Bug 1449647 (CVE-2017-8422)

Summary: CVE-2017-8422 kauth: service invoking dbus is not properly checked and allows local privilege escalation
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: fedora, jgrulich, jreznik, kevin, me, rdieter, smparrish, than
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kdelibs 4.14.32, kauth 5.34 Doc Type: If docs needed, set a value
Doc Text:
A privilege escalation flaw was found in the way kdelibs handled D-Bus messages. A local user could potentially use this flaw to gain root privileges by spoofing a callerID and leveraging a privileged helper application.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:12:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1449648, 1449649, 1449650, 1449651, 1449652, 1452035, 1452068    
Bug Blocks: 1449672    

Description Adam Mariš 2017-05-10 12:12:45 UTC 
KAuth contains a logic flaw in which the service invoking dbus is not properly checked. This allows spoofing the identity of the caller and with some carefully crafted calls can lead to gaining root from an unprivileged account.

Affected versions: kauth < 5.34, kdelibs < 4.14.32

Upstream patches:

kauth: https://commits.kde.org/kauth/df875f725293af53399f5146362eb158b4f9216a
kdelibs: https://commits.kde.org/kdelibs/264e97625abe2e0334f97de17f6ffb52582888ab

External References:

https://www.kde.org/info/security/advisory-20170510-1.txt
http://seclists.org/oss-sec/2017/q2/240
Comment 1 Adam Mariš 2017-05-10 12:13:23 UTC 
Created kdelibs tracking bugs for this issue:

Affects: fedora-all [bug 1449649]


Created kdelibs-webkit tracking bugs for this issue:

Affects: epel-7 [bug 1449651]


Created kdelibs3 tracking bugs for this issue:

Affects: fedora-all [bug 1449650]


Created kf5-kauth tracking bugs for this issue:

Affects: epel-7 [bug 1449648]
Affects: fedora-all [bug 1449652]
Comment 2 Adam Mariš 2017-05-10 12:19:00 UTC 
Acknowledgments:

Name: Sebastian Krahmer (SUSE)
Comment 3 Kevin Kofler 2017-05-15 22:12:14 UTC 
As written in https://bugzilla.redhat.com/show_bug.cgi?id=1449650#c3 , the actual affected versions are only:
kauth < 5.34, 4.4.0 <= kdelibs < 4.14.32
In particular, kdelibs3 is NOT affected (see also https://bugzilla.redhat.com/show_bug.cgi?id=1449650#c2 ).
Comment 4 Adam Mariš 2017-05-16 06:58:36 UTC 
(In reply to Kevin Kofler from comment #3)
> As written in https://bugzilla.redhat.com/show_bug.cgi?id=1449650#c3 , the
> actual affected versions are only:
> kauth < 5.34, 4.4.0 <= kdelibs < 4.14.32
> In particular, kdelibs3 is NOT affected (see also
> https://bugzilla.redhat.com/show_bug.cgi?id=1449650#c2 ).

OK, thank you! Next time, please don't change the internal whiteboard, these changes should be made only by Product Security members.
Comment 9 errata-xmlrpc 2017-05-22 08:41:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1264 https://access.redhat.com/errata/RHSA-2017:1264