Bug 19488 - kdebase4-runtime new possible security issue CVE-2016-7787
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/703329/
Whiteboard: MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2016-09-29 13:47 CEST by David Walser
Modified: 2017-12-31 01:11 CET

See Also:
Source RPM: kdebase4-runtime-4.14.3-5.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-09-29 13:47:39 CEST
A CVE has been issued for a security issue fixed upstream in kde-cli-tools:
http://openwall.com/lists/oss-security/2016/09/29/7

Cauldron should have this fix soon if it doesn't have it already.

kdesu is in kdebase4-runtime in Mageia 5 and may also be affected.
Comment 1 Nicolas Lécureuil 2016-09-29 15:22:53 CEST
Already fixed in Plasma 5.7.95.
New package in mga5 updates_testing.

CC: (none) => mageia

Comment 2 David Walser 2016-10-12 18:33:23 CEST
openSUSE has issued an advisory for this on October 11:
https://lists.opensuse.org/opensuse-updates/2016-10/msg00034.html

URL: (none) => http://lwn.net/Vulnerabilities/703329/

David Walser 2016-12-30 23:40:33 CET

Depends on: (none) => 17123

David Walser 2017-08-20 22:37:52 CEST

Depends on: 17123 => (none)

Comment 3 David Walser 2017-12-27 04:43:39 CET
Nicolas committed the patch to fix this but never built it.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated kdebase4-runtime packages fix security vulnerability:

A user could sneak a Unicode string terminator in the kdesu invocation, which
could hide the fact that more commands could be executed (CVE-2016-7787).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7787
http://openwall.com/lists/oss-security/2016/09/29/7
https://lists.opensuse.org/opensuse-updates/2016-10/msg00034.html
========================

Updated packages in core/updates_testing:
========================
kdebase4-runtime-4.14.3-5.1.mga5
khelpcenter-4.14.3-5.1.mga5
khelpcenter-handbook-4.14.3-5.1.mga5
kdebase4-runtime-handbook-4.14.3-5.1.mga5
kwallet-daemon-4.14.3-5.1.mga5
libkwalletbackend4-4.14.3-5.1.mga5
libmolletnetwork4-4.14.3-5.1.mga5
kdebase4-runtime-devel-4.14.3-5.1.mga5

from kdebase4-runtime-4.14.3-5.1.mga5.src.rpm

CC: (none) => kde
Assignee: kde => qa-bugs
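
The advisory above describes a display problem: a character the dialog does not render can hide the rest of the command from the person approving it. As an added example (not code from the Mageia patch or from the upstream kde-cli-tools fix), this Python code shows one way a confirmation prompt can flag and escape such characters before showing a command. The function names, the category set and the sample strings are assumptions constructed for illustration.

```python
import unicodedata

# Unicode general categories that render as nothing, or change layout, in a
# one-line confirmation label (assumed set, chosen for this example):
# Cc control (NUL, newline, tab), Cf format (zero-width, bidi overrides),
# Zl/Zp line and paragraph separators, Cs surrogates, Co private use,
# Cn unassigned.
HIDDEN_CATEGORIES = {"Cc", "Cf", "Zl", "Zp", "Cs", "Co", "Cn"}


def find_hidden(command: str):
    """Return (index, 'U+XXXX', category) for each character a label could hide."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.category(ch))
        for i, ch in enumerate(command)
        if unicodedata.category(ch) in HIDDEN_CATEGORIES
    ]


def display_safe(command: str) -> str:
    """Return the command with hidden characters replaced by a visible <U+XXXX> tag."""
    return "".join(
        f"<U+{ord(ch):04X}>" if unicodedata.category(ch) in HIDDEN_CATEGORIES else ch
        for ch in command
    )


# Constructed sample inputs (not taken from the bug report).
SAMPLES = [
    "dolphin /root",                          # plain command, nothing hidden
    "kwrite notes.txt\u2028echo second",      # line separator before more text
    "kwrite notes.txt\x00echo second",        # NUL, a C-style string terminator
    "okular r\u00e9sum\u00e9.pdf",            # legitimate non-ASCII stays as-is
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hits = find_hidden(sample)
        verdict = "REVIEW" if hits else "ok"
        print(f"{verdict:6} {display_safe(sample)}  {hits}")
```

A prompt that shows the `display_safe` form, or refuses the request when `find_hidden` returns anything, lets the user see the whole string that will run.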

Comment 4 James Kerr 2017-12-29 18:05:36 CET
on mga5-64

packages installed cleanly:
- kdebase4-runtime-4.14.3-5.1.mga5.x86_64
- kdebase4-runtime-handbook-4.14.3-5.1.mga5.noarch
- khelpcenter-4.14.3-5.1.mga5.x86_64
- khelpcenter-handbook-4.14.3-5.1.mga5.noarch
- kwallet-daemon-4.14.3-5.1.mga5.x86_64
- lib64kwalletbackend4-4.14.3-5.1.mga5.x86_64
- lib64molletnetwork4-4.14.3-5.1.mga5.x86_64

Have had this running for two days, using a variety of commonly used applications

No regressions noted. Looks OK for mga5-64

However I do not use kwallet, and so perhaps should be tested by someone who does.

CC: (none) => jim

Comment 5 Lewis Smith 2017-12-29 22:30:13 CET
Testing Mageia 5 x64.
 kdebase4-runtime-4.14.3-5.1.mga5
 kdebase4-runtime-handbook-4.14.3-5.1.mga5
 khelpcenter-4.14.3-5.1.mga5
 khelpcenter-handbook-4.14.3-5.1.mga5
 kwallet-daemon-4.14.3-5.1.mga5
 lib64kwalletbackend4-4.14.3-5.1.mga5
 lib64molletnetwork4-4.14.3-5.1.mga5

I have had this update in use for some hours. For the first session, among other things I did quite a lot of KDE configuration. Soon after, it froze. This seems from the mailing list to be a known - if occasional - problem, which I am therefore not attributing to this update. I re-started the X-server (Ctrl/Backspace/Backspace), and have been running fine ever since.

Seconding James' 64-bit M5 OK, but wait a bit for others.

CC: (none) => lewyssmith
Keywords: (none) => advisory

Comment 6 David Walser 2017-12-29 23:01:53 CET
Keep in mind that this update only impacts kdesu.
Comment 7 Lewis Smith 2017-12-30 11:53:40 CET
To prioritise.

CC: lewyssmith => (none)

Comment 8 Thomas Andrews 2017-12-30 19:33:46 CET
First I've even heard of kdesu, so I did a little research. Looks like it could be a handy thing to have.

After installing the update, I placed a link to /lib64/kde4/libexec/kdesu in /usr/bin to make the command easier to use.

I then started dolphin, kwrite, Okular, and Firefox as root, using the kdesu command. I did not try any of the other options.

Everything seemed to work as it should. The apps all opened with root privileges.

Going to tentatively put a 64-bit OK in the Whiteboard. If further testing is needed, I'll give it a shot, but I'll need instructions.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA5-64-OK

Comment 9 Lewis Smith 2017-12-30 20:38:49 CET
Thanks TJ - a good investigation. I tried it also, but difficult to know that <whatever> was running with root privileges. Via kdesu, created a file using Leafpad and checked its permissions with Dolphin: owned by root.
Weakly confirms TJ. Validating as the update is M5 only, test x64.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Thomas Andrews 2017-12-30 21:04:24 CET
Easiest to tell if you run Dolphin. If running as root, mine opens in /root, which is root's "home" directory. When dolphin is opened by a user, /root cannot be accessed.
Comment 11 Mageia Robot 2017-12-31 01:11:10 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0473.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

