https://www.kde.org/info/security/advisory-20141106-1.txt

KDE Project Security Advisory
=============================

Title:          kde-workspace, plasma-desktop: privilege escalation
Risk Rating:    Medium
CVE:            not yet allocated
Platforms:      All
Versions:       kde-workspace < 4.11.14, plasma-desktop < 5.1.1
Author:         David Edmundson davidedmundson@kde.org
Date:           06 November 2014

Overview
========

The KDE workspace configuration module for setting the date and time has a
helper program which runs as root to perform actions. Access to this helper
is secured with polkit.

The helper takes the name of the ntp utility to run as an argument. This
allows a hacker to run an arbitrary command as root under the guise of
updating the time.

Impact
======

An application can gain root privileges from an admin user with either
misleading information or no interaction.

On some systems the user will be shown a prompt to change the time. However,
if the system has policykit-desktop-privileges installed, the datetime helper
will be invoked by an admin user without any prompts.

Workaround
==========

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action.

Solution
========

For kde-workspace 4, upgrade kde-workspace to 4.11.14 once released or apply
the following patch:
https://projects.kde.org/projects/kde/kde-workspace/repository/diff?rev=54d0bfb5effff9c8cf60da890b7728cbe36a454e&rev_to=fd2aa9deed44fad6107625ad7360157fea7296f6

For plasma-desktop 5, upgrade to plasma-desktop 5.1.1 once released or apply
the following patch:
https://projects.kde.org/projects/kde/workspace/plasma-desktop/repository/diff?rev_to=683b66889b8abbeec82eedcbb1c9ff08c06e9582&rev=58bb376fb9ffb2ecb9ce0a89a0a312bfa091bd3f

Credits
=======

Thanks to David Edmundson for finding and fixing the issue.
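Added example (not part of the advisory and not the KDE patch): one way a root helper can stop trusting the caller-supplied utility name described in the Overview, shown beside the unsafe pattern. The utility names, the directory list and all function names are assumptions for illustration.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Assumed for illustration: utilities the helper may run, and root-owned
// directories it may run them from.
static const std::vector<std::string> kAllowedUtilities = {"ntpdate", "rdate"};
static const std::vector<std::string> kTrustedDirs = {"/usr/sbin", "/usr/bin", "/sbin", "/bin"};

// Existence check is injected so the example runs offline; a real helper
// would stat() the candidate and require a root-owned regular file.
using ExistsFn = std::function<bool(const std::string&)>;

// Pattern the advisory describes: the caller's string is what root executes.
std::string resolveUnsafe(const std::string& callerUtility) {
    return callerUtility;
}

// Hardened: the caller may only name a utility from the fixed list, and the
// helper builds the absolute path itself. Returns "" when the request is refused.
std::string resolveHardened(const std::string& requested, const ExistsFn& exists) {
    bool allowed = false;
    for (const std::string& name : kAllowedUtilities)
        if (requested == name) allowed = true;
    if (!allowed) return "";  // exact match refuses paths, arguments, "..", ""
    for (const std::string& dir : kTrustedDirs) {
        const std::string candidate = dir + "/" + requested;
        if (exists(candidate)) return candidate;
    }
    return "";  // allowed name, but not installed in a trusted directory
}

// Constructed stand-in for the filesystem: only ntpdate is "installed".
bool constructedExists(const std::string& path) {
    return path == "/usr/sbin/ntpdate";
}

int main() {
    // Constructed requests, as a caller of the helper might send them.
    const std::vector<std::string> requests = {
        "ntpdate", "rdate", "/tmp/not-ntp", "../../tmp/not-ntp", "ntpdate -x", ""};
    for (const std::string& r : requests) {
        const std::string path = resolveHardened(r, constructedExists);
        std::cout << "[" << r << "] unsafe=" << resolveUnsafe(r)
                  << " hardened=" << (path.empty() ? "(refused)" : path) << "\n";
    }
    return 0;
}
```

The resolved absolute path is meant to be passed to an exec-style call with a separate argument vector, not through a shell.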