| Summary: | kauth, kdelibs4 new security issue CVE-2017-8422 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | jim, lewyssmith, mageia, mageia, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | advisory MGA5-64-OK mga5-32-ok | ||
| Source RPM: | kdelibs4-4.14.30-1.mga5.src.rpm, kauth-5.5.0-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Attachments: | list of packages | ||
|
Description
David Walser
2017-05-13 19:08:41 CEST
pushed in updates_testing
src.rpm:
kauth-5.5.0-1.1.mga5
kdelibs4-4.14.30-1.1.mga5

Assignee: kde => qa-bugs

Advisory:
========================

Updated kauth and kdelibs4 packages fix security vulnerability:

Sebastian Krahmer from SUSE discovered that the KAuth framework contains a logic flaw in which the service invoking dbus is not properly checked. This flaw allows spoofing the identity of the caller and gaining root privileges from an unprivileged account (CVE-2017-8422).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8422
https://www.kde.org/info/security/advisory-20170510-1.txt
https://www.debian.org/security/2017/dsa-3849
========================

Updated packages in core/updates_testing:
========================
libkde3support4-4.14.30-1.1.mga5
libkdecore5-4.14.30-1.1.mga5
libkdefakes5-4.14.30-1.1.mga5
libkdesu5-4.14.30-1.1.mga5
libkdeui5-4.14.30-1.1.mga5
libkdnssd4-4.14.30-1.1.mga5
libkfile4-4.14.30-1.1.mga5
libkhtml5-4.14.30-1.1.mga5
libkimproxy4-4.14.30-1.1.mga5
libkio5-4.14.30-1.1.mga5
libkjsembed4-4.14.30-1.1.mga5
libkjs4-4.14.30-1.1.mga5
libkmediaplayer4-4.14.30-1.1.mga5
libnepomuk4-4.14.30-1.1.mga5
libknewstuff2_4-4.14.30-1.1.mga5
libknotifyconfig4-4.14.30-1.1.mga5
libkntlm4-4.14.30-1.1.mga5
libkdeclarative5-4.14.30-1.1.mga5
libkparts4-4.14.30-1.1.mga5
libkrosscore4-4.14.30-1.1.mga5
libkrossui4-4.14.30-1.1.mga5
libktexteditor4-4.14.30-1.1.mga5
libkunittest4-4.14.30-1.1.mga5
libkutils4-4.14.30-1.1.mga5
libsolid4-4.14.30-1.1.mga5
libthreadweaver4-4.14.30-1.1.mga5
libkpty4-4.14.30-1.1.mga5
libkjsapi4-4.14.30-1.1.mga5
libplasma3-4.14.30-1.1.mga5
libkunitconversion4-4.14.30-1.1.mga5
libnepomukquery4-4.14.30-1.1.mga5
libkdewebkit5-4.14.30-1.1.mga5
libknewstuff3_4-4.14.30-1.1.mga5
libkcmutils4-4.14.30-1.1.mga5
libkprintutils4-4.14.30-1.1.mga5
libkidletime4-4.14.30-1.1.mga5
libkemoticons4-4.14.30-1.1.mga5
libnepomukutils4-4.14.30-1.1.mga5
kdelibs4-core-4.14.30-1.1.mga5
kdelibs4-handbooks-4.14.30-1.1.mga5
kdelibs4-devel-4.14.30-1.1.mga5
kauth-5.5.0-1.1.mga5
libkf5auth5-5.5.0-1.1.mga5
libkf5auth-devel-5.5.0-1.1.mga5

from SRPMS:
kdelibs4-4.14.30-1.1.mga5.src.rpm
kauth-5.5.0-1.1.mga5.src.rpm

On mga5-64
Installed all of the packages listed in comment#2
Tested a wide variety of applications.
No regressions observed.
OK for mga5-64

Whiteboard: (none) => MGA5-64-OK

Created attachment 9602
list of packages

The packages referred to in comment#3

Packages installed without issues.
Using a Plasma session for several hours now, with plenty of KDE applications used without noticeable regressions.

System: Mageia 5, Intel x86_64 CPU, Plasma using OpenGL composition, nVidia GPU with the nvidia340 proprietary driver.

    # uname -a
    Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

    # journalctl -b 0 | grep RPM.*install
    Ago 16 13:03:25 marte [RPM][3743]: install lib64solid4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:25 marte [RPM][3743]: install lib64kjs4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:25 marte [RPM][3743]: install lib64ktexteditor4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:26 marte [RPM][3743]: install lib64kdeui5-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:26 marte [RPM][3743]: install lib64kjsembed4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:26 marte [RPM][3743]: install lib64kntlm4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:26 marte [RPM][3743]: install lib64krosscore4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:26 marte [RPM][3743]: install lib64nepomukquery4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:27 marte [RPM][3743]: install lib64kfile4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:27 marte [RPM][3743]: install lib64khtml5-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:27 marte [RPM][3743]: install lib64kemoticons4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:27 marte [RPM][3743]: install lib64kio5-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:27 marte [RPM][3743]: install lib64nepomukutils4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:27 marte [RPM][3743]: install lib64nepomuk4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:28 marte [RPM][3743]: install lib64kdecore5-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:28 marte [RPM][3743]: install lib64kparts4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:37 marte [RPM][3743]: install kdelibs4-core-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:37 marte [RPM][3743]: install lib64kf5auth5-5.5.0-1.1.mga5.x86_64: success
    Ago 16 13:03:45 marte [RPM][3743]: install lib64kpty4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:45 marte [RPM][3743]: install lib64kde3support4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:45 marte [RPM][3743]: install lib64kprintutils4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:45 marte [RPM][3743]: install lib64kcmutils4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:45 marte [RPM][3743]: install lib64kunitconversion4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:45 marte [RPM][3743]: install lib64knotifyconfig4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:45 marte [RPM][3743]: install lib64kdeclarative5-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:46 marte [RPM][3743]: install lib64knewstuff2_4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:46 marte [RPM][3743]: install lib64kdnssd4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:46 marte [RPM][3743]: install lib64knewstuff3_4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:46 marte [RPM][3743]: install lib64kdewebkit5-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:46 marte [RPM][3743]: install lib64threadweaver4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:46 marte [RPM][3743]: install lib64plasma3-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:46 marte [RPM][3743]: install lib64kdesu5-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:46 marte [RPM][3743]: install lib64kjsapi4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:03:46 marte [RPM][3743]: install lib64kidletime4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:04:21 marte [RPM][3743]: install lib64kmediaplayer4-2:4.14.30-1.1.mga5.x86_64: success
    Ago 16 13:04:21 marte [RPM][3743]: install lib64kdefakes5-2:4.14.30-1.1.mga5.x86_64: success

CC: (none) => mageia

On mga5-32 in a vbox VM
Installed all of the packages
Tested a variety of applications
No regressions noted
OK for mga5-32 in a vbox VM

Added the 32-bit OK for Jim. Thanks to you & PC_LX for these tests.

Validating, advisory to follow.

Keywords: (none) => validated_update

Rémi Verschelde
2017-08-16 23:23:42 CEST
Whiteboard: MGA5-64-OK mga5-32-ok => advisory MGA5-64-OK mga5-32-ok

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0274.html

Status: NEW => RESOLVED |
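
To confirm that a Mageia 5 host carries the fixed builds named in the advisory above, the following added example (not part of this bug report or of Mageia's tooling) flags installed packages that are older than those builds. It assumes input lines in the form printed by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, checks only a subset of the package names listed above, ignores epochs, and uses a simplified version of rpm's segment comparison; the function names and sample lines are constructed for illustration.

```python
import re

# Fixed builds from the advisory on this page (subset of the package names).
FIXED = dict.fromkeys(
    ("kdelibs4-core", "libkdecore5", "libkdeui5", "libkio5"), "4.14.30-1.1.mga5")
FIXED.update(dict.fromkeys(("kauth", "libkf5auth5"), "5.5.0-1.1.mga5"))

def rpmvercmp(a, b):
    """Simplified rpm segment comparison (no '~' or '^' rules): -1, 0 or 1."""
    while a or b:
        # Separators carry no weight; only alphanumeric runs are compared.
        a, b = (re.sub(r"^[^A-Za-z0-9]+", "", s) for s in (a, b))
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        sa, mb = re.match(pat, a).group(), re.match(pat, b)
        if mb is None:  # run types differ: a numeric run beats an alphabetic one
            return 1 if numeric else -1
        a, b = a[len(sa):], b[mb.end():]
        ka, kb = (int(sa), int(mb.group())) if numeric else (sa, mb.group())
        if ka != kb:
            return 1 if ka > kb else -1
    return bool(a) - bool(b)

def evr_cmp(x, y):
    """Compare 'version-release' strings: version first, then release."""
    (xv, xr), (yv, yr) = x.rsplit("-", 1), y.rsplit("-", 1)
    return rpmvercmp(xv, yv) or rpmvercmp(xr, yr)

def outdated(lines):
    """Return (name, installed, fixed) for listed packages below the fixed build."""
    hits = []
    for line in lines:
        name, vr = line.split()
        fixed = FIXED.get(re.sub(r"^lib64", "lib", name))  # x86_64 lib naming
        if fixed and evr_cmp(vr, fixed) < 0:
            hits.append((name, vr, fixed))
    return hits

# Constructed sample, in the form printed by:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = ["lib64kdecore5 4.14.30-1.mga5", "lib64kf5auth5 5.5.0-1.1.mga5",
          "kdelibs4-core 4.14.30-1.1.mga5", "kauth 5.5.0-1.mga5", "bash 4.3-48.mga5"]

if __name__ == "__main__":
    for name, have, need in outdated(SAMPLE):
        print(f"{name}: {have} installed, {need} or later required")
```

The release comparison matters here: the fixed release `1.1.mga5` differs from the previous `1.mga5` only in a numeric segment that a plain string comparison would order incorrectly.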