KDE Systemsettings: Privilege escalation — GLSA 201512-12

Data validation in KDE Systemsettings could lead to local privilege escalation.

Affected Packages

kde-base/systemsettings on all architectures
Affected versions < 4.11.13-r1
Unaffected versions >= 4.11.13-r1

Background

KDE workspace configuration module for setting the date and time has a helper program which runs as root for performing actions.

Description

KDE Systemsettings fails to properly validate user input before passing it as argument in context of higher privilege.

Impact

A local attacker could gain privileges via a crafted ntpUtility (ntp utility name) argument.

Workaround

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action.

Resolution

All KDE Systemsettings users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose
 ">=kde-base/systemsettings-4.11.13-r1"
 

References

Release Date
December 30, 2015

Latest Revision
December 30, 2015: 1

Severity
normal

Exploitable
local

Bugzilla entries