Bug 1163778 (CVE-2014-8651) - CVE-2014-8651 kde-workspace: arbitrary code execution and local privilege escalation
Summary: CVE-2014-8651 kde-workspace: arbitrary code execution and local privilege esc...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-8651
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1160353
TreeView+ depends on / blocked
 
Reported: 2014-11-13 13:19 UTC by Francisco Alonso
Modified: 2023-05-12 05:49 UTC (History)
12 users (show)

Fixed In Version: kde-workspace 4.14.3
Clone Of:
Environment:
Last Closed: 2015-10-09 10:39:28 UTC
Embargoed:

Attachments (Terms of Use)

Description Francisco Alonso 2014-11-13 13:19:34 UTC 
A security issue was found in KDE Clock KCM polkit helper. This helper which runs as root privileges takes the name of the ntp utility to run as argument. A local user could use this flaw to run arbitrary commands as root.

Note the two patches. The first patch do not pass ntpUtility as an argument to datetime helper and also moves the detection of ntp utility location into the helper function.The second patch validate timezone before setting and ensures that the symlink /etc/localtime allways point to a file in /usr/share/timezones.

Upstream fix:
https://projects.kde.org/projects/kde/kde-workspace/repository/diff?rev=54d0bfb5effff9c8cf60da890b7728cbe36a454e&rev_to=fd2aa9deed44fad6107625ad7360157fea7296f6

References:
http://seclists.org/oss-sec/2014/q4/520
http://seclists.org/oss-sec/2014/q4/552
https://www.kde.org/info/security/advisory-20141106-1.txt
https://git.reviewboard.kde.org/r/120977/


Acknowledgements:
Red Hat would like to thank David Edmundson for reporting this issue.
Comment 1 Than Ngo 2014-11-13 16:04:34 UTC 
It's only effected in kde-workspace < 4.11.14, plasma-desktop < 5.1.1. we have 
kde-workspace-4.11.14 in fc > 19, so it's not effected in fedora.
Comment 2 Kevin Kofler 2014-11-13 16:18:13 UTC 
4.11.14 is only in updates-testing.

I'm tagging the updates as security updates and adding this bug now.
Comment 3 Kevin Kofler 2014-11-13 16:27:19 UTC 
The updates filed by Rex Dieter:
https://admin.fedoraproject.org/updates/kde-workspace-4.11.14-1.fc21
https://admin.fedoraproject.org/updates/kde-workspace-4.11.14-1.fc20
https://admin.fedoraproject.org/updates/kde-workspace-4.11.14-1.fc19
Comment 5 Fedora Update System 2014-11-15 09:09:33 UTC 
kde-workspace-4.11.14-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-11-16 14:45:27 UTC 
kde-workspace-4.11.14-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-11-17 06:33:12 UTC 
kde-workspace-4.11.14-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Siddharth Sharma 2015-10-09 10:38:33 UTC 
Mitigation:

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action. This rule can be tweaked by configuring file /usr/share/polkit-1/actions/org.kde.kcontrol.kcmclock.policy

no = NOT AUTHORIZED for inactive sessions
 <allow_inactive>no</allow_inactive>

auth_admin = Administration Authorization is Required to perform such action. Change this to 'no'

 <allow_active>no</allow_active>
Note You need to log in before you can comment on or make changes to this bug.