Bug 19488 - kdebase4-runtime new possible security issue CVE-2016-7787
Summary: kdebase4-runtime new possible security issue CVE-2016-7787
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/703329/
Whiteboard: MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2016-09-29 13:47 CEST by David Walser
Modified: 2017-12-31 01:11 CET (History)
5 users (show)

See Also:
Source RPM: kdebase4-runtime-4.14.3-5.mga5.src.rpm
Status comment:


Description David Walser 2016-09-29 13:47:39 CEST
A CVE has been issued for a security issue fixed upstream in kde-cli-tools:

Cauldron should have this fix soon if it doesn't have it already.

kdesu is in kdebase4-runtime in Mageia 5 and may also be affected.
Comment 1 Nicolas Lécureuil 2016-09-29 15:22:53 CEST
already fixed in plasma 5.7.95
New package in mga5 updates_testing.

CC: (none) => mageia

Comment 2 David Walser 2016-10-12 18:33:23 CEST
openSUSE has issued an advisory for this on October 11:

URL: (none) => http://lwn.net/Vulnerabilities/703329/

David Walser 2016-12-30 23:40:33 CET

Depends on: (none) => 17123

David Walser 2017-08-20 22:37:52 CEST

Depends on: 17123 => (none)

Comment 3 David Walser 2017-12-27 04:43:39 CET
Nicolas committed the patch to fix this but never built it.

Patched package uploaded for Mageia 5.


Updated kdebase4-runtime packages fix security vulnerability:

A user could sneak an unicode string terminator in the kdesu invocation, which
could hide the fact that more commands could be executed (CVE-2016-7787).


Updated packages in core/updates_testing:

from kdebase4-runtime-4.14.3-5.1.mga5.src.rpm

CC: (none) => kde
Assignee: kde => qa-bugs

Comment 4 James Kerr 2017-12-29 18:05:36 CET
on mga5-64

packages installed cleanly:
- kdebase4-runtime-4.14.3-5.1.mga5.x86_64
- kdebase4-runtime-handbook-4.14.3-5.1.mga5.noarch
- khelpcenter-4.14.3-5.1.mga5.x86_64
- khelpcenter-handbook-4.14.3-5.1.mga5.noarch
- kwallet-daemon-4.14.3-5.1.mga5.x86_64
- lib64kwalletbackend4-4.14.3-5.1.mga5.x86_64
- lib64molletnetwork4-4.14.3-5.1.mga5.x86_64

Have had this running for two days, using a variety of commonly used applications

No regressions noted. Looks OK for mga5-64

However I do not use kwallet, and so perhaps should be tested by someone who does.

CC: (none) => jim

Comment 5 Lewis Smith 2017-12-29 22:30:13 CET
Testing Mageia 5 x64.

I have had this update in use for some hours. For the first session, among other things I did quite a lot of KDE configuration. Soon after, it froze. This seems from the mailList to be a known - if occasional - problem, hence which I am not attributing to this update. I re-started the X-server (Ctrl/Backspace/Backspace), and have been running fine ever since.

Seconding James' 64-bit M5 OK, but wait a bit for others.

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 6 David Walser 2017-12-29 23:01:53 CET
Keep in mind that this update only impacts kdesu.
Comment 7 Lewis Smith 2017-12-30 11:53:40 CET
To prioritise.

CC: lewyssmith => (none)

Comment 8 Thomas Andrews 2017-12-30 19:33:46 CET
First I've even heard of kdesu, so I did a little research. Looks like it could be a handy thing to have.

After installing the update, I placed a link to /lib64/kde4/libexec/kdesu in /usr/bin to make the command easier to use.

I then started dolphin, kwrite, Okular, and Firefox as root, using the kdesu command. I did not try any of the other options.

Everything seemed to work as it should. The apps all opened with root privileges.

Going to tentatively put a 64-bit OK in the Whiteboard. If further testing is needed, I'll give it a shot, but I'll need instructions.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA5-64-OK

Comment 9 Lewis Smith 2017-12-30 20:38:49 CET
Thanks TJ - a good investigation. I tried it also, but difficult to know that <whatever> was running with root privileges. Via kdesu, created a file using Leafpad and checked its permissions with Dolphin: owned by root.
Weakly confirms TJ. Validating as the update is M5 only, test x64.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Thomas Andrews 2017-12-30 21:04:24 CET
Easiest to tell if you run Dolphin. If running as root, mine opens in /root, which is root's "home" directory. When dolphin is opened by a user, /root cannot be accessed.
Comment 11 Mageia Robot 2017-12-31 01:11:10 CET
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.