Bug 1177993 - (CVE-2020-27187) VUL-0: CVE-2020-27187: kpmcore: kpmcore_externalcommand helper can be exploited in local privilege escalation
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Leap 15.1
Priority: P3 - Medium, Severity: Normal
Assigned To: E-mail List
Security Team bot
https://smash.suse.de/issue/269800/
Reported: 2020-10-22 06:53 UTC by Wolfgang Frisch
Modified: 2020-11-16 15:12 UTC (History)
Found By: Security Response Team
Description Wolfgang Frisch 2020-10-22 06:53:18 UTC
CVE-2020-27187

kpmcore_externalcommand helper contains a logic flaw in which the service invoking dbus is not properly checked. An attacker on your local machine can replace /etc/fstab, execute mount and other partitioning related commands while KDE Partition Manager is running. The mount command can then be used to gain full root privileges.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1890199
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27187
Comment 1 Wolfgang Frisch 2020-10-22 06:55:41 UTC
KDE Project Security Advisory
=============================

Title:           KDE Partition Manager: kpmcore_externalcommand helper can be exploited in local privilege escalation
Risk Rating:     Important
CVE:             CVE-2020-27187
Versions:        kpmcore == 4.1.0
Author:          Andrius Štikonas <andrius@stikonas.eu>
Date:            17 October 2020

Overview
========

kpmcore_externalcommand helper contains a logic flaw in which the service invoking dbus
is not properly checked. An attacker on your local machine can replace /etc/fstab,
execute mount and other partitioning related commands while KDE Partition Manager is running.
The mount command can then be used to gain full root privileges.

Impact
======

KDE Partition Manager 4.1.0 should not be used on systems with untrusted users or running untrusted software.

Solution
========

KDE Partition Manager 4.2.0 fixes this issue.

You can apply the following patches on top of KPMcore 4.1.0:
https://invent.kde.org/system/kpmcore/-/commit/c466c5db11b5cee546d1ec0594c2f1105a354fed (fix)
https://invent.kde.org/system/kpmcore/-/commit/7ec4b611dcf822439b081613cca4184689266454 (removes KF5 5.73 dependency)


Credits
=======

Thanks to David Edmundson who co-authored the polkit port.
Comment 2 Wolfgang Bauer 2020-11-04 06:58:06 UTC
We only have kpmcore 3.3.0 in Factory which should not be affected by this yet (as it doesn't contain this helper).
Comment 3 Wolfgang Bauer 2020-11-16 15:12:52 UTC
The package in KDE:Extra has meanwhile been updated to 4.2.0.

As there is nothing more to do (as mentioned, the distribution itself doesn't contain an affected version), I'll close it as fixed.