Fix CVE-2016-7787

Bug #1629145 reported by Simon Quigley
This bug affects 2 people
Affects: kde-cli-tools (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Simon Quigley

Bug Description

This CVE applies to the package in Xenial and Yakkety. There is already a fix uploaded to proposed that needs to migrate to yakkety-release, but xenial-security needs this fix ASAP. Here is what the CVE states:

KDE Project Security Advisory
=============================

Title: kdesu: Displayed command truncated by unicode string terminator
Risk Rating: Important
CVE: CVE-2016-7787
Versions: kde-cli-tools < 5.7.5
Author: Albert Astals Cid <email address hidden>
Date: 30 September 2016

Overview
========

A maliciously crafted command line for kdesu can result in the user
only seeing part of the commands that will actually get executed as super user.

Impact
======

Users can unwillingly run commands as root.

Workaround
==========

Users should be careful when running kdesu with a command line they have not written themselves.

Solution
========

kde-cli-tools 5.7.5, released as part of KDE Plasma does not allow the
execution of commands with such characters.

Alternatively, commit 5eda179a099ba68a20dc21dc0da63e85a565a171 in kde-cli-tools.git
can be applied to previous releases.

Thanks to Fabian Vogt for reporting this issue.
Thanks to Martin Sandsmark for fixing this issue.

Here is a link: https://www.kde.org/info/security/advisory-20160930-1.txt

Attached is a diff that can be uploaded to xenial-security. Please let me know if any corrections need to be made as this is my first time doing this.
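
The check the advisory's Solution section describes (refusing commands that contain such characters) can be sketched as follows. This is an added example, not part of the original report and not the upstream commit; the set of rejected Unicode categories and all function names are assumptions, and it goes beyond the string terminator to refuse every non-printable character.

```python
import unicodedata

# Assumption: any character in a Unicode "Other" category (control, format,
# surrogate, private use, unassigned) or a line/paragraph separator may be
# displayed differently from how it is executed, so it is refused outright.
REJECTED_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn", "Zl", "Zp"}


def find_unprintable(command):
    """Return (index, code point label, category) for each refused character."""
    findings = []
    for index, char in enumerate(command):
        category = unicodedata.category(char)
        if category in REJECTED_CATEGORIES:
            findings.append((index, "U+%04X" % ord(char), category))
    return findings


def escape_for_log(command):
    """Render the command with refused characters made visible, for audit logs."""
    return "".join(
        "\\u{%04X}" % ord(c) if unicodedata.category(c) in REJECTED_CATEGORIES else c
        for c in command
    )


def check_before_prompt(command):
    """Decide whether a privilege prompt may display and run this command."""
    findings = find_unprintable(command)
    if findings:
        return False, "refused: %s in %s" % (
            ", ".join("%s at %d" % (cp, i) for i, cp, _ in findings),
            escape_for_log(command),
        )
    return True, command


# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "apt-get update",
    "echo caf\u00e9",                   # legitimate non-ASCII stays allowed
    "echo shown\u0000 echo not-shown",  # embedded string terminator
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_before_prompt(sample))
```

Refusing the command outright, rather than stripping the characters, keeps the string shown in the prompt identical to the string that would be executed.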

Simon Quigley (tsimonq2) wrote :
information type: Private Security → Public Security
Simon Quigley (tsimonq2)
Changed in kde-cli-tools (Ubuntu):
assignee: nobody → Simon Quigley (tsimonq2)
status: New → In Progress
Seth Arnold (seth-arnold) wrote :

Thanks Simon, the patch looks good; I changed the debian/changelog to match our usual style:

  * SECURITY UPDATE: kdesu may show a different string than it would execute
    with elevated privileges. (LP: #1629145)
    - debian/patches/01-patch-kde-CVE-2016-7787.diff
    - CVE-2016-7787

https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging

Can you confirm that you've built and tested this package?

Thanks

Simon Quigley (tsimonq2) wrote :

Hey Seth,

I can confirm that this package does build correctly. I built it locally.

As for testing, the instructions for reproducing this CVE are not entirely clear (I don't know what "specially crafted" command they are referring to, it could be a lot of things). Again, I'm new to this process and I'm not a security expert of any kind.

This package installs successfully on a fresh, fully updated Kubuntu 16.04 install with no problems.

Seth Arnold (seth-arnold) wrote :

Simon, does kdesu still work as expected?

Thanks

Simon Quigley (tsimonq2) wrote :

Seth, yes, it works exactly as intended.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-cli-tools - 4:5.5.5-0ubuntu1.1

---------------
kde-cli-tools (4:5.5.5-0ubuntu1.1) xenial-security; urgency=high

  * SECURITY UPDATE: kdesu may show a different string than it would execute
    with elevated privileges. (LP: #1629145)
    - debian/patches/01-patch-kde-CVE-2016-7787.diff
    - CVE-2016-7787

 -- Simon Quigley <email address hidden> Thu, 29 Sep 2016 18:43:32 -0500

Changed in kde-cli-tools (Ubuntu):
status: In Progress → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Simon!

Simon Quigley (tsimonq2) wrote :

Thanks for your help, Seth! :)
