A security issue was found in KDE Clock KCM polkit helper. This helper which runs as root privileges takes the name of the ntp utility to run as argument. A local user could use this flaw to run arbitrary commands as root.
Note the two patches. The first patch do not pass ntpUtility as an argument to datetime helper and also moves the detection of ntp utility location into the helper function.The second patch validate timezone before setting and ensures that the symlink /etc/localtime allways point to a file in /usr/share/timezones.
Red Hat would like to thank David Edmundson for reporting this issue.
It's only effected in kde-workspace < 4.11.14, plasma-desktop < 5.1.1. we have
kde-workspace-4.11.14 in fc > 19, so it's not effected in fedora.
4.11.14 is only in updates-testing.
I'm tagging the updates as security updates and adding this bug now.
The updates filed by Rex Dieter:
kde-workspace-4.11.14-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
kde-workspace-4.11.14-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
kde-workspace-4.11.14-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action. This rule can be tweaked by configuring file /usr/share/polkit-1/actions/org.kde.kcontrol.kcmclock.policy
no = NOT AUTHORIZED for inactive sessions
auth_admin = Administration Authorization is Required to perform such action. Change this to 'no'