[CVE] Access to privileged files

Bug #1768649 reported by Simon Quigley
Affects                 Status         Importance   Assigned to     Milestone
kwallet-pam (Ubuntu)    Fix Released   High         Rik Mills
  Xenial                Fix Released   High         Simon Quigley
  Artful                Fix Released   High         Simon Quigley
  Bionic                Fix Released   High         Simon Quigley
  Cosmic                Fix Released   High         Rik Mills
pam-kwallet (Ubuntu)    Invalid        Undecided    Unassigned
  Trusty                New            High         Unassigned

Bug Description

KDE Project Security Advisory
=============================

Title: kwallet-pam: Access to privileged files
Risk Rating: High
CVE: CVE-2018-10380
Versions: Plasma < 5.12.6
Date: 4 May 2018

Overview
========
kwallet-pam was writing files and changing their permissions
as root, which, with correct timing and carefully crafted
symbolic links, could allow a non-privileged user to become
the owner of any file on the system.

Workaround
==========
None (other than not using kwallet-pam)

Solution
========
Update to Plasma >= 5.12.6 or Plasma >= 5.13.0

Or apply the following patches:
Plasma 5.12
    https://commits.kde.org/kwallet-pam/2134dec85ce19d6378d03cddfae9e5e464cb24c0
    https://commits.kde.org/kwallet-pam/01d4143fda5bddb6dca37b23304dc239a5fb38b5

Plasma 5.8
    https://commits.kde.org/kwallet-pam/99abc7fde21f40cc6da5feb6ee766cc46fcca1f8
    https://commits.kde.org/kwallet-pam/802f305d81f8771c4f4a8bd7fd0e368ffc6f9b3b

Credits
=======
Thanks to Fabian Vogt for the report and to Albert Astals Cid for the fix.
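
The Overview describes a root process that writes a file and then changes its ownership, and the Ubuntu changelog on this page summarises the fix as moving salt creation to an unprivileged process. The following C code is an added example of that hardening pattern, not the kwallet-pam patch and not code from the advisory; `create_salt_as_user`, `write_salt_unprivileged` and `SALT_LEN` are hypothetical names and values.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SALT_LEN 56 /* constructed size for this example */

/* Risky pattern per the advisory: root writes the file, then chown()s the
   path to the user; a symlink swapped in between redirects the chown(). */

/* Child body: runs with the target user's credentials only. */
static int write_salt_unprivileged(const char *path, uid_t uid, gid_t gid)
{
    unsigned char salt[SALT_LEN];

    /* Drop supplementary groups, then gid, then uid (order matters). */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return 1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return 1;

    int rnd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (rnd < 0 || read(rnd, salt, sizeof salt) != (ssize_t)sizeof salt) return 1;
    close(rnd);

    /* O_EXCL|O_NOFOLLOW: refuse a pre-planted symlink or existing file.
       No chown() afterwards: the file is already owned by the user. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return 1;
    int ok = write(fd, salt, sizeof salt) == (ssize_t)sizeof salt;
    return (close(fd) == 0 && ok) ? 0 : 1;
}

/* Hypothetical helper: returns 0 if the salt file was created, -1 otherwise. */
int create_salt_as_user(const char *path, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(write_salt_unprivileged(path, uid, gid));

    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Because the child has already given up root before it touches the path, a symlink planted in a user-writable directory can at most reach files that user could already write, and the exclusive create refuses it outright.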

Simon Quigley (tsimonq2) wrote :

We don't have solid indicators of what this actually affects yet, so I'll nominate it for all Ubuntu releases.

Changed in kwallet-pam (Ubuntu Trusty):
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Xenial):
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Artful):
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Bionic):
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Cosmic):
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in kwallet-pam (Ubuntu Artful):
assignee: nobody → Simon Quigley (tsimonq2)
Rik Mills (rikmills)
description: updated
Simon Quigley (tsimonq2)
Changed in kwallet-pam (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in kwallet-pam (Ubuntu Cosmic):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in kwallet-pam (Ubuntu Bionic):
assignee: nobody → Simon Quigley (tsimonq2)
Steve Beattie (sbeattie) wrote :

kwallet-pam source package was named pam-kwallet in trusty.

Changed in kwallet-pam (Ubuntu Trusty):
status: New → Invalid
Changed in pam-kwallet (Ubuntu Xenial):
status: New → Invalid
Changed in pam-kwallet (Ubuntu Artful):
status: New → Invalid
Changed in pam-kwallet (Ubuntu Bionic):
status: New → Invalid
Changed in pam-kwallet (Ubuntu Cosmic):
status: New → Invalid
Simon Quigley (tsimonq2)
Changed in pam-kwallet (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Trusty):
assignee: Simon Quigley (tsimonq2) → nobody
importance: High → Undecided
Rik Mills (rikmills)
description: updated
Rik Mills (rikmills) wrote :

This has now been posted to the kde-announce list:

https://marc.info/?l=kde-announce&m=152534806103730&w=1

Rik Mills (rikmills) wrote :

I was in the process of preparing a SRU of plasma 5.12.5 anyway to bionic, so a staged build with the CVE patches can be found here:

https://launchpad.net/~kubuntu-ppa/+archive/ubuntu/staging-plasma/+sourcepub/9055851/+listing-archive-extra

Rik Mills (rikmills)
Changed in kwallet-pam (Ubuntu Cosmic):
status: New → Fix Committed
Simon Quigley (tsimonq2)
information type: Private Security → Public Security
Simon Quigley (tsimonq2)
Changed in kwallet-pam (Ubuntu Cosmic):
assignee: Simon Quigley (tsimonq2) → Rik Mills (rikmills)
Changed in kwallet-pam (Ubuntu Bionic):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.12.5-0ubuntu1

---------------
kwallet-pam (4:5.12.5-0ubuntu1) cosmic; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649)
    - debian/patches/CVE-2018-10380-salt-creation.diff: Move salt
      creation to an unprivileged process
    - debian/patches/CVE-2018-10380-socket-creation.diff: Move socket
      creation to unprivileged codepath
    - CVE-2018-10380
  * New upstream release (5.12.5)

 -- Rik Mills <email address hidden> Thu, 03 May 2018 20:49:30 +0100

Changed in kwallet-pam (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Simon Quigley (tsimonq2) wrote :

Updated packages are in the security proposed PPA. I have tested all three in fresh, fully updated virtual machines of each release, and all three work.

The Trusty backport is pending a review, but I would call the Xenial, Artful, and Bionic updates good.

Changed in kwallet-pam (Ubuntu Artful):
status: New → Fix Committed
Changed in kwallet-pam (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in kwallet-pam (Ubuntu Xenial):
status: New → Fix Committed
no longer affects: kwallet-pam (Ubuntu Trusty)
no longer affects: pam-kwallet (Ubuntu Xenial)
no longer affects: pam-kwallet (Ubuntu Artful)
no longer affects: pam-kwallet (Ubuntu Bionic)
no longer affects: pam-kwallet (Ubuntu Cosmic)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.10.5-0ubuntu1.1

---------------
kwallet-pam (4:5.10.5-0ubuntu1.1) artful-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 03 May 2018 16:25:43 -0500

Changed in kwallet-pam (Ubuntu Artful):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.12.4-0ubuntu1.1

---------------
kwallet-pam (4:5.12.4-0ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 03 May 2018 16:06:06 -0500

Changed in kwallet-pam (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.5.5-0ubuntu1.1

---------------
kwallet-pam (4:5.5.5-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 03 May 2018 16:32:17 -0500

Changed in kwallet-pam (Ubuntu Xenial):
status: Fix Committed → Fix Released
Josue (josue-tille) wrote :

Hello,

Since I did the upgrade, Kwallet is broken. I can't access any wallet.

Here is my configuration :

Ubuntu 16.04

My installed packages :

# dpkg -l | grep kwallet
ii kwalletcli 2.12-5 amd64 command line interface to the KDE Wallet
ii kwalletmanager 4:15.12.3-0ubuntu1 amd64 secure password wallet manager
ii libkwalletbackend5-5:amd64 5.18.0a-0ubuntu1 amd64 Secure and unified container for user passwords.
ii libpam-kwallet4 4:5.5.5-0ubuntu1.1 amd64 KWallet (KDE 4) integration with PAM
ii libpam-kwallet5 4:5.5.5-0ubuntu1.1 amd64 KWallet (Kf5) integration with PAM
ii signon-kwallet-extension 4:15.12.3-0ubuntu1 amd64 KWallet extension for signond

When I try to launch kwallet I get this:

 # kwalletmanager5
Invalid DBus reply: QDBusError("org.freedesktop.DBus.Error.NoReply", "Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.")
Connecting to deprecated signal QDBusConnectionInterface::serviceOwnerChanged(QString,QString,QString)
Invalid DBus reply: QDBusError("org.freedesktop.DBus.Error.NoReply", "Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.")

After a while the kwallet windows open but no wallet is accessible.

Czikus (czikus-gmail) wrote :

Same problem, no access to kwallet.

Seth Arnold (seth-arnold) wrote :

Czikus, note that the CVE fix was reverted four hours ago. If you're still having problems, please re-run:

sudo apt-get update
sudo apt-get -u dist-upgrade

and restart your session if needed.

Thanks

Mikhail Novosyolov (mikhailnov) wrote :

Why was the fix reverted? Will kwallet be repatched to fix the CVE?

Marc Deslauriers (mdeslaur) wrote :

Since there is no actionable item to be sponsored here, unsubscribing the ubuntu-security-sponsors. If someone adds a new debdiff to this bug, please subscribe ubuntu-security-sponsors again. Thanks!

Rik Mills (rikmills)
Changed in kwallet-pam (Ubuntu Bionic):
status: Fix Released → Triaged
Changed in kwallet-pam (Ubuntu Artful):
status: Fix Released → Triaged
Changed in kwallet-pam (Ubuntu Xenial):
status: Fix Released → Triaged
Seth Arnold (seth-arnold) wrote :

Xenial, Artful, and Bionic packages are in https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages for testing, thanks to Simon. Feedback appreciated.

Thanks

Simon Quigley (tsimonq2)
tags: added: community-security
Simon Quigley (tsimonq2) wrote :

I have tested each of these fixes on fresh Lubuntu VMs Xenial, Artful, and Bionic (to ensure that there are no regressions caused by non-KDE environments). They work as intended.

Rik Mills (rikmills) wrote :

4:5.12.4-0ubuntu1.3 in Bionic tests ok for me.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.5.5-0ubuntu1.3

---------------
kwallet-pam (4:5.5.5-0ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - fix-CVE-2018-10380-3.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 14 Jun 2018 11:51:19 -0500

Changed in kwallet-pam (Ubuntu Xenial):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.10.5-0ubuntu1.3

---------------
kwallet-pam (4:5.10.5-0ubuntu1.3) artful-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - fix-CVE-2018-10380-3.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 14 Jun 2018 11:44:32 -0500

Changed in kwallet-pam (Ubuntu Artful):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.12.4-0ubuntu1.3

---------------
kwallet-pam (4:5.12.4-0ubuntu1.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - fix-CVE-2018-10380-3.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 14 Jun 2018 11:30:19 -0500

Changed in kwallet-pam (Ubuntu Bionic):
status: Triaged → Fix Released
Simon Quigley (tsimonq2) wrote :

I don't plan on fixing this for Trusty. Trusty has a very early upstream commit, and it goes EOL in a few months. In my personal opinion, it's not worth the many hours it'll take to properly backport and test it.

Changed in pam-kwallet (Ubuntu Trusty):
assignee: Simon Quigley (tsimonq2) → nobody
This report contains Public Security information  
Everyone can see this security related information.
