[Pkg-kde-extras] Bug#843790: kde-cli-tools: CVE-2016-7787

Balint Reczey balint at balintreczey.hu
Wed Nov 9 16:52:59 UTC 2016


On Thu, 6 Oct 2016 02:31:33 +0200 Balint Reczey <balint at balintreczey.hu>
wrote:
> On Wed, 05 Oct 2016 21:48:58 +0200 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> > Hi,
> > 
> > the following vulnerability was published for kde-cli-tools.
> > 
> > CVE-2016-7787[0]:
> > kdesu: Displayed command truncated by unicode string terminator
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-7787
> > [1] https://www.kde.org/info/security/advisory-20160930-1.txt
> > 
> > Please adjust the affected versions in the BTS as needed. I'm not sure
> > if kde-runtime is as well affected (it looks source wise, since the
> > same file can be patched).
> 
> It seems both Jessie and Wheezy are affected in some way.
> Both show the command in the dialog, but on my vagrant VM installations
> the string terminator was not interpreted on Wheezy, just on Jessie.
> 
> Test command: kdesudo ls $(printf 'aa\u9chidden')
> 
> On Jessie it shows the following dialog:
> +-----------------------------------------------------------------------
> |  ls aa[]hidden needs administrative privileges. Please eneter your
> |  password.
> |
> | Command ls aa
> | Password:|
> | OK Cancel
> +-----------------------------------------------------------------------
> Thus the string terminator takes effect only once.
> 
> On Wheezy the dialog looks like this:
> +-----------------------------------------------------------------------
> |  ls aa[?]hidden needs administrative privileges. Please eneter your
> |  password.
> |
> | Command ls aa[?]hidden
> | Password:|
> | OK Cancel
> +-----------------------------------------------------------------------

Attaching the patch for kdesudo.

Wheezy's version is not affected and not fixed by the patch because it
interprets the command as Latin-1 instead of UTF-8.
https://wiki.qt.io/Strings_and_encodings_in_Qt

Cheers,
Balint
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2016-7787.patch
Type: text/x-patch
Size: 668 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-kde-extras/attachments/20161109/c20976f7/attachment.bin>
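The bug discussed above is a display problem: a C1 control character (U+009C, STRING TERMINATOR) inside a command-line argument makes the kdesu/kdesudo dialog show less of the command than the user is about to run as root. The Python below is an added illustration, not the attached patch and not KDE's own fix. It decodes a constructed argv containing the same bytes that `printf 'aa\u9chidden'` produces in a UTF-8 locale, flags every control character in it, and shows a modelled renderer that stops at U+009C (a stand-in for the behaviour Balint saw on Jessie) beside a display string in which control characters have been replaced by visible `<U+XXXX>` tokens. The renderer model, the `SAMPLE_ARGV` bytes and all function names are assumptions made for this example.

```python
import unicodedata

# U+009C STRING TERMINATOR, the C1 control character named in CVE-2016-7787.
STRING_TERMINATOR = "\u009c"

# Constructed sample: the bytes `printf 'aa\u9chidden'` emits in a UTF-8
# locale, split the way the shell would pass them to kdesudo as argv.
SAMPLE_ARGV = [b"ls", b"aa\xc2\x9chidden"]


def decode_argv(argv, encoding="utf-8"):
    """Join raw argv bytes into the single string a privilege dialog would show."""
    return " ".join(arg.decode(encoding, errors="replace") for arg in argv)


def find_control_chars(text):
    """Return (index, 'U+XXXX') for every C0/C1 control character in text.

    Useful as a check before rendering: a command line that is about to be
    confirmed by the user should normally contain none of these.
    """
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cc"]


def escape_for_display(text):
    """Replace each control character with a visible <U+XXXX> token.

    Printable text passes through unchanged, so the user still sees the real
    command; only characters a renderer might interpret are made visible.
    """
    return "".join(
        f"<U+{ord(ch):04X}>" if unicodedata.category(ch) == "Cc" else ch
        for ch in text
    )


def naive_render(text):
    """Model (assumption) of a renderer that treats U+009C as end-of-string,
    i.e. the truncation the advisory describes."""
    cut = text.find(STRING_TERMINATOR)
    return text if cut < 0 else text[:cut]


def build_prompt(argv, escape=True):
    """Produce the 'Command ...' line of the dialog, with or without escaping."""
    command = decode_argv(argv)
    shown = escape_for_display(command) if escape else command
    return naive_render(f"Command {shown}")


if __name__ == "__main__":
    cmd = decode_argv(SAMPLE_ARGV)
    print("control characters:", find_control_chars(cmd))
    print("unescaped dialog line:", build_prompt(SAMPLE_ARGV, escape=False))
    print("escaped dialog line:  ", build_prompt(SAMPLE_ARGV, escape=True))
```

The unescaped line loses everything after `aa`, matching the `Command ls aa` line in the Jessie dialog quoted above, while the escaped line keeps the whole command visible. Escaping control characters (rather than stripping them) is the safer choice for a confirmation dialog: the user sees exactly what is unusual about the command instead of a sanitised version that still differs from what will be executed.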