group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1689759] Re: CVE 2017-8422 - kauth: Local privilege escalation

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>
Date: Thu, 11 May 2017 13:26:54 -0000
Reply-to: Bug 1689759 <1689759@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
ACK on the debdiffs in comments #1 and #2. I have uploaded them for
releasing as a security update, with a few minor changes, such as
targeting the security pocket, some whitespace changes in the changelog,
and adding the new patch to the end of the series file rather than at
the beginning.

Thanks!

** Also affects: kde4libs (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: kauth (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: kde4libs (Ubuntu Artful)
   Importance: Undecided
       Status: Confirmed

** Also affects: kauth (Ubuntu Artful)
   Importance: Undecided
       Status: Confirmed

** Also affects: kde4libs (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: kauth (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: kde4libs (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: kauth (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: kde4libs (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Also affects: kauth (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Changed in: kde4libs (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Trusty)
       Status: New => Confirmed

** Changed in: kde4libs (Ubuntu Trusty)
     Assignee: (unassigned) => Marc Deslauriers (mdeslaur)

** Changed in: kde4libs (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: kde4libs (Ubuntu Yakkety)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Yakkety)
       Status: New => Confirmed

** Changed in: kde4libs (Ubuntu Zesty)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Zesty)
       Status: New => Confirmed

** Changed in: kde4libs (Ubuntu Zesty)
       Status: Confirmed => In Progress

** Changed in: kauth (Ubuntu Trusty)
       Status: New => Invalid

** Changed in: kauth (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: kauth (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: kauth (Ubuntu Yakkety)
   Importance: Undecided => High

** Changed in: kauth (Ubuntu Yakkety)
       Status: New => Confirmed

** Changed in: kauth (Ubuntu Zesty)
   Importance: Undecided => High

** Changed in: kauth (Ubuntu Zesty)
       Status: New => Confirmed

** Changed in: kauth (Ubuntu Zesty)
       Status: Confirmed => In Progress

** Changed in: kauth (Ubuntu Artful)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Artful)
   Importance: Undecided => High

** Changed in: kde4libs (Ubuntu Trusty)
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1689759

Title:
  CVE 2017-8422 - kauth: Local privilege escalation

Status in kauth package in Ubuntu:
  Confirmed
Status in kde4libs package in Ubuntu:
  Confirmed
Status in kauth source package in Trusty:
  Invalid
Status in kde4libs source package in Trusty:
  In Progress
Status in kauth source package in Xenial:
  Confirmed
Status in kde4libs source package in Xenial:
  Confirmed
Status in kauth source package in Yakkety:
  Confirmed
Status in kde4libs source package in Yakkety:
  Confirmed
Status in kauth source package in Zesty:
  In Progress
Status in kde4libs source package in Zesty:
  In Progress
Status in kauth source package in Artful:
  Confirmed
Status in kde4libs source package in Artful:
  Confirmed

Bug description:
  KDE Project Security Advisory
  =============================

  Title:          kauth: Local privilege escalation
  Risk Rating:    High
  CVE:            CVE-2017-8422
  Versions:       kauth < 5.34, kdelibs < 4.14.32
  Date:           10 May 2017

  
  Overview
  ========
  KAuth contains a logic flaw in which the service invoking dbus
  is not properly checked.

  This allows spoofing the identity of the caller and with some
  carefully crafted calls can lead to gaining root from an
  unprivileged account.

  Solution
  ========
  Update to kauth >= 5.34 and kdelibs >= 4.14.32 (when released)

  Or apply the following patches:
    kauth: https://commits.kde.org/kauth/df875f725293af53399f5146362eb158b4f9216a
  kdelibs: https://commits.kde.org/kdelibs/264e97625abe2e0334f97de17f6ffb52582888ab

  Credits
  =======
  Thanks to Sebastian Krahmer from SUSE for the report and
  to Albert Astals Cid from KDE for the fix.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/kauth/+bug/1689759/+subscriptions