GLSA Advocate

Joined: 12 May 2004 Posts: 2235
Posted: Wed Dec 30, 2015 9:26 pm Post subject: [ GLSA 201512-12 ] KDE Systemsettings
Gentoo Linux Security Advisory
Title: KDE Systemsettings: Privilege escalation (GLSA 201512-12)
Severity: normal
Exploitable: local
Date: December 30, 2015
Bug(s): #528468
ID: 201512-12
Synopsis
Data validation in KDE Systemsettings could lead to local privilege
escalation.
Background
The KDE workspace configuration module for setting the date and time has
a helper program which runs as root for performing actions.
Affected Packages
Package: kde-base/systemsettings
Vulnerable: < 4.11.13-r1
Unaffected: >= 4.11.13-r1
Architectures: All supported architectures
Description
KDE Systemsettings fails to properly validate user input before passing
it as an argument in a context of higher privilege.
Impact
A local attacker could gain privileges via a crafted ntpUtility (ntp
utility name) argument.
Workaround
Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action.
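One way to write the rule the workaround describes, as an added example that is not part of the advisory. The file name, the pk stand-in and the function name are assumptions; only the action id comes from the advisory.

```javascript
// Candidate file name (assumption):
//   /etc/polkit-1/rules.d/10-deny-kcmclock-save.rules
// polkit evaluates rules files in lexical order and stops at the first rule
// that returns a result, so a low prefix keeps this ahead of any rule that
// might grant the action.

// Action id named in the advisory's workaround.
var BLOCKED_ACTION = "org.kde.kcontrol.kcmclock.save";

// polkitd provides the `polkit` global. Outside polkitd (a dry run under
// node, for instance) this stand-in mirrors only the members used below.
var pk = (typeof polkit !== "undefined") ? polkit : {
    rules: [],
    messages: [],
    Result: { NO: "no" },
    addRule: function (fn) { this.rules.push(fn); },
    log: function (msg) { this.messages.push(msg); }
};

// Deny the save action for every subject, as the workaround describes.
function denyKcmclockSave(action, subject) {
    if (action.id == BLOCKED_ACTION) {
        pk.log("denied " + action.id + " for user " + subject.user);
        return pk.Result.NO;
    }
    // Returning nothing lets polkit fall through to later rules and defaults.
    return undefined;
}

pk.addRule(denyKcmclockSave);
```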
Resolution
All KDE Systemsettings users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=kde-base/systemsettings-4.11.13-r1"
References
CVE-2014-8651