Ubuntu
kpmcore package

kpmcore 4.1.0: CVE-2020-27187

Bug #1903774 reported by Andrius Štikonas
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
kpmcore (Ubuntu)
New
Undecided
Unassigned

Bug Description

It has now been almost a month with no reaction to KDE security advisory. Almost all other distros fixed this some time ago...

KDE Project Security Advisory
=============================

Title: KDE Partition Manager: kpmcore_externalcommand helper can be exploited in local privilege escalation
Risk Rating: Important
CVE: CVE-2020-27187
Versions: kpmcore == 4.1.0
Author: Andrius Štikonas <email address hidden>
Date: 17 October 2020

Overview
========

kpmcore_externalcommand helper contains a logic flaw in which the service invoking dbus
is not properly checked. An attacker on your local machine can replace /etc/fstab,
execute mount and other partitioning related commands while KDE Partition Manager is running.
mount command can then be used to gain full root privileges.

Impact
======

KDE Partition Manager 4.1.0 should not be used on systems with untrusted users or running untrusted software.

Solution
========

KDE Partition Manager 4.2.0 fixes this issue.

You can apply the following patches on top of KPMcore 4.1.0:
https://invent.kde.org/system/kpmcore/-/commit/c466c5db11b5cee546d1ec0594c2f1105a354fed (fix)
https://invent.kde.org/system/kpmcore/-/commit/7ec4b611dcf822439b081613cca4184689266454 (removes KF5 5.73 dependency)

CVE References

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.