
Add patches for CVE-2017-8422 in x11/kdelibs4 and devel/kf5-kauth

Authored by tcberner on May 10 2017, 9:39 AM.



Import the patches from the following security advisory:

KDE Project Security Advisory
Title           kauth: Local privilege escalation
Risk Rating     High
CVE             CVE-2017-8422
Versions        kauth < 5.34, kdelibs < 4.14.32
Date            10 May 2017

KAuth contains a logic flaw in which the service invoking dbus
is not properly checked.

This allows spoofing the identity of the caller and with some
carefully crafted calls can lead to gaining root from an
unprivileged account.

Update to kauth >= 5.34 and kdelibs >= 4.14.32 (when released)

Or apply the following patches:

Thanks to Sebastian Krahmer from SUSE for the report and
to Albert Astals Cid from KDE for the fix.

Diff Detail

rP FreeBSD ports repository
Lint Not Applicable
Tests Not Applicable

Event Timeline

Don't forget to add the appropriate entries to vuln.xml first and reference their UUIDs in your commit message.

This revision is now accepted and ready to land. May 10 2017, 9:56 AM

I thought I could leave the vuln.xml editing to someone else, and just set Security: CVE-2017-8422 in the commit?

It's good practice to do both if you can, otherwise you're basically relying on ports-secteam or someone else to do that, which may take long or not happen at all. Let me know if you need help with it.

tcberner edited edge metadata.

Add vuxml magic.

This revision now requires review to proceed. May 10 2017, 10:49 AM

Correct kdelibs version. Ports has only 4.14.30.

86 ↗(On Diff #28193)

The more references you have, the better. This flaw already has a CVE assigned, so you should add <cvename>CVE-2017-8422</cvename>.

I like using Debian's security-tracker page because it contains links to several possible sources of information. For example, has a working link to an oss-sec mailing list post you can reference using <mlist> tags.

Add cvename and mlist -- the mlist-entry does not appear in the make VID=.. html output -- should it?

Remember to land the vuln.xml first, and then ask for an MFH to 2017Q2. As for mlist, I don't see anything wrong with it, so as long as it passes make validate it should be fine.

This revision is now accepted and ready to land. May 10 2017, 11:56 AM
This revision was automatically updated to reflect the committed changes.
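
The review advice above about listing `<cvename>` and `<mlist>` under an entry's references can be checked mechanically. The following is an added example, not part of the original review or of the FreeBSD ports tooling: `lint_references` is a hypothetical helper, and the sample entry's vid, version bound and URL are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed entry: vid, version bound and URL are placeholders, not real data.
SAMPLE = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>kauth -- local privilege escalation</topic>
    <affects>
      <package><name>kf5-kauth</name><range><lt>0.0.0</lt></range></package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>KAuth logic flaw, CVE-2017-8422.</p>
      </body>
    </description>
    <references>
      <url>https://example.invalid/advisory</url>
    </references>
    <dates><discovery>2017-05-10</discovery><entry>2017-05-10</entry></dates>
  </vuln>
</vuxml>"""


def lint_references(vuxml_text):
    """Return {vid: [findings]} for entries whose <references> look thin."""
    report = {}
    for vuln in ET.fromstring(vuxml_text).findall("v:vuln", NS):
        # CVE ids mentioned in the human-readable parts of the entry.
        parts = (vuln.find("v:topic", NS), vuln.find("v:description", NS))
        prose = "".join("".join(el.itertext()) for el in parts if el is not None)
        refs = vuln.find("v:references", NS)
        cvenames = refs.findall("v:cvename", NS) if refs is not None else []
        named = {(e.text or "").strip() for e in cvenames}
        findings = [f"missing <cvename>{cve}</cvename>"
                    for cve in sorted(set(CVE_RE.findall(prose)) - named)]
        if refs is None or refs.find("v:mlist", NS) is None:
            findings.append("no <mlist> reference")
        if findings:
            report[vuln.get("vid")] = findings
    return report


if __name__ == "__main__":
    for vid, findings in lint_references(SAMPLE).items():
        print(vid, findings)
```

This only inspects the references block; schema validity is still the job of `make validate`, as noted in the review.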