[ANN] CVE-2016-7787

Simon Quigley tsimonq2 at ubuntu.com
Fri Sep 30 04:31:02 UTC 2016


Hello everyone,

In case you don't know me, my name is Simon, and I'm a Kubuntu Ninja.

About 5 hours ago, someone pasted a link to the CVE report for
CVE-2016-7787 on the KDE website[1]. Here is the vulnerability:

Overview
========

A maliciously crafted command line for kdesu can result in the user
only seeing part of the commands that will actually get executed as
super user.

Impact
======

Users can unwillingly run commands as root.

Workaround
==========

Users should be careful when running kdesu with a command line they have
not written themselves.

Solution
========

kde-cli-tools 5.7.5, released as part of KDE Plasma does not allow the
execution of commands with such characters.

Alternatively, commit 5eda179a099ba68a20dc21dc0da63e85a565a171 in
kde-cli-tools.git
can be applied to previous releases.

Thanks to Fabian Vogt for reporting this issue.
Thanks to Martin Sandsmark for fixing this issue.

Since, I've filed a bug[2] and worked with a member of the Ubuntu
Security team to get the bug fixed and the aforementioned commit backported.

This security vulnerability has been fixed in Xenial (and is in
xenial-security now) and the Backports PPA (only for Xenial as Wily is
not supported any more). We're waiting on kde-cli-tools to migrate from
proposed in Yakkety, and that will happen within the next few days.

You should update your computer as soon as possible to get this patch.

Let me know if you have any questions.

[1] https://www.kde.org/info/security/advisory-20160930-1.txt
[2] https://pad.lv/1629145

-- 
Simon Quigley
tsimonq2 at ubuntu.com
tsimonq2 on freenode and OFTC
5C7A BEA2 0F86 3045 9CC8
C8B5 E27F 2CF8 458C 2FA4




More information about the kubuntu-users mailing list