| Summary: | kde-workspace new security issue CVE-2014-8651 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Luc Menut <lmenut> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | luigiwalser, sysadmin-bugs, wilcal.int |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/619817/ | ||
| Whiteboard: | MGA3-32-OK MGA3-64-OK advisory | ||
| Source RPM: | kdebase4-workspace-4.10.5-1.1.mga3.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 3310, 9086, 11050 | ||
Description
Luc Menut
2014-11-08 12:32:41 CET
Luc Menut
2014-11-08 13:04:14 CET
Blocks:
(none) =>
3310, 9086, 11050

Packages for Mageia 3 update:

kdebase4-workspace-4.10.5-1.2.mga3
kdebase4-workspace-devel-4.10.5-1.2.mga3
kdebase4-workspace-handbooks-4.10.5-1.2.mga3
kdebase4-workspace-plasma-config-4.10.5-1.2.mga3
kded_randrmonitor-4.10.5-1.2.mga3
kdm-4.10.5-1.2.mga3
kdm-handbook-4.10.5-1.2.mga3
kinfocenter-4.10.5-1.2.mga3
kinfocenter-handbook-4.10.5-1.2.mga3
libkdecorations4-4.10.5-1.2.mga3
libkephal4-4.10.5-1.2.mga3
libkfontinst4-4.10.5-1.2.mga3
libkfontinstui4-4.10.5-1.2.mga3
libkhotkeysprivate4-4.10.5-1.2.mga3
libkscreensaver5-4.10.5-1.2.mga3
libksgrd4-4.10.5-1.2.mga3
libksignalplotter4-4.10.5-1.2.mga3
libkwineffects1-4.10.5-1.2.mga3
libkwinglesutils1-4.10.5-1.2.mga3
libkwinglutils1-4.10.5-1.2.mga3
libkwinnvidiahack4-4.10.5-1.2.mga3
libkworkspace4-4.10.5-1.2.mga3
liblsofui4-4.10.5-1.2.mga3
liboxygenstyle4-4.10.5-1.2.mga3
liboxygenstyleconfig4-4.10.5-1.2.mga3
libplasma_applet_system_monitor4-4.10.5-1.2.mga3
libplasmaclock4-4.10.5-1.2.mga3
libplasmagenericshell4-4.10.5-1.2.mga3
libplasma-geolocation-interface4-4.10.5-1.2.mga3
libpowerdevilconfigcommonprivate4-4.10.5-1.2.mga3
libpowerdevilcore0-4.10.5-1.2.mga3
libpowerdevilui4-4.10.5-1.2.mga3
libprocesscore4-4.10.5-1.2.mga3
libprocessui4-4.10.5-1.2.mga3
libsolidcontrol4-4.10.5-1.2.mga3
libsolidcontrolifaces4-4.10.5-1.2.mga3
libsystemsettingsview2-4.10.5-1.2.mga3
libtaskmanager4-4.10.5-1.2.mga3
libweather_ion6-4.10.5-1.2.mga3
plasma-applet-battery-4.10.5-1.2.mga3
plasma-applet-calendar-4.10.5-1.2.mga3
plasma-applet-quicklaunch-4.10.5-1.2.mga3
plasma-applet-system-monitor-cpu-4.10.5-1.2.mga3
plasma-applet-system-monitor-hdd-4.10.5-1.2.mga3
plasma-applet-system-monitor-hwinfo-4.10.5-1.2.mga3
plasma-applet-system-monitor-net-4.10.5-1.2.mga3
plasma-applet-system-monitor-temperature-4.10.5-1.2.mga3
plasma-applet-webbrowser-4.10.5-1.2.mga3
plasma-krunner-nepomuk-4.10.5-1.2.mga3
plasma-krunner-powerdevil-4.10.5-1.2.mga3
plasma-runner-places-4.10.5-1.2.mga3
plasma-scriptengine-python-4.10.5-1.2.mga3
plasma-scriptengine-ruby-4.10.5-1.2.mga3

from kdebase4-workspace 4.10.5-1.2.mga3

Assignee:
bugsquad =>
qa-bugs

Luc, do you know how to test this issue? I see that kcmshell4 has an --args option, and I see in the code that it uses ntpUtility, ntpServers, and ntpEnabled args, but I can't figure out exactly how to pass them such that it has any noticeable effect. Things like kcmshell4 clock --args "ntpEnabled=true", or kcmshell4 clock --args "--ntpEnabled=true" don't seem to work.

CC:
(none) =>
luigiwalser

In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
kdebase4-workspace kdebase4-workspace-plasma-config

default install of kdebase4-workspace & kdebase4-workspace-plasma-config

[root@localhost wilcal]# urpmi kdebase4-workspace
Package kdebase4-workspace-4.10.5-1.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi kdebase4-workspace-plasma-config
Package kdebase4-workspace-plasma-config-4.10.5-1.1.mga3.noarch is already installed

KDE apps work just fine

install kdebase4-workspace & kdebase4-workspace-plasma-config from updates_testing

[root@localhost wilcal]# urpmi kdebase4-workspace
Package kdebase4-workspace-4.10.5-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi kdebase4-workspace-plasma-config
Package kdebase4-workspace-plasma-config-4.10.5-1.2.mga3.noarch is already installed

System reboot and KDE apps work just fine.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC:
(none) =>
wilcal.int

In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
kdebase4-workspace kdebase4-workspace-plasma-config

default install of kdebase4-workspace & kdebase4-workspace-plasma-config

[root@localhost wilcal]# urpmi kdebase4-workspace
Package kdebase4-workspace-4.10.5-1.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi kdebase4-workspace-plasma-config
Package kdebase4-workspace-plasma-config-4.10.5-1.1.mga3.noarch is already installed

KDE apps work just fine

install kdebase4-workspace & kdebase4-workspace-plasma-config from updates_testing

[root@localhost wilcal]# urpmi kdebase4-workspace
Package kdebase4-workspace-4.10.5-1.2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi kdebase4-workspace-plasma-config
Package kdebase4-workspace-plasma-config-4.10.5-1.2.mga3.noarch is already installed

System reboot and KDE apps work just fine.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

Seems ok to me David. If it's ok with you I'll validate it.

Go ahead. Thanks William.

Suggested advisory:

Updated kdebase4-workspace packages fix security vulnerability and various bugs

This update fixes a security vulnerability in the KDE workspace configuration module for setting the date and time - CVE-2014-8651 - (mga#14487), and fixes some additional issues:
- fix kcm botching unrelated user settings (mga#3310, bko#254430),
- do not popup during initialization 0 B Removable media (mga#11050, bko#318061),
- fix new graphical session numbers (mga#9086).
References:
https://bugs.mageia.org/show_bug.cgi?id=14487
https://www.kde.org/info/security/advisory-20141106-1.txt
https://bugs.mageia.org/show_bug.cgi?id=3310
https://bugs.mageia.org/show_bug.cgi?id=9086
https://bugs.mageia.org/show_bug.cgi?id=11050

===========================================================

src.rpm:
kdebase4-workspace-4.10.5-1.2.mga3.src.rpm

packages for i586:
kdebase4-workspace-4.10.5-1.2.mga3.i586.rpm
kdebase4-workspace-devel-4.10.5-1.2.mga3.i586.rpm
kdebase4-workspace-handbooks-4.10.5-1.2.mga3.noarch.rpm
kdebase4-workspace-plasma-config-4.10.5-1.2.mga3.noarch.rpm
kded_randrmonitor-4.10.5-1.2.mga3.i586.rpm
kdm-4.10.5-1.2.mga3.i586.rpm
kdm-handbook-4.10.5-1.2.mga3.noarch.rpm
kinfocenter-4.10.5-1.2.mga3.i586.rpm
kinfocenter-handbook-4.10.5-1.2.mga3.noarch.rpm
libkdecorations4-4.10.5-1.2.mga3.i586.rpm
libkephal4-4.10.5-1.2.mga3.i586.rpm
libkfontinst4-4.10.5-1.2.mga3.i586.rpm
libkfontinstui4-4.10.5-1.2.mga3.i586.rpm
libkhotkeysprivate4-4.10.5-1.2.mga3.i586.rpm
libkscreensaver5-4.10.5-1.2.mga3.i586.rpm
libksgrd4-4.10.5-1.2.mga3.i586.rpm
libksignalplotter4-4.10.5-1.2.mga3.i586.rpm
libkwineffects1-4.10.5-1.2.mga3.i586.rpm
libkwinglesutils1-4.10.5-1.2.mga3.i586.rpm
libkwinglutils1-4.10.5-1.2.mga3.i586.rpm
libkwinnvidiahack4-4.10.5-1.2.mga3.i586.rpm
libkworkspace4-4.10.5-1.2.mga3.i586.rpm
liblsofui4-4.10.5-1.2.mga3.i586.rpm
liboxygenstyle4-4.10.5-1.2.mga3.i586.rpm
liboxygenstyleconfig4-4.10.5-1.2.mga3.i586.rpm
libplasma_applet_system_monitor4-4.10.5-1.2.mga3.i586.rpm
libplasmaclock4-4.10.5-1.2.mga3.i586.rpm
libplasmagenericshell4-4.10.5-1.2.mga3.i586.rpm
libplasma-geolocation-interface4-4.10.5-1.2.mga3.i586.rpm
libpowerdevilconfigcommonprivate4-4.10.5-1.2.mga3.i586.rpm
libpowerdevilcore0-4.10.5-1.2.mga3.i586.rpm
libpowerdevilui4-4.10.5-1.2.mga3.i586.rpm
libprocesscore4-4.10.5-1.2.mga3.i586.rpm
libprocessui4-4.10.5-1.2.mga3.i586.rpm
libsolidcontrol4-4.10.5-1.2.mga3.i586.rpm
libsolidcontrolifaces4-4.10.5-1.2.mga3.i586.rpm
libsystemsettingsview2-4.10.5-1.2.mga3.i586.rpm
libtaskmanager4-4.10.5-1.2.mga3.i586.rpm
libweather_ion6-4.10.5-1.2.mga3.i586.rpm
plasma-applet-battery-4.10.5-1.2.mga3.i586.rpm
plasma-applet-calendar-4.10.5-1.2.mga3.i586.rpm
plasma-applet-quicklaunch-4.10.5-1.2.mga3.i586.rpm
plasma-applet-system-monitor-cpu-4.10.5-1.2.mga3.i586.rpm
plasma-applet-system-monitor-hdd-4.10.5-1.2.mga3.i586.rpm
plasma-applet-system-monitor-hwinfo-4.10.5-1.2.mga3.i586.rpm
plasma-applet-system-monitor-net-4.10.5-1.2.mga3.i586.rpm
plasma-applet-system-monitor-temperature-4.10.5-1.2.mga3.i586.rpm
plasma-applet-webbrowser-4.10.5-1.2.mga3.i586.rpm
plasma-krunner-nepomuk-4.10.5-1.2.mga3.i586.rpm
plasma-krunner-powerdevil-4.10.5-1.2.mga3.i586.rpm
plasma-runner-places-4.10.5-1.2.mga3.i586.rpm
plasma-scriptengine-python-4.10.5-1.2.mga3.i586.rpm
plasma-scriptengine-ruby-4.10.5-1.2.mga3.noarch.rpm

