Bug 1572159 (CVE-2018-10361)

Summary: CVE-2018-10361 kf5-ktexteditor: Insecure handling of temporary files in kauth_ktexteditor_helper service allows privileges escalation via symlink attack
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jgrulich, me, rdieter, than
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2018-11-27 16:27:08 UTC
Bug Depends On: 1572161, 1572162

Description Adam Mariš 2018-04-26 09:51:08 UTC
An issue was discovered in KTextEditor 5.34.0 through 5.45.0. Insecure handling of temporary files in the KTextEditor's kauth_ktexteditor_helper service (as utilized in the Kate text editor) can allow other unprivileged users on the local system to gain root privileges. The attack occurs when one user (who has an unprivileged account but is also able to authenticate as root) writes a text file using Kate into a directory owned by another unprivileged user. The latter unprivileged user conducts a symlink attack to achieve privilege escalation.

References:

http://www.openwall.com/lists/oss-security/2018/04/24/1
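
The bug class described above, as an added example that is not KTextEditor's code or the upstream fix: a process writing a predictably named file into a directory another user controls, next to a variant that refuses to follow a planted symlink. The function names, the `save.tmp` file name and the `/tmp/symlink-demo-*` scratch directory are hypothetical, and the sample files are constructed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive pattern: a predictable name opened with O_CREAT|O_TRUNC follows a
 * symlink that the directory's owner planted under that name. */
int naive_create(const char *dir, const char *name) {
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: pin the directory by descriptor, then require the last path
 * component to be newly created (O_EXCL) and not a symlink (O_NOFOLLOW). */
int safe_create(const char *dir, const char *name) {
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    return fd;
}

/* Constructed scenario: "victim" stands in for a protected file and "save.tmp"
 * is a symlink to it. Returns the victim's size afterwards, -1 on setup error. */
long victim_size_after(int (*create)(const char *, const char *)) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", victim[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/save.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("original", f); fclose(f);
    if (symlink(victim, lnk) != 0) return -1;
    int fd = create(dir, "save.tmp");
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("naive: victim size %ld\n", victim_size_after(naive_create));
    printf("safe:  victim size %ld\n", victim_size_after(safe_create));
    return 0;
}
```

The naive variant truncates the file behind the symlink, while the hardened variant fails with `EEXIST` and leaves it untouched.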

Comment 1 Adam Mariš 2018-04-26 09:51:51 UTC
Created kf5-ktexteditor tracking bugs for this issue:

Affects: fedora-all [bug 1572161]
Affects: epel-all [bug 1572162]

Comment 2 Rex Dieter 2018-05-27 18:56:17 UTC
Fix under review
https://phabricator.kde.org/D12513

Comment 3 Rex Dieter 2018-11-27 16:27:08 UTC
Fix was released as part of KDE Frameworks 5.48, which landed in all Fedora releases.

f27: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2bb229d1b3
f28: https://bodhi.fedoraproject.org/updates/FEDORA-2018-697c1e9b44

and KDE Frameworks 5.50 released for epel7:
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-c4ee248d8a