[CVE] Access to privileged files

Bug #1768649 reported by Simon Quigley on 2018-05-02
This bug affects 1 person
Affects                  Importance   Assigned to
kwallet-pam (Ubuntu)     (status tracked in Cosmic)
  Xenial                 High         Simon Quigley
  Artful                 High         Simon Quigley
  Bionic                 High         Simon Quigley
  Cosmic                 High         Rik Mills
pam-kwallet (Ubuntu)     Undecided    Unassigned
  Trusty                 High         Unassigned

Bug Description

KDE Project Security Advisory
=============================

Title: kwallet-pam: Access to privileged files
Risk Rating: High
CVE: CVE-2018-10380
Versions: Plasma < 5.12.6
Date: 4 May 2018

Overview
========
kwallet-pam was doing file writing and permission changing
as root that with correct timing and use of carefully
crafted symbolic links could allow a non privileged user
to become the owner of any file on the system.

Workaround
==========
None (other than not using kwallet-pam)

Solution
========
Update to Plasma >= 5.12.6 or Plasma >= 5.13.0

Or apply the following patches:
Plasma 5.12
    https://commits.kde.org/kwallet-pam/2134dec85ce19d6378d03cddfae9e5e464cb24c0
    https://commits.kde.org/kwallet-pam/01d4143fda5bddb6dca37b23304dc239a5fb38b5

Plasma 5.8
    https://commits.kde.org/kwallet-pam/99abc7fde21f40cc6da5feb6ee766cc46fcca1f8
    https://commits.kde.org/kwallet-pam/802f305d81f8771c4f4a8bd7fd0e368ffc6f9b3b

Credits
=======
Thanks to Fabian Vogt for the report and to Albert Astals Cid for the fix.
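
The overview above describes file writes and ownership changes done as root on paths a user can influence, and the Ubuntu changelog further down this page names the fix as moving salt creation to an unprivileged process. An example of that pattern in C, added here as an illustration and not taken from the kwallet-pam patches (write_salt_as_user and create_salt_file are hypothetical names):

```c
/* Added illustration, not kwallet-pam source; function names are hypothetical. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs after privileges are dropped: create the file, never follow a link. */
static int create_salt_file(const char *path, const void *salt, size_t len)
{
    /* O_EXCL fails if anything, even a dangling symlink, already sits at path;
       O_NOFOLLOW refuses a symlink as the final path component. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    int rc = (write(fd, salt, len) == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Called from the privileged side. The child becomes the target user before
   it touches the filesystem, so there is no root write and no chown at all. */
int write_salt_as_user(const char *path, const void *salt, size_t len,
                       uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (geteuid() != uid || getegid() != gid) {
            /* Order matters: supplementary groups, then gid, then uid.
               Real code would normally call initgroups() for the user. */
            if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
                _exit(2);
        }
        /* A successful drop must be irreversible. */
        if (uid != 0 && setuid(0) == 0)
            _exit(2);
        _exit(create_salt_file(path, salt, len) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

O_NOFOLLOW only guards the last path component; running the write as the target user is what limits any redirected path to files that user could already modify.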


Simon Quigley (tsimonq2) wrote :

We don't have solid indicators of what this actually affects yet, so I'll nominate it for all Ubuntu releases.

Changed in kwallet-pam (Ubuntu Trusty):
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Xenial):
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Artful):
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Bionic):
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Cosmic):
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in kwallet-pam (Ubuntu Artful):
assignee: nobody → Simon Quigley (tsimonq2)
Rik Mills (rikmills) on 2018-05-02
description: updated
Simon Quigley (tsimonq2) on 2018-05-02
Changed in kwallet-pam (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in kwallet-pam (Ubuntu Cosmic):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in kwallet-pam (Ubuntu Bionic):
assignee: nobody → Simon Quigley (tsimonq2)
Steve Beattie (sbeattie) wrote :

kwallet-pam source package was named pam-kwallet in trusty.

Changed in kwallet-pam (Ubuntu Trusty):
status: New → Invalid
Changed in pam-kwallet (Ubuntu Xenial):
status: New → Invalid
Changed in pam-kwallet (Ubuntu Artful):
status: New → Invalid
Changed in pam-kwallet (Ubuntu Bionic):
status: New → Invalid
Changed in pam-kwallet (Ubuntu Cosmic):
status: New → Invalid
Simon Quigley (tsimonq2) on 2018-05-03
Changed in pam-kwallet (Ubuntu Trusty):
assignee: nobody → Simon Quigley (tsimonq2)
importance: Undecided → High
Changed in kwallet-pam (Ubuntu Trusty):
assignee: Simon Quigley (tsimonq2) → nobody
importance: High → Undecided
Rik Mills (rikmills) on 2018-05-03
description: updated
Rik Mills (rikmills) wrote :

This has now been posted to the kde-announce list:

https://marc.info/?l=kde-announce&m=152534806103730&w=1

Rik Mills (rikmills) wrote :

I was in the process of preparing a SRU of plasma 5.12.5 anyway to bionic, so a staged build with the CVE patches can be found here:

https://launchpad.net/~kubuntu-ppa/+archive/ubuntu/staging-plasma/+sourcepub/9055851/+listing-archive-extra

Rik Mills (rikmills) on 2018-05-03
Changed in kwallet-pam (Ubuntu Cosmic):
status: New → Fix Committed
Simon Quigley (tsimonq2) on 2018-05-03
information type: Private Security → Public Security
Simon Quigley (tsimonq2) on 2018-05-03
Changed in kwallet-pam (Ubuntu Cosmic):
assignee: Simon Quigley (tsimonq2) → Rik Mills (rikmills)
Changed in kwallet-pam (Ubuntu Bionic):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.12.5-0ubuntu1

---------------
kwallet-pam (4:5.12.5-0ubuntu1) cosmic; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649)
    - debian/patches/CVE-2018-10380-salt-creation.diff: Move salt
      creation to an unprivileged process
    - debian/patches/CVE-2018-10380-socket-creation.diff: Move socket
      creation to unprivileged codepath
    - CVE-2018-10380
  * New upstream release (5.12.5)

 -- Rik Mills <email address hidden> Thu, 03 May 2018 20:49:30 +0100

Changed in kwallet-pam (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Simon Quigley (tsimonq2) wrote :

Updated packages are in the security proposed PPA. I have tested all three in fresh, fully updated virtual machines of each release, and all three work.

The Trusty backport is pending a review, but I would call the Xenial, Artful, and Bionic updates good.

Changed in kwallet-pam (Ubuntu Artful):
status: New → Fix Committed
Changed in kwallet-pam (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in kwallet-pam (Ubuntu Xenial):
status: New → Fix Committed
no longer affects: kwallet-pam (Ubuntu Trusty)
no longer affects: pam-kwallet (Ubuntu Xenial)
no longer affects: pam-kwallet (Ubuntu Artful)
no longer affects: pam-kwallet (Ubuntu Bionic)
no longer affects: pam-kwallet (Ubuntu Cosmic)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.10.5-0ubuntu1.1

---------------
kwallet-pam (4:5.10.5-0ubuntu1.1) artful-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 03 May 2018 16:25:43 -0500

Changed in kwallet-pam (Ubuntu Artful):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.12.4-0ubuntu1.1

---------------
kwallet-pam (4:5.12.4-0ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 03 May 2018 16:06:06 -0500

Changed in kwallet-pam (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.5.5-0ubuntu1.1

---------------
kwallet-pam (4:5.5.5-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 03 May 2018 16:32:17 -0500

Changed in kwallet-pam (Ubuntu Xenial):
status: Fix Committed → Fix Released
Josue (josue-tille) wrote :

Hello,

Since I did the upgrade, Kwallet is broken. I can't access any wallet.

Here is my configuration:

Ubuntu 16.04

My installed packages:

# dpkg -l | grep kwallet
ii kwalletcli 2.12-5 amd64 command line interface to the KDE Wallet
ii kwalletmanager 4:15.12.3-0ubuntu1 amd64 secure password wallet manager
ii libkwalletbackend5-5:amd64 5.18.0a-0ubuntu1 amd64 Secure and unified container for user passwords.
ii libpam-kwallet4 4:5.5.5-0ubuntu1.1 amd64 KWallet (KDE 4) integration with PAM
ii libpam-kwallet5 4:5.5.5-0ubuntu1.1 amd64 KWallet (Kf5) integration with PAM
ii signon-kwallet-extension 4:15.12.3-0ubuntu1 amd64 KWallet extension for signond

When I try to launch kwallet I get this:

 # kwalletmanager5
Invalid DBus reply: QDBusError("org.freedesktop.DBus.Error.NoReply", "Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.")
Connecting to deprecated signal QDBusConnectionInterface::serviceOwnerChanged(QString,QString,QString)
Invalid DBus reply: QDBusError("org.freedesktop.DBus.Error.NoReply", "Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.")

After a while the kwallet window opens but no wallet is accessible.

Czikus (czikus-gmail) wrote :

Same problem, no access to kwallet.

Seth Arnold (seth-arnold) wrote :

Czikus, note that the CVE fix was reverted four hours ago. If you're still having problems, please re-run:

sudo apt-get update
sudo apt-get -u dist-upgrade

and restart your session if needed.

Thanks

Why was the fix reverted? Will kwallet be repatched to fix the CVE?

Marc Deslauriers (mdeslaur) wrote :

Since there is no actionable item to be sponsored here, unsubscribing the ubuntu-security-sponsors. If someone adds a new debdiff to this bug, please subscribe ubuntu-security-sponsors again. Thanks!

Rik Mills (rikmills) on 2018-05-28
Changed in kwallet-pam (Ubuntu Bionic):
status: Fix Released → Triaged
Changed in kwallet-pam (Ubuntu Artful):
status: Fix Released → Triaged
Changed in kwallet-pam (Ubuntu Xenial):
status: Fix Released → Triaged
Seth Arnold (seth-arnold) wrote :

Xenial, Artful, and Bionic packages are in https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages for testing, thanks to Simon. Feedback appreciated.

Thanks

Simon Quigley (tsimonq2) on 2018-06-19
tags: added: community-security
Simon Quigley (tsimonq2) wrote :

I have tested each of these fixes on fresh Lubuntu VMs Xenial, Artful, and Bionic (to ensure that there are no regressions caused by non-KDE environments). They work as intended.

Rik Mills (rikmills) wrote :

4:5.12.4-0ubuntu1.3 in Bionic tests ok for me.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.5.5-0ubuntu1.3

---------------
kwallet-pam (4:5.5.5-0ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - fix-CVE-2018-10380-3.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 14 Jun 2018 11:51:19 -0500

Changed in kwallet-pam (Ubuntu Xenial):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.10.5-0ubuntu1.3

---------------
kwallet-pam (4:5.10.5-0ubuntu1.3) artful-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - fix-CVE-2018-10380-3.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 14 Jun 2018 11:44:32 -0500

Changed in kwallet-pam (Ubuntu Artful):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kwallet-pam - 4:5.12.4-0ubuntu1.3

---------------
kwallet-pam (4:5.12.4-0ubuntu1.3) bionic-security; urgency=medium

  * SECURITY UPDATE: Access to privileged files (LP: #1768649):
    - fix-CVE-2018-10380-1.patch
    - fix-CVE-2018-10380-2.patch
    - fix-CVE-2018-10380-3.patch
    - CVE-2018-10380

 -- Simon Quigley <email address hidden> Thu, 14 Jun 2018 11:30:19 -0500

Changed in kwallet-pam (Ubuntu Bionic):
status: Triaged → Fix Released
Simon Quigley (tsimonq2) wrote :

I don't plan on fixing this for Trusty. Trusty has a very early upstream commit, and it goes EOL in a few months. In my personal opinion, it's not worth the many hours it'll take to properly backport and test it.

Changed in pam-kwallet (Ubuntu Trusty):
assignee: Simon Quigley (tsimonq2) → nobody