Bug 678170 (CVE-2019-7443) - <kde-frameworks/kauth-5.54.0-r1: Insecure handling of arguments in helpers
Status: RESOLVED FIXED
Alias: CVE-2019-7443
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://mail.kde.org/pipermail/kde-an...
Whiteboard: B3 [noglsa cve]
 
Reported: 2019-02-16 18:25 UTC by Andreas Sturmlechner
Modified: 2019-03-10 03:51 UTC

Package list:
kde-frameworks/kauth-5.54.0-r1
Runtime testing required: ---
stable-bot: sanity-check+

Description Andreas Sturmlechner gentoo-dev 2019-02-16 18:25:50 UTC
KDE Project Security Advisory
=============================

Title:          kauth: Insecure handling of arguments in helpers
Risk Rating:    Medium
CVE:            CVE-2019-7443
Versions:       KDE Frameworks < 5.55.0
Date:           9 February 2019


Overview
========
KAuth allows passing parameters with arbitrary types to helpers running as root
over DBus. Certain types can cause crashes and trigger decoding arbitrary
images with dynamically loaded plugins.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7443
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-17 22:37:11 UTC
x86 stable
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-02-18 06:17:35 UTC
amd64 stable
Comment 3 Larry the Git Cow gentoo-dev 2019-02-18 10:54:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e037d56b2b07aeffbf1117893f706b51338cf94e

commit e037d56b2b07aeffbf1117893f706b51338cf94e
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-02-18 09:01:20 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-02-18 10:53:55 +0000

    kde-frameworks/kauth: Security cleanup
    
    Bug: https://bugs.gentoo.org/678170
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 kde-frameworks/kauth/kauth-5.54.0.ebuild | 41 --------------------------------
 1 file changed, 41 deletions(-)
Comment 4 Andreas Sturmlechner gentoo-dev 2019-02-18 15:14:12 UTC
Cleanup done, KDE team out.