A CVE has been issued for a security issue fixed upstream in kde-cli-tools:
Cauldron should have this fix soon if it doesn't have it already.
kdesu is in kdebase4-runtime in Mageia 5 and may also be affected.
Already fixed in Plasma 5.7.95.
New package in mga5 updates_testing.
openSUSE has issued an advisory for this on October 11:
Nicolas committed the patch to fix this but never built it.
Patched package uploaded for Mageia 5.
Updated kdebase4-runtime packages fix security vulnerability:
A user could sneak a Unicode string terminator into the kdesu invocation, which
could hide the fact that more commands would be executed (CVE-2016-7787).
Updated packages in core/updates_testing:
packages installed cleanly:
Have had this running for two days, using a variety of commonly used applications
No regressions noted. Looks OK for mga5-64
However, I do not use kwallet, so perhaps it should be tested by someone who does.
Testing Mageia 5 x64.
I have had this update in use for some hours. For the first session, among other things, I did quite a lot of KDE configuration. Soon after, it froze. From the mailing list this seems to be a known, if occasional, problem, which I am therefore not attributing to this update. I restarted the X server (Ctrl/Backspace/Backspace) and have been running fine ever since.
Seconding James' 64-bit M5 OK, but wait a bit for others.
Keep in mind that this update only impacts kdesu.
First I've even heard of kdesu, so I did a little research. Looks like it could be a handy thing to have.
After installing the update, I placed a link to /lib64/kde4/libexec/kdesu in /usr/bin to make the command easier to use.
I then started dolphin, kwrite, Okular, and Firefox as root, using the kdesu command. I did not try any of the other options.
Everything seemed to work as it should. The apps all opened with root privileges.
Going to tentatively put a 64-bit OK in the Whiteboard. If further testing is needed, I'll give it a shot, but I'll need instructions.
Thanks TJ - a good investigation. I tried it also, but difficult to know that <whatever> was running with root privileges. Via kdesu, created a file using Leafpad and checked its permissions with Dolphin: owned by root.
Weakly confirms TJ. Validating as the update is M5 only, test x64.
Easiest to tell if you run Dolphin. If running as root, mine opens in /root, which is root's "home" directory. When dolphin is opened by a user, /root cannot be accessed.
An update for this issue has been pushed to the Mageia Updates repository.