packages for x86_64:
kdebase4-workspace-4.10.5-1.2.mga3.x86_64.rpm
kdebase4-workspace-devel-4.10.5-1.2.mga3.x86_64.rpm
kdebase4-workspace-handbooks-4.10.5-1.2.mga3.noarch.rpm
kdebase4-workspace-plasma-config-4.10.5-1.2.mga3.noarch.rpm
kded_randrmonitor-4.10.5-1.2.mga3.x86_64.rpm
kdm-4.10.5-1.2.mga3.x86_64.rpm
kdm-handbook-4.10.5-1.2.mga3.noarch.rpm
kinfocenter-4.10.5-1.2.mga3.x86_64.rpm
kinfocenter-handbook-4.10.5-1.2.mga3.noarch.rpm
lib64kdecorations4-4.10.5-1.2.mga3.x86_64.rpm
lib64kephal4-4.10.5-1.2.mga3.x86_64.rpm
lib64kfontinst4-4.10.5-1.2.mga3.x86_64.rpm
lib64kfontinstui4-4.10.5-1.2.mga3.x86_64.rpm
lib64khotkeysprivate4-4.10.5-1.2.mga3.x86_64.rpm
lib64kscreensaver5-4.10.5-1.2.mga3.x86_64.rpm
lib64ksgrd4-4.10.5-1.2.mga3.x86_64.rpm
lib64ksignalplotter4-4.10.5-1.2.mga3.x86_64.rpm
lib64kwineffects1-4.10.5-1.2.mga3.x86_64.rpm
lib64kwinglesutils1-4.10.5-1.2.mga3.x86_64.rpm
lib64kwinglutils1-4.10.5-1.2.mga3.x86_64.rpm
lib64kwinnvidiahack4-4.10.5-1.2.mga3.x86_64.rpm
lib64kworkspace4-4.10.5-1.2.mga3.x86_64.rpm
lib64lsofui4-4.10.5-1.2.mga3.x86_64.rpm
lib64oxygenstyle4-4.10.5-1.2.mga3.x86_64.rpm
lib64oxygenstyleconfig4-4.10.5-1.2.mga3.x86_64.rpm
lib64plasma_applet_system_monitor4-4.10.5-1.2.mga3.x86_64.rpm
lib64plasmaclock4-4.10.5-1.2.mga3.x86_64.rpm
lib64plasmagenericshell4-4.10.5-1.2.mga3.x86_64.rpm
lib64plasma-geolocation-interface4-4.10.5-1.2.mga3.x86_64.rpm
lib64powerdevilconfigcommonprivate4-4.10.5-1.2.mga3.x86_64.rpm
lib64powerdevilcore0-4.10.5-1.2.mga3.x86_64.rpm
lib64powerdevilui4-4.10.5-1.2.mga3.x86_64.rpm
lib64processcore4-4.10.5-1.2.mga3.x86_64.rpm
lib64processui4-4.10.5-1.2.mga3.x86_64.rpm
lib64solidcontrol4-4.10.5-1.2.mga3.x86_64.rpm
lib64solidcontrolifaces4-4.10.5-1.2.mga3.x86_64.rpm
lib64systemsettingsview2-4.10.5-1.2.mga3.x86_64.rpm
lib64taskmanager4-4.10.5-1.2.mga3.x86_64.rpm
lib64weather_ion6-4.10.5-1.2.mga3.x86_64.rpm
plasma-applet-battery-4.10.5-1.2.mga3.x86_64.rpm
plasma-applet-calendar-4.10.5-1.2.mga3.x86_64.rpm
plasma-applet-quicklaunch-4.10.5-1.2.mga3.x86_64.rpm
plasma-applet-system-monitor-cpu-4.10.5-1.2.mga3.x86_64.rpm
plasma-applet-system-monitor-hdd-4.10.5-1.2.mga3.x86_64.rpm
plasma-applet-system-monitor-hwinfo-4.10.5-1.2.mga3.x86_64.rpm
plasma-applet-system-monitor-net-4.10.5-1.2.mga3.x86_64.rpm
plasma-applet-system-monitor-temperature-4.10.5-1.2.mga3.x86_64.rpm
plasma-applet-webbrowser-4.10.5-1.2.mga3.x86_64.rpm
plasma-krunner-nepomuk-4.10.5-1.2.mga3.x86_64.rpm
plasma-krunner-powerdevil-4.10.5-1.2.mga3.x86_64.rpm
plasma-runner-places-4.10.5-1.2.mga3.x86_64.rpm
plasma-scriptengine-python-4.10.5-1.2.mga3.x86_64.rpm
plasma-scriptengine-ruby-4.10.5-1.2.mga3.noarch.rpm

For me this update works fine.

Testing complete for mga3 32-bit & 64-bit

Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords:
(none) =>
validated_update

Advisory uploaded.

Whiteboard:
MGA3-32-OK MGA3-64-OK =>
MGA3-32-OK MGA3-64-OK advisory
David Walser
2014-11-13 15:11:13 CET
URL:
https://www.kde.org/info/security/advisory-20141106-1.txt =>
http://lwn.net/Vulnerabilities/619817/

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0445.html

Status:
NEW =>
RESOLVED