| Summary: | kdebase4-runtime new possible security issue CVE-2016-7787 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, jim, kde, mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/703329/ | ||
| Whiteboard: | MGA5-64-OK | ||
| Source RPM: | kdebase4-runtime-4.14.3-5.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2016-09-29 13:47:39 CEST
already fixed in plasma 5.7.95

New package in mga5 updates_testing.

CC: (none) => mageia

openSUSE has issued an advisory for this on October 11:
https://lists.opensuse.org/opensuse-updates/2016-10/msg00034.html

URL: (none) => http://lwn.net/Vulnerabilities/703329/
David Walser
2016-12-30 23:40:33 CET
Depends on: (none) => 17123
David Walser
2017-08-20 22:37:52 CEST
Depends on: 17123 => (none)

Nicolas committed the patch to fix this but never built it.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated kdebase4-runtime packages fix security vulnerability:

A user could sneak a Unicode string terminator in the kdesu invocation, which could hide the fact that more commands could be executed (CVE-2016-7787).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7787
http://openwall.com/lists/oss-security/2016/09/29/7
https://lists.opensuse.org/opensuse-updates/2016-10/msg00034.html
========================

Updated packages in core/updates_testing:
========================
kdebase4-runtime-4.14.3-5.1.mga5
khelpcenter-4.14.3-5.1.mga5
khelpcenter-handbook-4.14.3-5.1.mga5
kdebase4-runtime-handbook-4.14.3-5.1.mga5
kwallet-daemon-4.14.3-5.1.mga5
libkwalletbackend4-4.14.3-5.1.mga5
libmolletnetwork4-4.14.3-5.1.mga5
kdebase4-runtime-devel-4.14.3-5.1.mga5

from kdebase4-runtime-4.14.3-5.1.mga5.src.rpm

CC: (none) => kde

on mga5-64

packages installed cleanly:
- kdebase4-runtime-4.14.3-5.1.mga5.x86_64
- kdebase4-runtime-handbook-4.14.3-5.1.mga5.noarch
- khelpcenter-4.14.3-5.1.mga5.x86_64
- khelpcenter-handbook-4.14.3-5.1.mga5.noarch
- kwallet-daemon-4.14.3-5.1.mga5.x86_64
- lib64kwalletbackend4-4.14.3-5.1.mga5.x86_64
- lib64molletnetwork4-4.14.3-5.1.mga5.x86_64

Have had this running for two days, using a variety of commonly used applications. No regressions noted.

Looks OK for mga5-64. However, I do not use kwallet, and so perhaps should be tested by someone who does.

CC: (none) => jim

Testing Mageia 5 x64.

kdebase4-runtime-4.14.3-5.1.mga5
kdebase4-runtime-handbook-4.14.3-5.1.mga5
khelpcenter-4.14.3-5.1.mga5
khelpcenter-handbook-4.14.3-5.1.mga5
kwallet-daemon-4.14.3-5.1.mga5
lib64kwalletbackend4-4.14.3-5.1.mga5
lib64molletnetwork4-4.14.3-5.1.mga5

I have had this update in use for some hours. For the first session, among other things I did quite a lot of KDE configuration. Soon after, it froze. This seems from the mailing list to be a known - if occasional - problem, which I am hence not attributing to this update. I re-started the X-server (Ctrl/Backspace/Backspace), and have been running fine ever since.

Seconding James' 64-bit M5 OK, but wait a bit for others.

CC: (none) => lewyssmith

Keep in mind that this update only impacts kdesu.

First I've even heard of kdesu, so I did a little research. Looks like it could be a handy thing to have.

After installing the update, I placed a link to /lib64/kde4/libexec/kdesu in /usr/bin to make the command easier to use. I then started dolphin, kwrite, Okular, and Firefox as root, using the kdesu command. I did not try any of the other options.

Everything seemed to work as it should. The apps all opened with root privileges. Going to tentatively put a 64-bit OK in the Whiteboard. If further testing is needed, I'll give it a shot, but I'll need instructions.

CC: (none) => andrewsfarm

Thanks TJ - a good investigation. I tried it also, but difficult to know that <whatever> was running with root privileges. Via kdesu, created a file using Leafpad and checked its permissions with Dolphin: owned by root. Weakly confirms TJ.

Validating as the update is M5 only, test x64.

Keywords: (none) => validated_update

Easiest to tell if you run Dolphin. If running as root, mine opens in /root, which is root's "home" directory. When dolphin is opened by a user, /root cannot be accessed.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0473.html

Status: NEW => RESOLVED