[ANN] CVE-2016-7787

Ovidiu-Florin BOGDAN ovidiu.b13 at gmail.com
Mon Oct 24 05:59:01 UTC 2016


We don't ship "kdesu" by default. We only ship "kdesudo", which
currently is at Qt: 4.8.7; KDE Development Platform: 4.14.22; KdeSudo:
3.4.2.3 in Yakkety.

AFAIK "kdesu" != "kdesudo".
Ovidiu - Florin BOGDAN
GeekAliens.com
Kubuntu România



2016-09-30 7:31 GMT+03:00 Simon Quigley <tsimonq2 at ubuntu.com>:
> Hello everyone,
>
> In case you don't know me, my name is Simon, and I'm a Kubuntu Ninja.
>
> About 5 hours ago, someone pasted a link to the CVE report for
> CVE-2016-7787 on the KDE website[1]. Here is the vulnerability:
>
> Overview
> ========
>
> A maliciously crafted command line for kdesu can result in the user
> only seeing part of the commands that will actually get executed as
> super user.
>
> Impact
> ======
>
> Users can unwillingly run commands as root.
>
> Workaround
> ==========
>
> Users should be careful when running kdesu with a command line they have
> not written themselves.
>
> Solution
> ========
>
> kde-cli-tools 5.7.5, released as part of KDE Plasma does not allow the
> execution of commands with such characters.
>
> Alternatively, commit 5eda179a099ba68a20dc21dc0da63e85a565a171 in
> kde-cli-tools.git
> can be applied to previous releases.
>
> Thanks to Fabian Vogt for reporting this issue.
> Thanks to Martin Sandsmark for fixing this issue.
>
> Since, I've filed a bug[2] and worked with a member of the Ubuntu
> Security team to get the bug fixed and the aforementioned commit backported.
>
> This security vulnerability has been fixed in Xenial (and is in
> xenial-security now) and the Backports PPA (only for Xenial as Wily is
> not supported any more). We're waiting on kde-cli-tools to migrate from
> proposed in Yakkety, and that will happen within the next few days.
>
> You should update your computer as soon as possible to get this patch.
>
> Let me know if you have any questions.
>
> [1] https://www.kde.org/info/security/advisory-20160930-1.txt
> [2] https://pad.lv/1629145
>
> --
> Simon Quigley
> tsimonq2 at ubuntu.com
> tsimonq2 on freenode and OFTC
> 5C7A BEA2 0F86 3045 9CC8
> C8B5 E27F 2CF8 458C 2FA4
>
> --
> kubuntu-devel mailing list
> kubuntu-devel at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/kubuntu-devel
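The advisory above describes a command line whose displayed form differs from what actually runs as root, and a fix that refuses such command lines. Below is an added example of that kind of defensive check, written for this post; it is not the kde-cli-tools code from the referenced commit, and it assumes (an assumption, not stated in the advisory) that the characters involved are non-printable ones such as line breaks. Function names and sample inputs are constructed.

```python
def shown_to_user(cmdline: str) -> str:
    """What a single-line confirmation prompt would show: only the text up to
    the first line break. Used here purely to explain why the check matters."""
    lines = cmdline.splitlines()
    return lines[0] if lines else ""


def is_faithfully_displayable(cmdline: str) -> bool:
    """True only if every character is printable, so the text a user is asked
    to confirm cannot differ from the text that would be executed.

    str.isprintable() rejects Unicode 'Other' (control, format) and
    'Separator' characters except the plain ASCII space, which is what a
    confirmation dialog can render unambiguously."""
    return cmdline != "" and cmdline.isprintable()


def check_command(cmdline: str) -> dict:
    """Gatekeeper a privilege-elevation front end could run before prompting.

    Returns whether the command is accepted and, if not, why. The executed
    string and the shown string are reported so a reviewer can compare them."""
    shown = shown_to_user(cmdline)
    accepted = is_faithfully_displayable(cmdline)
    reason = ""
    if not accepted:
        if cmdline == "":
            reason = "empty command line"
        elif shown != cmdline:
            reason = "command contains a line break; prompt would show only part of it"
        else:
            reason = "command contains non-printable characters"
    return {"accepted": accepted, "shown": shown, "executed": cmdline, "reason": reason}


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary command, one with an embedded
    # line break, one with an embedded control character.
    for sample in ("apt update", "apt update\necho hidden-part", "ls\x1b[2Jrm"):
        print(check_command(sample))
```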