Bug 832447 (CVE-2022-23853) - <kde-frameworks/ktexteditor-5.90.0-r2: Missing validation of binaries executed by QProcess
Summary: <kde-frameworks/ktexteditor-5.90.0-r2: Missing validation of binaries execute...
Status: RESOLVED FIXED
Alias: CVE-2022-23853
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal (vote)
Assignee: Gentoo Security
URL: https://kde.org/info/security/advisor...
Whiteboard: B2 [glsa+]
Keywords:
Duplicates: 833152 833153 (view as bug list)
Depends on: frameworks-5.90-stable
Blocks: 833154
Reported: 2022-01-31 20:14 UTC by Sam James
Modified: 2024-01-15 15:44 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-31 20:14:40 UTC
https://kde.org/info/security/advisory-20220131-1.txt:

```
KTextEditor and Kate execute binaries without user interaction in a few cases.

Some examples are:

- KTextEditor will try to check on external file modification via invoking the "git" binary if the file is known in the repository with the new content.
- Kate will execute the LSP (language server protocol) server associated with the mime type of the files you open if the LSP plugin is active
- Kate will execute "git", "svn" and other version control tools on document open to retrieve project information if the project plugin is active

KTextEditor & Kate use QProcess for this process invocation.

The typical pattern is like:

QProcess p;
p.setWorkingDirectory(xxx); // in some cases
p.start("binaryname", args);

As the binary name is in most cases passed as a non-absolute executable name, QProcess will execute a "binaryname" named executable
from the working directory (implicit that of the application or explicit that one set by setWorkingDirectory), if no matching executable is found
in the normal search path (PATH).

This allows attackers to put malicious executables with the right name for example in the document directory.
If the wanted executable is not in the search path, the malicious one will be executed.

Impact
======

Opening files might lead to the execution of malicious binaries if they are placed in the right directories.
```
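The lookup behaviour the advisory describes, side by side with the hardened alternative, as an added illustration that is not part of the bug report, the KDE advisory, or KTextEditor's own code. It models (without Qt, so it compiles stand-alone) the difference between "PATH, then fall back to the working directory" and "PATH only, otherwise do not start anything". The `findExecutableInPath` contract matches what `QStandardPaths::findExecutable()` does with its default search list; the file names, directories and the `legacyLookup` model of `QProcess::start("binaryname")` are constructed assumptions for the demonstration:

```cpp
#include <functional>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Predicate: "does an executable exist at this absolute path?". Injected so the
// lookup logic can be exercised against a constructed fake filesystem.
using ExistsFn = std::function<bool(const std::string&)>;

// Split a POSIX PATH string on ':'. Empty entries are dropped: to a shell an
// empty entry means "current directory", which is exactly the fallback this
// hardening exists to avoid.
std::vector<std::string> splitPath(const std::string& pathEnv) {
    std::vector<std::string> dirs;
    std::string cur;
    for (char c : pathEnv) {
        if (c == ':') {
            if (!cur.empty()) dirs.push_back(cur);
            cur.clear();
        } else {
            cur += c;
        }
    }
    if (!cur.empty()) dirs.push_back(cur);
    return dirs;
}

// Resolve a bare program name against PATH only. Returns "" when the name is
// not a bare file name (contains '/') or no PATH directory holds it. This is
// the contract of QStandardPaths::findExecutable() with its default search
// list: the working directory is never consulted.
std::string findExecutableInPath(const std::string& name, const std::string& pathEnv,
                                 const ExistsFn& exists) {
    if (name.empty() || name.find('/') != std::string::npos) return "";
    for (const std::string& dir : splitPath(pathEnv)) {
        const std::string candidate = dir + "/" + name;
        if (exists(candidate)) return candidate;
    }
    return "";
}

// Model (assumption, not Qt code) of the lookup the advisory describes for
// QProcess::start("binaryname"): PATH first, then the working directory, whether
// set explicitly via setWorkingDirectory() or implicitly the application's.
std::string legacyLookup(const std::string& name, const std::string& pathEnv,
                         const std::string& workingDir, const ExistsFn& exists) {
    std::string hit = findExecutableInPath(name, pathEnv, exists);
    if (hit.empty() && !name.empty() && name.find('/') == std::string::npos) {
        const std::string candidate = workingDir + "/" + name;
        if (exists(candidate)) hit = candidate;
    }
    return hit;
}

// Hardened decision: the absolute path to hand to QProcess::start(), or ""
// meaning "start nothing" (skip the git/svn/LSP integration and log it rather
// than let the process API guess where the binary lives).
std::string hardenedLookup(const std::string& name, const std::string& pathEnv,
                           const ExistsFn& exists) {
    return findExecutableInPath(name, pathEnv, exists);
}

// Constructed fake filesystem: the real git is NOT installed, but a file named
// "git" sits in the directory of the document being opened.
ExistsFn constructedFs() {
    static const std::set<std::string> files = {
        "/usr/bin/svn",
        "/home/user/docs/git",   // attacker-placed file next to the document
    };
    return [](const std::string& p) { return files.count(p) != 0; };
}

int main() {
    const std::string path = "/usr/local/bin:/usr/bin";
    const std::string docDir = "/home/user/docs";
    std::cout << "legacy   git -> '" << legacyLookup("git", path, docDir, constructedFs()) << "'\n";
    std::cout << "hardened git -> '" << hardenedLookup("git", path, constructedFs()) << "'\n";
    std::cout << "hardened svn -> '" << hardenedLookup("svn", path, constructedFs()) << "'\n";
    return 0;
}
```

With git absent from PATH, the legacy model resolves `git` to the file in the document directory, while the hardened lookup returns nothing and the caller simply does not spawn a process; a tool that is actually installed (`svn` here) resolves identically under both.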
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-31 20:15:35 UTC
Note that we don't need to patch Kate given we've patched KTextEditor, as per advisory. Patches are simpler for KTextEditor too.
Comment 2 Larry the Git Cow gentoo-dev 2022-02-10 09:13:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=164f9ef42c0fd49cab16b428e75b47e92327ca50

commit 164f9ef42c0fd49cab16b428e75b47e92327ca50
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-02-10 08:20:49 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-02-10 09:11:01 +0000

    kde-frameworks/ktexteditor: drop 5.88.0*
    
    Bug: https://bugs.gentoo.org/832447
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-frameworks/ktexteditor/Manifest                |  1 -
 .../ktexteditor-5.88.0-revert-invoke-always.patch  | 36 -------------
 .../ktexteditor/ktexteditor-5.88.0-r1.ebuild       | 63 ----------------------
 3 files changed, 100 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2022-02-10 09:14:40 UTC
kde proj is done here.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-16 18:40:55 UTC
*** Bug 833152 has been marked as a duplicate of this bug. ***
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-16 18:41:04 UTC
*** Bug 833153 has been marked as a duplicate of this bug. ***
Comment 6 Larry the Git Cow gentoo-dev 2024-01-15 15:43:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e942b106d11d2a5ee17ed381e8b9a59583355b52

commit e942b106d11d2a5ee17ed381e8b9a59583355b52
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-15 15:42:22 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-15 15:42:48 +0000

    [ GLSA 202401-21 ] KTextEditor: Arbitrary Local Code Execution
    
    Bug: https://bugs.gentoo.org/832447
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-21.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)