Bug 24334 - kauth new security issue CVE-2019-7443
Summary: kauth new security issue CVE-2019-7443
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-02-09 21:43 CET by David Walser
Modified: 2019-02-14 09:40 CET
CC list: 5 users

See Also:
Source RPM: kauth-5.54.0-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-02-09 21:43:54 CET
KDE has issued an advisory today (February 9):
https://www.kde.org/info/security/advisory-20190209-1.txt

The issue is fixed upstream in 5.55 and in the commit linked from the advisory.

Mageia 6 is also affected.
David Walser 2019-02-09 21:44:01 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Nicolas Lécureuil 2019-02-09 22:27:16 CET
src.rpm: kauth-5.42.0-1.1.mga6

rpms:

kauth-5.42.0-1.1.mga6
lib{64}kf5auth5-5.42.0-1.1.mga6
lib{64}kf5auth-devel-5.42.0-1.1.mga6
kauth-debuginfo-5.42.0-1.1.mga6

Advisory:

KAuth allows to pass parameters with arbitrary types to helpers running as root
over DBus. Certain types can cause crashes and trigger decoding arbitrary
images with dynamically loaded plugins.

CC: (none) => mageia
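The advisory text above describes the weak point (a root-running helper accepting parameters of arbitrary types over D-Bus). As an added example, not code from KDE, KAuth or Mageia, the defensive pattern of validating every argument against a per-action schema of plain types before any privileged code runs is sketched below in plain C++17 without Qt. The action name, schema, `OpaqueBlob` (a constructed stand-in for an arbitrary serialized object such as an image) and all function names are hypothetical; the example goes slightly beyond the advisory by also rejecting unknown and missing keys, not only unsupported types.

```cpp
// Added example (not KDE/Mageia code): a privileged helper that accepts only
// arguments matching a per-action schema of plain types. Names are hypothetical.
#include <cstdint>
#include <map>
#include <string>
#include <utility>
#include <variant>
#include <vector>

// Constructed stand-in for "any serialized object" a transport could deliver.
struct OpaqueBlob { std::vector<uint8_t> bytes; };

// What arrives on the wire: plain scalars/strings, or an opaque object.
using WireValue = std::variant<bool, int64_t, double, std::string, OpaqueBlob>;
using WireArgs  = std::map<std::string, WireValue>;

// The only kinds the helper is willing to act on.
enum class Kind { Bool, Int, Double, String };
using Schema = std::map<std::string, Kind>;

// Hypothetical "mount" action: exactly these keys with exactly these types.
const Schema kMountSchema = {{"device", Kind::String}, {"readonly", Kind::Bool}};

enum class Verdict { Ok, UnknownKey, MissingKey, WrongType, UnsupportedType };

static bool kindMatches(const WireValue& v, Kind k) {
    switch (k) {
        case Kind::Bool:   return std::holds_alternative<bool>(v);
        case Kind::Int:    return std::holds_alternative<int64_t>(v);
        case Kind::Double: return std::holds_alternative<double>(v);
        case Kind::String: return std::holds_alternative<std::string>(v);
    }
    return false;
}

// Validate before any action code runs; returns the verdict and offending key.
std::pair<Verdict, std::string> validateArguments(const WireArgs& args,
                                                  const Schema& schema) {
    for (const auto& [key, value] : args) {
        // Reject non-plain payloads first: they must never reach privileged code.
        if (std::holds_alternative<OpaqueBlob>(value))
            return {Verdict::UnsupportedType, key};
        auto it = schema.find(key);
        if (it == schema.end())
            return {Verdict::UnknownKey, key};
        if (!kindMatches(value, it->second))
            return {Verdict::WrongType, key};
    }
    for (const auto& [key, kind] : schema) {
        (void)kind;
        if (args.count(key) == 0)
            return {Verdict::MissingKey, key};
    }
    return {Verdict::Ok, ""};
}

// Privileged entry point: the action body only sees validated input.
// Returns a status string so the outcome is observable (no real mount is done).
std::string handleMountRequest(const WireArgs& args) {
    auto [verdict, key] = validateArguments(args, kMountSchema);
    if (verdict != Verdict::Ok)
        return "rejected:" + key;
    const std::string& device = std::get<std::string>(args.at("device"));
    bool readOnly = std::get<bool>(args.at("readonly"));
    return "mounted:" + device + (readOnly ? ":ro" : ":rw");
}

// Constructed requests for demonstration.
WireArgs goodRequest() {
    return {{"device", std::string("/dev/sdb1")}, {"readonly", true}};
}
WireArgs blobRequest() {          // an opaque object where a string is expected
    return {{"device", OpaqueBlob{{0x89, 'P', 'N', 'G'}}}, {"readonly", false}};
}
WireArgs extraKeyRequest() {      // a key the schema does not know
    WireArgs a = goodRequest();
    a["plugin"] = std::string("anything");
    return a;
}
WireArgs wrongTypeRequest() {     // right key, wrong plain type
    return {{"device", std::string("/dev/sdb1")}, {"readonly", int64_t{1}}};
}
WireArgs missingKeyRequest() {    // required key absent
    return {{"device", std::string("/dev/sdb1")}};
}
```

The point of the pattern is the order of checks: the unsupported-type test runs before any lookup or conversion, so nothing derived from an unexpected payload is ever constructed in the privileged process, and the schema makes the accepted surface explicit enough to review.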

Nicolas Lécureuil 2019-02-09 22:27:35 CET

Assignee: kde => qa-bugs

Thomas Backlund 2019-02-10 17:27:44 CET

CC: (none) => tmb
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 Herman Viaene 2019-02-11 12:03:51 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Found bug 20843 as previous update, but "Tested a wide variety of applications." is not really much info.
# urpmq --whatrequires kauth
kauth
kwallet
kwallet
kwallet

So I installed kwallet and kwalletmanager5, but neither running this GUI with strace nor

$ strace -o kauth.txt kwallet-query -lv kauthtest
timer event
standby opening wallet  "kauthtest"
org.kde.kwindowsystem: Could not find any platform plugin
testkauth (this is an item I created in the wallet)

created any usage of kauth apart from references to the messages.
Giving up, I don't want to run a full Plasma install on this old slow laptop.

CC: (none) => herman.viaene

Comment 3 Dave Hodgins 2019-02-14 08:55:38 CET
It's used by any KDE program that requires root authority to run.

Tested by selecting Tools/System Tools/KDE Partition Manager.

Advisory committed to svn. Validating the update.

CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update

Comment 4 Mageia Robot 2019-02-14 09:40:25 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0083.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
