GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Wed Jul 12, 2017 2:26 am Post subject: [ GLSA 201706-29 ] KAuth and KDELibs
Gentoo Linux Security Advisory
Title: KAuth and KDELibs: Privilege escalation (GLSA 201706-29)
Severity: high
Exploitable: local
Date: 2017-06-27
Bug(s): #618108
ID: 201706-29
Synopsis
A vulnerability in KAuth and KDELibs allows local users to gain
root privileges.
Background
KAuth provides a convenient, system-integrated way to offload actions
that need to be performed as a privileged user (root, for example) to
small (hopefully secure) helper utilities.
The KDE libraries are the basis of KDE and are used by many open source projects.
Affected Packages
Package: kde-frameworks/kauth
Vulnerable: < 5.29.0-r1
Unaffected: >= 5.29.0-r1
Architectures: All supported architectures
Package: kde-frameworks/kdelibs
Vulnerable: < 4.14.32
Unaffected: >= 4.14.32
Architectures: All supported architectures
Description
KAuth and KDELibs contain a logic flaw in which the service invoking
D-Bus is not properly checked. This allows spoofing the identity of the
caller, and with some carefully crafted calls it can lead to gaining root
from an unprivileged account.
Impact
A local attacker could spoof the identity of the caller invoking D-Bus,
possibly resulting in gaining privileges.
Workaround
There is no known workaround at this time.
Resolution
All KAuth users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-frameworks/kauth-5.29.0-r1"

All KDELibs users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-frameworks/kdelibs-4.14.32"
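An added audit script (not part of the advisory or of Gentoo's own tooling) that applies this GLSA's "Unaffected" thresholds to installed versions, so an administrator can confirm the upgrade took effect. It assumes the Portage VDB layout /var/db/pkg/<category>/<name>-<version>/ and falls back to a constructed sample list when that directory is absent.

```python
"""Audit installed kauth/kdelibs versions against GLSA 201706-29."""
import os
import re

# Fixed-version thresholds copied from the advisory's "Unaffected" lines.
GLSA_201706_29 = {
    "kde-frameworks/kauth": "5.29.0-r1",
    "kde-frameworks/kdelibs": "4.14.32",
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-r(\d+))?")


def parse_version(ver):
    """Split a Gentoo PV[-rN] string into a comparable (components, revision) tuple.
    Only dotted numerics plus an optional -rN revision are needed for this GLSA;
    _rc/_p style suffixes are rejected rather than guessed at."""
    m = _VERSION_RE.fullmatch(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    return tuple(int(x) for x in m.group(1).split(".")), int(m.group(2) or 0)


def is_vulnerable(package, version):
    """True when `version` is below the advisory's unaffected threshold."""
    fixed = GLSA_201706_29.get(package)
    if fixed is None:
        return False  # package not covered by this GLSA
    return parse_version(version) < parse_version(fixed)


def installed_versions(package, vdb="/var/db/pkg"):
    """Return versions of `package` recorded in the Portage VDB (assumed layout)."""
    category, name = package.split("/")
    catdir = os.path.join(vdb, category)
    if not os.path.isdir(catdir):
        return []
    prefix = name + "-"
    return [e[len(prefix):] for e in os.listdir(catdir)
            if e.startswith(prefix) and _VERSION_RE.fullmatch(e[len(prefix):])]


def audit(entries):
    """Filter (package, version) pairs down to those the GLSA still covers."""
    return [(p, v) for p, v in entries if is_vulnerable(p, v)]


# Constructed sample inventory (not from a real system) used when no VDB exists.
SAMPLE_INSTALLED = [
    ("kde-frameworks/kauth", "5.29.0"),      # one revision short of the fix
    ("kde-frameworks/kdelibs", "4.14.32"),   # exactly the fixed version
    ("kde-frameworks/kconfig", "5.29.0"),    # not covered by this GLSA
]

if __name__ == "__main__":
    live = [(p, v) for p in GLSA_201706_29 for v in installed_versions(p)]
    for pkg, ver in audit(live or SAMPLE_INSTALLED):
        print(f"VULNERABLE: {pkg}-{ver} (fix: >= {GLSA_201706_29[pkg]})")
```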
References
CVE-2017-8422