[arch-security] [Arch Linux Security Advisory ASA-201411-6] kdebase-workspace: local privilege escalation
Remi Gacogne
rgacogne at archlinux.org
Mon Nov 10 14:49:59 UTC 2014
Arch Linux Security Advisory ASA-201411-6
=========================================
Severity: Medium
Date : 2014-11-10
CVE-ID : CVE-2014-8651
Package : kdebase-workspace
Type : local privilege escalation
Remote : No
Link : https://wiki.archlinux.org/index.php/CVE-2014
Summary
=======
The package kdebase-workspace before version 4.11.13-2 is
vulnerable to a local privilege escalation issue.
Resolution
==========
Upgrade to 4.11.13-2.
# pacman -Syu "kdebase-workspace>=4.11.13-2"
The problem has not been fixed upstream yet.
Workaround
==========
A polkit rule can be added to disable the org.kde.kcontrol.kcmclock.save
action.
Description
===========
KDE workspace configuration module for setting the date and time has a
helper program which runs as root for performing actions. This is
secured with polkit. This helper takes the name of the ntp utility to
run as an argument. This allows a hacker to run any arbitrary command as
root under the guise of updating the time.
Impact
======
An local application can gain root privileges from an admin user with
either misleading information or no interaction.
References
==========
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8651
http://seclists.org/oss-sec/2014/q4/520
https://git.reviewboard.kde.org/r/120977/
https://bugs.archlinux.org/task/42679
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141110/8debfae0/attachment.bin>
More information about the arch-security
mailing list