From kde-announce  Thu Nov 06 16:59:56 2014
From: Jonathan Riddell <jr () jriddell ! org>
Date: Thu, 06 Nov 2014 16:59:56 +0000
To: kde-announce
Subject: [kde-announce] security update. kde-workspace, plasma-desktop: privilage escalation
Message-Id: <CANX=XXPEPtQQ3Z2etG=L3_SV-eYQudaHvSTnVO=h949yjaRXAQ () mail ! gmail ! com>
X-MARC-Message: https://marc.info/?l=kde-announce&m=141529556911212
MIME-Version: 1
Content-Type: multipart/mixed; boundary="--===============5971428850662571758=="

--===============5971428850662571758==
Content-Type: multipart/alternative; boundary=001a1140f5c639eed9050733a0c6

--001a1140f5c639eed9050733a0c6
Content-Type: text/plain; charset=UTF-8

https://www.kde.org/info/security/advisory-20141106-1.txt

KDE Project Security Advisory
=============================

Title:          kde-workspace, plasma-desktop: privilage escalation
Risk Rating:    Medium
CVE:            not yet allocated
Platforms:      All
Versions:       kde-workspace < 4.11.14, plasma-desktop < 5.1.1
Author:         David Edmundson davidedmundson@kde.org
Date:           06 November 2014

Overview
========

KDE workspace configuration module for setting the date and time has a
helper program
which runs as root for performing actions. This is secured with polkit.

This helper takes the name of the ntp utility to run as an argument.
This allows a hacker
to run any arbitrary command as root under the guise of updating the time.

Impact
======

An application can gain root priveledges from an admin user with
either misleading information
or no interaction.

On some systems the user will be shown a prompt to change the time.
However, if the system has
policykit-desktop-privileges installed, the datetime helper will be
invoked by an admin user
without any prompts.

Workaround
==========

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action.

Solution
========

For kde-workspace 4 upgrade kde-workspace to 4.11.14 once released or
apply the following patch:
 https://projects.kde.org/projects/kde/kde-workspace/repository/diff?rev=54d0bfb5effff9c8cf60da890b7728cbe36a454e&rev_to=fd2aa9deed44fad6107625ad7360157fea7296f6

For plasma-desktop 5 upgrade to plasma-desktop 5.1.1 once release or
apply the following patch:
 https://projects.kde.org/projects/kde/workspace/plasma-desktop/repository/diff?rev_to=683b66889b8abbeec82eedcbb1c9ff08c06e9582&rev=58bb376fb9ffb2ecb9ce0a89a0a312bfa091bd3f

Credits
=======

Thanks to David Edmundson for finding and fixing the issue

--001a1140f5c639eed9050733a0c6
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><a href=3D"https://www.kde.org/info/security/advisory-2014=
1106-1.txt">https://www.kde.org/info/security/advisory-20141106-1.txt</a><b=
r><br><pre>KDE Project Security Advisory
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D

Title:          kde-workspace, plasma-desktop: privilage escalation
Risk Rating:    Medium
CVE:            not yet allocated
Platforms:      All
Versions:       kde-workspace &lt; 4.11.14, plasma-desktop &lt; 5.1.1
Author:         David Edmundson <a href=3D"mailto:davidedmundson@kde.org">d=
avidedmundson@kde.org</a>
Date:           06 November 2014

Overview
=3D=3D=3D=3D=3D=3D=3D=3D

KDE workspace configuration module for setting the date and time has a help=
er program
which runs as root for performing actions. This is secured with polkit.

This helper takes the name of the ntp utility to run as an argument. This a=
llows a hacker
to run any arbitrary command as root under the guise of updating the time.

Impact
=3D=3D=3D=3D=3D=3D

An application can gain root priveledges from an admin user with either mis=
leading information
or no interaction.

On some systems the user will be shown a prompt to change the time. However=
, if the system has
policykit-desktop-privileges installed, the datetime helper will be invoked=
 by an admin user
without any prompts.

Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action.

Solution
=3D=3D=3D=3D=3D=3D=3D=3D

For kde-workspace 4 upgrade kde-workspace to 4.11.14 once released or apply=
 the following patch:
 <a href=3D"https://projects.kde.org/projects/kde/kde-workspace/repository/=
diff?rev=3D54d0bfb5effff9c8cf60da890b7728cbe36a454e&amp;rev_to=3Dfd2aa9deed=
44fad6107625ad7360157fea7296f6">https://projects.kde.org/projects/kde/kde-w=
orkspace/repository/diff?rev=3D54d0bfb5effff9c8cf60da890b7728cbe36a454e&amp=
;rev_to=3Dfd2aa9deed44fad6107625ad7360157fea7296f6</a>

For plasma-desktop 5 upgrade to plasma-desktop 5.1.1 once release or apply =
the following patch:
 <a href=3D"https://projects.kde.org/projects/kde/workspace/plasma-desktop/=
repository/diff?rev_to=3D683b66889b8abbeec82eedcbb1c9ff08c06e9582&amp;rev=
=3D58bb376fb9ffb2ecb9ce0a89a0a312bfa091bd3f">https://projects.kde.org/proje=
cts/kde/workspace/plasma-desktop/repository/diff?rev_to=3D683b66889b8abbeec=
82eedcbb1c9ff08c06e9582&amp;rev=3D58bb376fb9ffb2ecb9ce0a89a0a312bfa091bd3f<=
/a>

Credits
=3D=3D=3D=3D=3D=3D=3D

Thanks to David Edmundson for finding and fixing the issue
</pre><br></div>

--001a1140f5c639eed9050733a0c6--

--===============5971428850662571758==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
kde-announce mailing list
kde-announce@kde.org
https://mail.kde.org/mailman/listinfo/kde-announce

--===============5971428850662571758==--