Bug 1163778 (CVE-2014-8651)

Summary: CVE-2014-8651 kde-workspace: arbitrary code execution and local privilege escalation
Product: [Other] Security Response Reporter: Francisco Alonso <falonso>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bressers, carnil, dvratil, jgrulich, jreznik, jrusnack, kevin, mbriza, rdieter, rnovacek, sisharma, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kde-workspace 4.14.3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-10-09 10:39:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1160353    

Description Francisco Alonso 2014-11-13 13:19:34 UTC 
A security issue was found in KDE Clock KCM polkit helper. This helper which runs as root privileges takes the name of the ntp utility to run as argument. A local user could use this flaw to run arbitrary commands as root.

Note the two patches. The first patch do not pass ntpUtility as an argument to datetime helper and also moves the detection of ntp utility location into the helper function.The second patch validate timezone before setting and ensures that the symlink /etc/localtime allways point to a file in /usr/share/timezones.

Upstream fix:
https://projects.kde.org/projects/kde/kde-workspace/repository/diff?rev=54d0bfb5effff9c8cf60da890b7728cbe36a454e&rev_to=fd2aa9deed44fad6107625ad7360157fea7296f6

References:
http://seclists.org/oss-sec/2014/q4/520
http://seclists.org/oss-sec/2014/q4/552
https://www.kde.org/info/security/advisory-20141106-1.txt
https://git.reviewboard.kde.org/r/120977/


Acknowledgements:
Red Hat would like to thank David Edmundson for reporting this issue.
Comment 1 Than Ngo 2014-11-13 16:04:34 UTC 
It's only effected in kde-workspace < 4.11.14, plasma-desktop < 5.1.1. we have 
kde-workspace-4.11.14 in fc > 19, so it's not effected in fedora.
Comment 2 Kevin Kofler 2014-11-13 16:18:13 UTC 
4.11.14 is only in updates-testing.

I'm tagging the updates as security updates and adding this bug now.
Comment 3 Kevin Kofler 2014-11-13 16:27:19 UTC 
The updates filed by Rex Dieter:
https://admin.fedoraproject.org/updates/kde-workspace-4.11.14-1.fc21
https://admin.fedoraproject.org/updates/kde-workspace-4.11.14-1.fc20
https://admin.fedoraproject.org/updates/kde-workspace-4.11.14-1.fc19
Comment 5 Fedora Update System 2014-11-15 09:09:33 UTC 
kde-workspace-4.11.14-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-11-16 14:45:27 UTC 
kde-workspace-4.11.14-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-11-17 06:33:12 UTC 
kde-workspace-4.11.14-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Siddharth Sharma 2015-10-09 10:38:33 UTC 
Mitigation:

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action. This rule can be tweaked by configuring file /usr/share/polkit-1/actions/org.kde.kcontrol.kcmclock.policy

no = NOT AUTHORIZED for inactive sessions
 <allow_inactive>no</allow_inactive>

auth_admin = Administration Authorization is Required to perform such action. Change this to 'no'

 <allow_active>no</allow_active>