privilege escalation in clock kcontrol

Bug #1389665 reported by Jonathan Riddell
Affects                | Status       | Importance | Assigned to | Milestone
kde-workspace (Ubuntu) | Invalid      | Undecided  | Unassigned  |
  Precise              | Fix Released | Undecided  | Unassigned  |
  Trusty               | Fix Released | Undecided  | Unassigned  |
  Utopic               | Fix Released | Undecided  | Unassigned  |
  Vivid                | Invalid      | Undecided  | Unassigned  |

Bug Description

KDE Project Security Advisory
=============================

Title: kde-workspace: Privilege Escalation via KDE Clock KCM polkit helper

Risk Rating: Medium(?)
CVE: requested; not yet assigned
Platforms: All
Versions: kde-workspace < 4.14.3
Author: David Edmundson <email address hidden>
Date: 4 November 2014

Overview
========

The KDE workspace configuration module for setting the date and time has a helper program
which runs as root to perform the privileged actions. Access to it is secured with polkit.

This helper takes the name of the ntp utility to run as an argument and does not validate it.
This allows an attacker to run any arbitrary command as root under the guise of updating the time.

Impact
======

An application can gain root privileges from an admin user with either misleading information
or no interaction at all.

On some systems the user will be shown a prompt to change the time. However, if the system has
policykit-desktop-privileges installed, the datetime helper will be invoked by an admin user
without any prompts.

Workaround
==========

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action

Solution
========

Upgrade kde-desktop to 4.14.3 once released or apply the following patch:
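The upstream patch is referenced above but not attached here. As an added example (not KDE's helper.cpp and not the upstream patch), this plain C++ shows the shape of the hardened check: the unprivileged caller may only name an allowlisted utility, never supply a path, and the root helper locates the binary itself on a fixed search path. The allowlist, the findExe stand-in and the function names are assumptions; the search path is the exePath value quoted later in this bug.

```cpp
// Added example (not KDE's helper.cpp): a root helper resolving a
// caller-supplied NTP utility name safely instead of executing it as given.
#include <string>
#include <vector>
#include <functional>
#include <unistd.h>

// D-Bus activation clears $PATH, so the helper must use a fixed default
// (the same list the Precise patch defines as exePath).
static const std::string kExePath = "/usr/sbin:/usr/bin:/sbin:/bin";

// Constructed allowlist for this example; the real helper's list may differ.
static const std::vector<std::string> kAllowedNtpUtilities = {"ntpdate", "rdate", "sntp"};

// Predicate deciding whether a candidate path is an executable file;
// injected so the resolution logic can be tested without touching the disk.
using ExecCheck = std::function<bool(const std::string&)>;

// Stand-in for KStandardDirs::findExe (assumption): walk a ':'-separated
// search path and return the first accepted candidate, or "" if none.
std::string findExe(const std::string& name, const std::string& searchPath,
                    const ExecCheck& isExecutable) {
    size_t start = 0;
    while (start <= searchPath.size()) {
        size_t end = searchPath.find(':', start);
        if (end == std::string::npos) end = searchPath.size();
        std::string dir = searchPath.substr(start, end - start);
        if (!dir.empty()) {
            std::string candidate = dir + "/" + name;
            if (isExecutable(candidate)) return candidate;
        }
        start = end + 1;
    }
    return "";
}

// Hardened resolution. The vulnerable helper ran its argument as given;
// here a path component is rejected, the name must be allowlisted, and
// the helper (not the caller) decides where the binary lives.
std::string resolveNtpUtility(const std::string& requested, const ExecCheck& isExecutable,
                              const std::string& searchPath = kExePath) {
    if (requested.find('/') != std::string::npos) return "";  // no paths, relative or absolute
    bool allowed = false;
    for (const auto& name : kAllowedNtpUtilities) if (name == requested) allowed = true;
    if (!allowed) return "";
    return findExe(requested, searchPath, isExecutable);
}

// Real filesystem check for production use of resolveNtpUtility().
bool onDisk(const std::string& path) { return access(path.c_str(), X_OK) == 0; }
```

An empty return value means the helper must refuse the request; it must never fall back to running the caller's string.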

Jonathan Riddell (jr) wrote :

to be made public on 6th November
I have a vivid package ready to upload

Jamie Strandboge (jdstrand) wrote :

Thanks for the patches. Unfortunately, due to bug #1047417, precise has been updated with 4.8.5 and so much of kde needs to be rebuilt against the security pocket for this security update.

Jamie Strandboge (jdstrand) wrote :

(meaning, the update will be delayed)

Jamie Strandboge (jdstrand) wrote :

Ah, it appears only kdepimlibs needs a no change rebuild (we already updated other bits in the security ppa previously).

Changed in kde-workspace (Ubuntu Precise):
status: New → In Progress
Changed in kde-workspace (Ubuntu Trusty):
status: New → In Progress
Changed in kde-workspace (Ubuntu Utopic):
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

Precise FTBFS:
../../../kcontrol/dateandtime/helper.cpp: In function 'QString findNtpUtility()':
../../../kcontrol/dateandtime/helper.cpp:54:80: error: 'exePath' was not declared in this scope
make[5]: *** [kcontrol/dateandtime/CMakeFiles/kcmdatetimehelper.dir/helper.o] Error 1
make[5]: Leaving directory `/«PKGBUILDDIR»/obj-x86_64-linux-gnu'
make[4]: *** [kcontrol/dateandtime/CMakeFiles/kcmdatetimehelper.dir/all] Error 2
make[4]: *** Waiting for unfinished jobs....

is this patch from upstream?

Changed in kde-workspace (Ubuntu Precise):
status: In Progress → Incomplete
Jamie Strandboge (jdstrand) wrote :

What is happening is that kcontrol/dateandtime/helper.cpp is missing:
// We cannot rely on the $PATH environment variable, because D-Bus activation
// clears it. So we have to use a reasonable default.
static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");

This was apparently added in a previous commit. Jonathon, can you confirm that adding the above to the patch is all that is needed?

Jamie Strandboge (jdstrand) wrote :

(sorry, I of course meant Jonathan).

Jonathan Riddell (jr) wrote :

Upstream patch gone public, debdiffs updated with final version
https://www.kde.org/info/security/advisory-20141106-1.txt

Jamie Strandboge (jdstrand) wrote :

FYI, the updated precise patch looks like it will still FTBFS in dateandtime/helper.cpp. Have you built and tested these locally?

Jamie Strandboge (jdstrand) wrote :

FYI, updating the updated patch and also using exePath with findExe() for hwclock and zic like on 4.11.

Changed in kde-workspace (Ubuntu Precise):
status: Incomplete → In Progress
Changed in kde-workspace (Ubuntu Utopic):
status: In Progress → Fix Committed
Changed in kde-workspace (Ubuntu Trusty):
status: In Progress → Fix Committed
information type: Private Security → Public Security
Jonathan Riddell (jr) wrote :

This is now allocated CVE-2014-8651

building locally now..

Changed in kde-workspace (Ubuntu Precise):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-workspace - 4:4.8.5-0ubuntu0.4

---------------
kde-workspace (4:4.8.5-0ubuntu0.4) precise-security; urgency=medium

  [ Jonathan Riddell ]
  * SECURITY UPDATE: Privilege Escalation via KDE Clock KCM polkit helper
   - Add upstream_clock-privilage-escalation.diff, checks which
     binary is being run
   - https://www.kde.org/info/security/advisory-20141106-1.txt
   - LP: #1389665

  [ Jamie Strandboge ]
  * update upstream_clock-privilage-escalation.diff to add exePath definition
    to fix a FTBFS, and also use exePath with hwclock and zic, like on newer
    releases
 -- Jamie Strandboge <email address hidden> Thu, 06 Nov 2014 14:22:00 -0600

Changed in kde-workspace (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-workspace - 4:4.11.12-0ubuntu1.1

---------------
kde-workspace (4:4.11.12-0ubuntu1.1) utopic-security; urgency=medium

  * SECURITY UPDATE: Privilege Escalation via KDE Clock KCM polkit helper
   - Add upstream_clock-privilage-escalation.diff, checks which
     binary is being run
   - https://www.kde.org/info/security/advisory-20141106-1.txt
   - LP: #1389665
 -- Jonathan Riddell <email address hidden> Wed, 05 Nov 2014 13:10:05 +0100

Changed in kde-workspace (Ubuntu Utopic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-workspace - 4:4.11.11-0ubuntu0.2

---------------
kde-workspace (4:4.11.11-0ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Privilege Escalation via KDE Clock KCM polkit helper
   - Add upstream_clock-privilage-escalation.diff, checks which
     binary is being run
   - https://www.kde.org/info/security/advisory-20141106-1.txt
   - LP: #1389665
 -- Jonathan Riddell <email address hidden> Wed, 05 Nov 2014 13:14:49 +0100

Changed in kde-workspace (Ubuntu Trusty):
status: Fix Committed → Fix Released
Changed in kde-workspace (Ubuntu Vivid):
status: New → Invalid