[kde-security-preannounce] Privilege Escalation via KDE Clock KCM polkit helper
Manuel Rüger
mrueg at gentoo.org
Thu Nov 6 17:26:11 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi Jonathan,
there's a small typo in the advisory:
priveledges should be priviledges
Manuel
On 06.11.2014 17:10, Jonathan Riddell wrote:
>
> This advisory, named timeshockbleed by the media, has now been made
> public.
>
> https://www.kde.org/info/security/advisory-20141106-1.txt
>
> Jonathan
>
>
> On Tue, Nov 04, 2014 at 05:54:30PM +0100, David Edmundson wrote:
>> Jonathan told me to post this here:
>>
>> KDE Project Security Advisory =============================
>>
>> Title: A A A A A kde-workspace: Privilege Escalation via KDE
>> Clock KCM polkit helperA
>>
>> Risk Rating: Medium(?) CVE: requested. Not been
>> given one yet Platforms: All Versions: kde-workspace <
>> 4.14.3 Author: David Edmundson <davidedmundson at kde.org>
>> Date: 4 November 2014
>>
>> Overview ========
>>
>> KDE workspace configuration module for setting the date and time
>> has a helper program which runs as root for performing actions.
>> This is secured with polkit.
>>
>> This helper takes the name of the ntp utility to run as an
>> argument. This allows a hacker to run any arbitrary command as
>> root under the guise of updating the time.
>>
>> Impact ======
>>
>> An application can gain root priveledges from an admin user with
>> either misleading information or no interaction.
>>
>> On some systems the user will be shown a prompt to change the
>> time. However, if the system has policykit-desktop-privileges
>> installed, the datetime helper will be invoked by an admin user
>> without any prompts.
>>
>>
>> Workaround ==========
>>
>> Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save
>> action
>>
>> Solution ========
>>
>> Upgrade kde-desktop to 4.14.3 once released or apply the
>> following patch: https://git.reviewboard.kde.org/r/120977/
>
>> _______________________________________________
>> Kde-security-preannounce mailing list
>> Kde-security-preannounce at kde.org
>> https://mail.kde.org/mailman/listinfo/kde-security-preannounce
>
> _______________________________________________ release-team
> mailing list release-team at kde.org
> https://mail.kde.org/mailman/listinfo/release-team
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0
iQJ8BAEBCgBmBQJUW68yXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4MDA1RERERkM0ODM2QkE4MEY3NzY0N0M1
OEZCQTM2QzhEOUQ2MzVDAAoJEFj7o2yNnWNcr+UQAK8JIauZ9FA/9T5j4TCWSUUZ
MmsNHx0k0c+peCZuG4IjVcXNrQ+C0T6NOdlS8nlWzHiv7Z6Dki/XBGnZEXcIvPIL
DG0wNySypavEoHZRGnAk4fBcftxUSZN+qdiUw5gib6aWbjGVYQDTd+zsnx//w52q
T1BpTxmm0POQAeglWYoqhkyonkvjKbmB3SaCDj5VrtxGA9ey7KAo9OdQx0iMBZ3B
yrhroDlTkNB3pfMMyjFeDRIbD9GU0yQstBtp6MbamLyJTdHY4wpMJVQefVuRGbgA
bO5hH5sYtX14r36d9wVLwK6gZ3e6TzAWpasS+G0jDBHUT2a/ewmm33qOOVJJExaL
za45lyCCDA1pAR12EKw1N5341JqpQW9FZ2pLl/4ldZpk97ywYqPw1KYALQrAxLPj
sFIBbVdNOgSO4aPjuGWSkFwm4+Ob0Ji2wzF/O0JABqBNxgZeLPas+9Jv7Fggn8Rc
bigsaxxlj2++QnS/N8IhfYm4vsekjy49ZYaY7zR2O5DQKMDYuAlheh/yapL5QPsC
34A68gxn72joKhWRKTXv999CdJ3C2YGtiZTpnbCT8Z3eo3/i1272p0Vi1zImw9uT
XBS8dx9cWHcOb/1zvbHgtdG3B0M4DiapN+WjQKo3A4802C+uLiqmg8miKDfMnwG4
tmL+aStZ8Aqzd8ysw+ws
=B+tO
-----END PGP SIGNATURE-----
More information about the release-team
mailing list