andreas Sturmlechner
Modified: 2024-07-06 06:45 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Sturmlechner gentoo-dev 2024-06-01 07:15:04 UTC
Overview
========
KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE
based purely on the host, allowing all local connections. This allows
another user on the same machine to gain access to the session
manager.

A well crafted client could use the session restore feature to execute
arbitrary code as the user on the next boot.
Comment 1 Larry the Git Cow gentoo-dev 2024-06-07 16:18:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f102a34bb6339a5ee03f9a4a7b381dc6c0abf300

commit f102a34bb6339a5ee03f9a4a7b381dc6c0abf300
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-06-07 16:08:45 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-06-07 16:16:43 +0000

    kde-plasma/plasma-workspace: drop 5.27.11, 5.27.11.1
    
    Bug: https://bugs.gentoo.org/933342
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-plasma/plasma-workspace/Manifest               |   1 -
 .../plasma-workspace-5.27.11.1.ebuild              | 233 ---------------------
 .../plasma-workspace-5.27.11.ebuild                | 233 ---------------------
 3 files changed, 467 deletions(-)
Comment 2 Andreas Sturmlechner gentoo-dev 2024-06-07 16:25:38 UTC
Cleanup done, thanks everyone.
Comment 3 Larry the Git Cow gentoo-dev 2024-07-06 06:45:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=ff64c164b3070caa6ec2bf19cbea6d9083251e93

commit ff64c164b3070caa6ec2bf19cbea6d9083251e93
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-06 06:45:04 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-06 06:45:13 +0000

    [ GLSA 202407-20 ] KDE Plasma Workspaces: Privilege Escalation
    
    Bug: https://bugs.gentoo.org/933342
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-20.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)