Bug 24334

Summary: kauth new security issue CVE-2019-7443
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, herman.viaene, mageia, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: kauth-5.54.0-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-02-09 21:43:54 CET 
KDE has issued an advsiory today (February 9):
https://www.kde.org/info/security/advisory-20190209-1.txt

The issue is fixed upstream in 5.55 and in the commit linked from the advisory.

Mageia 6 is also affected.
David Walser 2019-02-09 21:44:01 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Nicolas Lécureuil 2019-02-09 22:27:16 CET 
src.rpm: kauth-5.42.0-1.1.mga6

rpms:

kauth-5.42.0-1.1.mga6
lib{64}kf5auth5-5.42.0-1.1.mga6
lib{64}kf5auth-devel-5.42.0-1.1.mga6
kauth-debuginfo-5.42.0-1.1.mga6

Advisory:

KAuth allows to pass parameters with arbitrary types to helpers running as root
over DBus. Certain types can cause crashes and trigger decoding arbitrary
images with dynamically loaded plugins.

CC: (none) => mageia

Nicolas Lécureuil 2019-02-09 22:27:35 CET

Assignee: kde => qa-bugs

Thomas Backlund 2019-02-10 17:27:44 CET

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
CC: (none) => tmb

Comment 2 Herman Viaene 2019-02-11 12:03:51 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Found bug 20843 as previous update, but "Tested a wide variety of applications." is not really much info.
# urpmq --whatrequires kauth
kauth
kwallet
kwallet
kwallet

So I installed kwallet and kwalletmanager5, but running this GUI with strace nor 

$ strace -o kauth.txt kwallet-query -lv kauthtest
timer event
standby opening wallet  "kauthtest"
org.kde.kwindowsystem: Could not find any platform plugin
testkauth (this is an item I created in the wallet)

 created any usage of kauth apart from references to the messages.
Giving up, I don't want to run a full Plasma install on this old slow laptop.

CC: (none) => herman.viaene

Comment 3 Dave Hodgins 2019-02-14 08:55:38 CET 
It's used by any kde program that requires root authority to run.

Tested by selecting Tools/System Tools/KDE Partition Manager.

Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 4 Mageia Robot 2019-02-14 09:40:25 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0083.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED