Bug 2291222 (CVE-2024-36041)

Summary: CVE-2024-36041 plasma-workspace/ksmserver: Unauthorized users can access session manager
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2291223, 2291224    
Bug Blocks:    

Description Marco Benatto 2024-06-10 20:59:21 UTC 
Overview
========
KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE
based purely on the host, allowing all local connections. This allows
another user on the same machine to gain access to the session
manager.

A well crafted client could use the session restore feature to execute
arbitrary code as the user on the next boot.
Comment 1 Marco Benatto 2024-06-10 20:59:37 UTC 
Created plasma-workspace tracking bugs for this issue:

Affects: epel-all [bug 2291223]
Affects: fedora-all [bug 2291224]