Fix CVE-2016-7787

Bug #1629145 reported by Simon Quigley
This bug affects 2 people
Affects: kde-cli-tools (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Simon Quigley
Milestone:

Bug Description

This CVE applies to the package in Xenial and Yakkety. There is already a fix uploaded to proposed that needs to migrate to yakkety-release, but xenial-security needs this fix ASAP. Here is what the CVE states:

KDE Project Security Advisory
=============================

Title: kdesu: Displayed command truncated by unicode string terminator
Risk Rating: Important
CVE: CVE-2016-7787
Versions: kde-cli-tools < 5.7.5
Author: Albert Astals Cid <email address hidden>
Date: 30 September 2016

Overview
========

A maliciously crafted command line for kdesu can result in the user
only seeing part of the commands that will actually get executed as super user.

Impact
======

Users can unwillingly run commands as root.

Workaround
==========

Users should be careful when running kdesu with a command line they have not written themselves.

Solution
========

kde-cli-tools 5.7.5, released as part of KDE Plasma does not allow the
execution of commands with such characters.

Alternatively, commit 5eda179a099ba68a20dc21dc0da63e85a565a171 in kde-cli-tools.git
can be applied to previous releases.

Thanks to Fabian Vogt for reporting this issue.
Thanks to Martin Sandsmark for fixing this issue.

Here is a link: https://www.kde.org/info/security/advisory-20160930-1.txt

Attached is a diff that can be uploaded to xenial-security. Please let me know if any corrections need to be made as this is my first time doing this.
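
The advisory quoted in the description says the fixed kdesu refuses commands containing "such characters". As an added example (not code from this report, the advisory, or kde-cli-tools), here is one way to run that kind of check before a privilege prompt is shown; the rejected Unicode categories and the function names are assumptions, and the sample strings are constructed.

```python
import unicodedata

# Assumption: "such characters" is read here as any code point a text label
# cannot be relied on to render: controls, format characters, line and
# paragraph separators, surrogates, private use and unassigned code points.
REJECTED_CATEGORIES = {"Cc", "Cf", "Zl", "Zp", "Cs", "Co", "Cn"}


def find_undisplayable(command):
    """Return (index, 'U+XXXX', category) for each character to reject."""
    findings = []
    for index, char in enumerate(command):
        category = unicodedata.category(char)
        if category in REJECTED_CATEGORIES:
            findings.append((index, "U+%04X" % ord(char), category))
    return findings


def check_before_prompt(command):
    """Hypothetical gate: refuse to display or run a command that fails."""
    findings = find_undisplayable(command)
    if findings:
        detail = ", ".join("%s at %d" % (cp, i) for i, cp, _ in findings)
        raise ValueError(
            "refusing command with non-displayable characters: " + detail
        )
    return command


# Constructed sample inputs (not taken from the advisory or the patch).
SAMPLES = [
    "apt-get update",                      # plain ASCII, accepted
    "apt-get update\x00 --second-part",    # embedded NUL, rejected
    "apt-get update\u2028--second-part",   # line separator, rejected
    "caf\u00e9 --help",                    # printable non-ASCII, accepted
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            check_before_prompt(sample)
            print("accepted:", repr(sample))
        except ValueError as err:
            print("rejected:", err)
```

This reading also rejects tab and newline, which are category Cc.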


Simon Quigley (tsimonq2) wrote :
information type: Private Security → Public Security
Simon Quigley (tsimonq2)
Changed in kde-cli-tools (Ubuntu):
assignee: nobody → Simon Quigley (tsimonq2)
status: New → In Progress

Seth Arnold (seth-arnold) wrote :

Thanks Simon, the patch looks good; I changed the debian/changelog to match our usual style:

  * SECURITY UPDATE: kdesu may show a different string than it would execute
    with elevated privileges. (LP: #1629145)
    - debian/patches/01-patch-kde-CVE-2016-7787.diff
    - CVE-2016-7787

https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Can you confirm that you've built and tested this package?

Thanks

Simon Quigley (tsimonq2) wrote :

Hey Seth,

I can confirm that this package does build correctly. I built it locally.

As for testing, the instructions for reproducing this CVE are not entirely clear (I don't know what "specially crafted" command they are referring to, it could be a lot of things). Again, I'm new to this process and I'm not a security expert of any kind.

This package installs successfully on a fresh, fully updated Kubuntu 16.04 install with no problems.

Seth Arnold (seth-arnold) wrote :

Simon, does kdesu still work as expected?

Thanks

Simon Quigley (tsimonq2) wrote :

Seth, yes, it works exactly as intended.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-cli-tools - 4:5.5.5-0ubuntu1.1

---------------
kde-cli-tools (4:5.5.5-0ubuntu1.1) xenial-security; urgency=high

  * SECURITY UPDATE: kdesu may show a different string than it would execute
    with elevated privileges. (LP: #1629145)
    - debian/patches/01-patch-kde-CVE-2016-7787.diff
    - CVE-2016-7787

 -- Simon Quigley <email address hidden> Thu, 29 Sep 2016 18:43:32 -0500

Changed in kde-cli-tools (Ubuntu):
status: In Progress → Fix Released

Seth Arnold (seth-arnold) wrote :

Thanks Simon!

Simon Quigley (tsimonq2) wrote :

Thanks for your help, Seth! :)
