Upstream has issued an advisory on May 10:
https://www.kde.org/info/security/advisory-20170510-1.txt

Debian has issued an advisory for this on May 12:
https://www.debian.org/security/2017/dsa-3849

The issue has already been fixed in Cauldron by Nicolas.
pushed in updates_testing

src.rpm:
kauth-5.5.0-1.1.mga5
kdelibs4-4.14.30-1.1.mga5
Assignee: kde => qa-bugs
CC: (none) => mageia
Advisory:
========================

Updated kauth and kdelibs4 packages fix security vulnerability:

Sebastian Krahmer from SUSE discovered that the KAuth framework contains a logic flaw in which the service invoking dbus is not properly checked. This flaw allows spoofing the identity of the caller and gaining root privileges from an unprivileged account (CVE-2017-8422).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8422
https://www.kde.org/info/security/advisory-20170510-1.txt
https://www.debian.org/security/2017/dsa-3849
========================

Updated packages in core/updates_testing:
========================
libkde3support4-4.14.30-1.1.mga5
libkdecore5-4.14.30-1.1.mga5
libkdefakes5-4.14.30-1.1.mga5
libkdesu5-4.14.30-1.1.mga5
libkdeui5-4.14.30-1.1.mga5
libkdnssd4-4.14.30-1.1.mga5
libkfile4-4.14.30-1.1.mga5
libkhtml5-4.14.30-1.1.mga5
libkimproxy4-4.14.30-1.1.mga5
libkio5-4.14.30-1.1.mga5
libkjsembed4-4.14.30-1.1.mga5
libkjs4-4.14.30-1.1.mga5
libkmediaplayer4-4.14.30-1.1.mga5
libnepomuk4-4.14.30-1.1.mga5
libknewstuff2_4-4.14.30-1.1.mga5
libknotifyconfig4-4.14.30-1.1.mga5
libkntlm4-4.14.30-1.1.mga5
libkdeclarative5-4.14.30-1.1.mga5
libkparts4-4.14.30-1.1.mga5
libkrosscore4-4.14.30-1.1.mga5
libkrossui4-4.14.30-1.1.mga5
libktexteditor4-4.14.30-1.1.mga5
libkunittest4-4.14.30-1.1.mga5
libkutils4-4.14.30-1.1.mga5
libsolid4-4.14.30-1.1.mga5
libthreadweaver4-4.14.30-1.1.mga5
libkpty4-4.14.30-1.1.mga5
libkjsapi4-4.14.30-1.1.mga5
libplasma3-4.14.30-1.1.mga5
libkunitconversion4-4.14.30-1.1.mga5
libnepomukquery4-4.14.30-1.1.mga5
libkdewebkit5-4.14.30-1.1.mga5
libknewstuff3_4-4.14.30-1.1.mga5
libkcmutils4-4.14.30-1.1.mga5
libkprintutils4-4.14.30-1.1.mga5
libkidletime4-4.14.30-1.1.mga5
libkemoticons4-4.14.30-1.1.mga5
libnepomukutils4-4.14.30-1.1.mga5
kdelibs4-core-4.14.30-1.1.mga5
kdelibs4-handbooks-4.14.30-1.1.mga5
kdelibs4-devel-4.14.30-1.1.mga5
kauth-5.5.0-1.1.mga5
libkf5auth5-5.5.0-1.1.mga5
libkf5auth-devel-5.5.0-1.1.mga5

from SRPMS:
kdelibs4-4.14.30-1.1.mga5.src.rpm
kauth-5.5.0-1.1.mga5.src.rpm
On mga5-64

Installed all of the packages listed in comment#2
Tested a wide variety of applications.
No regressions observed.

OK for mga5-64
Whiteboard: (none) => MGA5-64-OK
CC: (none) => jim
Created attachment 9602
list of packages

The packages referred to in comment#3
Packages installed without issues. Using a Plasma session for several hours now, with plenty of KDE applications used without noticeable regressions.

System: Mageia 5, Intel x86_64 CPU, Plasma using OpenGL composition, nVidia GPU with the nvidia340 proprietary driver.

# uname -a
Linux marte 4.4.82-desktop-1.mga5 #1 SMP Sun Aug 13 18:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

# journalctl -b 0 | grep RPM.*install
Ago 16 13:03:25 marte [RPM][3743]: install lib64solid4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:25 marte [RPM][3743]: install lib64kjs4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:25 marte [RPM][3743]: install lib64ktexteditor4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:26 marte [RPM][3743]: install lib64kdeui5-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:26 marte [RPM][3743]: install lib64kjsembed4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:26 marte [RPM][3743]: install lib64kntlm4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:26 marte [RPM][3743]: install lib64krosscore4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:26 marte [RPM][3743]: install lib64nepomukquery4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:27 marte [RPM][3743]: install lib64kfile4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:27 marte [RPM][3743]: install lib64khtml5-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:27 marte [RPM][3743]: install lib64kemoticons4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:27 marte [RPM][3743]: install lib64kio5-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:27 marte [RPM][3743]: install lib64nepomukutils4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:27 marte [RPM][3743]: install lib64nepomuk4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:28 marte [RPM][3743]: install lib64kdecore5-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:28 marte [RPM][3743]: install lib64kparts4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:37 marte [RPM][3743]: install kdelibs4-core-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:37 marte [RPM][3743]: install lib64kf5auth5-5.5.0-1.1.mga5.x86_64: success
Ago 16 13:03:45 marte [RPM][3743]: install lib64kpty4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:45 marte [RPM][3743]: install lib64kde3support4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:45 marte [RPM][3743]: install lib64kprintutils4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:45 marte [RPM][3743]: install lib64kcmutils4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:45 marte [RPM][3743]: install lib64kunitconversion4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:45 marte [RPM][3743]: install lib64knotifyconfig4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:45 marte [RPM][3743]: install lib64kdeclarative5-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:46 marte [RPM][3743]: install lib64knewstuff2_4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:46 marte [RPM][3743]: install lib64kdnssd4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:46 marte [RPM][3743]: install lib64knewstuff3_4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:46 marte [RPM][3743]: install lib64kdewebkit5-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:46 marte [RPM][3743]: install lib64threadweaver4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:46 marte [RPM][3743]: install lib64plasma3-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:46 marte [RPM][3743]: install lib64kdesu5-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:46 marte [RPM][3743]: install lib64kjsapi4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:03:46 marte [RPM][3743]: install lib64kidletime4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:04:21 marte [RPM][3743]: install lib64kmediaplayer4-2:4.14.30-1.1.mga5.x86_64: success
Ago 16 13:04:21 marte [RPM][3743]: install lib64kdefakes5-2:4.14.30-1.1.mga5.x86_64: success
CC: (none) => mageia
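
The journal check used in the comment above, turned into a coverage check (an added example, not part of the original thread): it reads `[RPM]` journal lines in the format shown there and lists the advisory packages that were not logged as installed at the fixed versions. The sample log lines, host name and function names are constructed for illustration, and the `lib64` to `lib` mapping assumes the x86_64 package naming seen in that log.

```shell
#!/bin/sh
# Added example: confirm from the journal that advisory packages were
# installed at the fixed versions named in this thread.
KDELIBS_FIXED="4.14.30-1.1.mga5"   # kdelibs4 and its library subpackages
KAUTH_FIXED="5.5.0-1.1.mga5"       # kauth, libkf5auth5, libkf5auth-devel

# Constructed sample journal lines (the third one carries an older release).
sample_log() {
cat <<'EOF'
Aug 16 13:03:25 testhost [RPM][1000]: install lib64solid4-2:4.14.30-1.1.mga5.x86_64: success
Aug 16 13:03:37 testhost [RPM][1000]: install kdelibs4-core-2:4.14.30-1.1.mga5.x86_64: success
Aug 16 13:03:38 testhost [RPM][1000]: install lib64kf5auth5-5.5.0-1.mga5.x86_64: success
Aug 16 13:03:39 testhost sshd[1001]: unrelated line
EOF
}

# Read journal lines on stdin; print the name of every package logged as
# successfully installed at its fixed version (lib64* is reported as lib*).
fixed_installs() {
    awk -v kl="$KDELIBS_FIXED" -v ka="$KAUTH_FIXED" '
    $5 ~ /^\[RPM\]/ && $6 == "install" && $8 == "success" {
        nevra = $7
        sub(/:$/, "", nevra)                     # colon before "success"
        sub(/\.[^.]+$/, "", nevra)               # architecture suffix
        n = split(nevra, p, "-")
        if (n < 3) next
        ver = p[n-1]; sub(/^[0-9]+:/, "", ver)   # drop an epoch such as "2:"
        name = p[1]
        for (i = 2; i <= n - 2; i++) name = name "-" p[i]
        sub(/^lib64/, "lib", name)
        want = (name ~ /^(kauth|libkf5auth)/) ? ka : kl
        if ((ver "-" p[n]) == want) print name
    }'
}

# unconfirmed PKG...: journal on stdin; print each expected package that has
# no matching fixed-version install line.
unconfirmed() {
    seen=$(fixed_installs)
    for pkg in "$@"; do
        printf '%s\n' "$seen" | grep -qxF -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# On a test machine: journalctl -b 0 | unconfirmed libsolid4 kauth ...
sample_log | unconfirmed libsolid4 kdelibs4-core libkf5auth5 kauth
```

A package listed by `unconfirmed` is not necessarily vulnerable: it may not be installed on that machine at all, or it may have been updated in an earlier boot.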
On mga5-32 in a vbox VM

Installed all of the packages
Tested a variety of applications
No regressions noted

OK for mga5-32 in a vbox VM
Added the 32-bit OK for Jim. Thanks to you & PC_LX for these tests. Validating, advisory to follow.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => MGA5-64-OK mga5-32-ok
CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: MGA5-64-OK mga5-32-ok => advisory MGA5-64-OK mga5-32-ok
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0274.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED