GLSA 201512-12: KDE Systemsettings: Privilege escalation

Severity: normal
Title: KDE Systemsettings: Privilege escalation
Date: 12/30/2015
Bugs: #528468
ID: 201512-12

Synopsis

Data validation in KDE Systemsettings could lead to local privilege escalation.

Background

The KDE workspace configuration module for setting the date and time has a helper program that runs as root to perform its actions.

Affected packages

Package                   Vulnerable       Unaffected        Architecture(s)
kde-base/systemsettings   < 4.11.13-r1     >= 4.11.13-r1     All supported architectures

Description

KDE Systemsettings fails to properly validate user input before passing it as an argument in a context of higher privilege.

Impact

A local attacker could gain privileges via a crafted ntpUtility (NTP utility name) argument.

Workaround

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action.
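As an added example (not part of the advisory), the polkit rule a defender could drop into /etc/polkit-1/rules.d/ (the file name 10-kcmclock-glsa.rules is an assumption) to deny org.kde.kcontrol.kcmclock.save for every subject until the package is upgraded:

```javascript
// Workaround rule for GLSA 201512-12: refuse org.kde.kcontrol.kcmclock.save so the
// root helper behind the KDE date/time module cannot be reached through polkit.
// Suggested path (assumption): /etc/polkit-1/rules.d/10-kcmclock-glsa.rules

// polkitd supplies the global `polkit` object when it loads rules.d files. The
// constructed stand-in below is only taken when the file runs outside polkitd
// (e.g. under node) so the rule logic can be exercised; under polkitd it is inert.
var polkit = typeof polkit !== "undefined" ? polkit : {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  _rules: [],
  log: function () {},
  addRule: function (fn) { this._rules.push(fn); },
  // Mimics polkitd: rules run in registration order, first definite answer wins.
  check: function (action, subject) {
    for (var i = 0; i < this._rules.length; i++) {
      var r = this._rules[i](action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return this.Result.NOT_HANDLED;
  }
};

// The rule itself: deny the vulnerable action regardless of who asks, and leave
// every other action to the remaining rules and polkit's defaults.
function kcmclockRule(action, subject) {
  if (action.id === "org.kde.kcontrol.kcmclock.save") {
    polkit.log("GLSA 201512-12 workaround: denied " + action.id + " for " + subject.user);
    return polkit.Result.NO;
  }
  return polkit.Result.NOT_HANDLED;
}

polkit.addRule(kcmclockRule);
```

polkitd reads rules.d files in lexical order and stops at the first rule that returns a definite result, so name the file so it sorts before any local rule that would grant the action.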

Resolution

All KDE Systemsettings users should upgrade to the latest version:

      # emerge --sync
      # emerge --ask --oneshot --verbose ">=kde-base/systemsettings-4.11.13-r1"

References

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201512-12.xml

Concerns?

Security is a primary focus of Gentoo Linux, and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org; alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Thank you!