group.of.nepali.translators team mailing list archive
Message #23507
[Bug 1768649] Re: [CVE] Access to privileged files
This bug was fixed in the package kwallet-pam - 4:5.12.4-0ubuntu1.1
---------------
kwallet-pam (4:5.12.4-0ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - CVE-2018-10380

 -- Simon Quigley <tsimonq2@xxxxxxxxxx>  Thu, 03 May 2018 16:06:06 -0500

** Changed in: kwallet-pam (Ubuntu Xenial)
       Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1768649
Title:
  [CVE] Access to privileged files

Status in kwallet-pam package in Ubuntu:
  Fix Released
Status in pam-kwallet package in Ubuntu:
  Invalid
Status in pam-kwallet source package in Trusty:
  New
Status in kwallet-pam source package in Xenial:
  Fix Released
Status in kwallet-pam source package in Artful:
  Fix Released
Status in kwallet-pam source package in Bionic:
  Fix Released
Status in kwallet-pam source package in Cosmic:
  Fix Released

Bug description:
KDE Project Security Advisory
=============================
Title: kwallet-pam: Access to privileged files
Risk Rating: High
CVE: CVE-2018-10380
Versions: Plasma < 5.12.6
Date: 4 May 2018
Overview
========
kwallet-pam was doing file writing and permission changing
as root that, with correct timing and use of carefully
crafted symbolic links, could allow a non-privileged user
to become the owner of any file on the system.
Workaround
==========
None (other than not using kwallet-pam)
Solution
========
Update to Plasma >= 5.12.6 or Plasma >= 5.13.0
Or apply the following patches:
Plasma 5.12
https://commits.kde.org/kwallet-pam/2134dec85ce19d6378d03cddfae9e5e464cb24c0
https://commits.kde.org/kwallet-pam/01d4143fda5bddb6dca37b23304dc239a5fb38b5
Plasma 5.8
https://commits.kde.org/kwallet-pam/99abc7fde21f40cc6da5feb6ee766cc46fcca1f8
https://commits.kde.org/kwallet-pam/802f305d81f8771c4f4a8bd7fd0e368ffc6f9b3b
Credits
=======
Thanks to Fabian Vogt for the report and to Albert Astals Cid for the fix.
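
The class of bug in the Overview (a file written and then re-owned by name, where the name can turn out to be a symbolic link), as an added C illustration; it is not kwallet-pam's code or the KDE patches. The names `save_by_path`, `save_by_fd` and `target_size_after` are hypothetical, and the scenario is constructed in a private temporary directory and runs unprivileged.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Path-based pattern (generic, not kwallet-pam's code): open() follows a
 * symlink at `path`, and chown() resolves the name a second time. */
int save_by_path(const char *path, const char *data, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? chown(path, uid, gid) : -1;
}

/* Descriptor-based pattern: create exclusively, refuse a symlink as the last
 * component, then change ownership and write through the same descriptor. */
int save_by_fd(const char *path, const char *data, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1; /* EEXIST when anything, even a link, is there */
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
             fchown(fd, uid, gid) == 0 &&
             write(fd, data, strlen(data)) == (ssize_t)strlen(data);
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario: `lnk` is a symlink to the empty file `target`.
 * Returns the size of `target` after `save` was called on `lnk`. */
long target_size_after(int (*save)(const char *, const char *, uid_t, gid_t))
{
    char dir[] = "/tmp/symdemoXXXXXX", target[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/salt", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));
    if (symlink(target, lnk) != 0) return -1;
    save(lnk, "constructed-data", getuid(), getgid());
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(target); rmdir(dir);
    return size;
}
```

`O_EXCL` and `O_NOFOLLOW` guard only the final path component; when the parent directories belong to the unprivileged user, doing the file work under that user's credentials is the more thorough approach.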