kpmcore 4.1.0: CVE-2020-27187
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
kpmcore (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
It has now been almost a month with no reaction to the KDE security advisory. Almost all other distros fixed this some time ago...
KDE Project Security Advisory
=======
Title: KDE Partition Manager: kpmcore_
Risk Rating: Important
CVE: CVE-2020-27187
Versions: kpmcore == 4.1.0
Author: Andrius Štikonas <email address hidden>
Date: 17 October 2020
Overview
========
kpmcore_
is not properly checked. An attacker on your local machine can replace /etc/fstab,
execute mount and other partitioning-related commands while KDE Partition Manager is running.
The mount command can then be used to gain full root privileges.
Impact
======
KDE Partition Manager 4.1.0 should not be used on systems with untrusted users or running untrusted software.
Solution
========
KDE Partition Manager 4.2.0 fixes this issue.
You can apply the following patches on top of KPMcore 4.1.0:
https:/
https:/