Current security issues with KAuth support in KIO
Albert Astals Cid
aacid at kde.org
Sun Feb 4 22:47:26 UTC 2018
So we're having KF5 5.43 next week; has this been figured out?
I find this thread ended too open-ended for my taste.
Cheers,
Albert
On Saturday, 13 January 2018 at 23:55:16 CET, Luca Beltrame wrote:
> (please keep Fabian in CC, he's not subscribed and found out most of the
> issues reported here)
>
> At openSUSE we have to request reviews by the security team before
> new polkit services get accepted. This is the case for the kio kauth helper
> as well.
> While the security team raised concerns with the wide capabilities of the
> helper (it can easily be used to do literally everything), we had a look at
> the implementation itself to find some obvious security issues:
>
> - The privilege is persistent for the entire session (already fixed).
> - The confirmation prompt for the kauth action use does not tell what is
> going to happen. So you might open a file dialog and then instead of
> opening a file, write to /bin/sh.
> - Trivial stack-based buffer overflow in the kauth helper:
> https://cgit.kde.org/kio.git/tree/src/ioslaves/file/sharefd_p.h#n57
> - The socket used to send and receive file descriptors does not have any
> kind of permission check. You can easily send fds to and receive fds from
> users of the kauth helper on the same machine. (BTW,
> SocketAddress::length should return the actual length of the buffer,
> currently it adds ~100 '\0' bytes to the end)
>
> In its current state we cannot recommend anyone to enable this.
> However, we hope that those issues can be addressed, it does provide some
> useful functionality.
>
> Luca Beltrame
> on behalf of the openSUSE KDE Team