Arch Linux 2014-11-10 Advisory: kdebase-workspace Local Escalation

Arch Linux Security Advisory ASA-201411-6
========================================
Severity: Medium
Date    : 2014-11-10
CVE-ID  : CVE-2014-8651
Package : kdebase-workspace
Type    : local privilege escalation
Remote  : No
Link    : https://wiki.archlinux.org/title/CVE-2014

Summary
======
The package kdebase-workspace before version 4.11.13-2 is
vulnerable to a local privilege escalation issue.

Resolution
=========
Upgrade to 4.11.13-2.

# pacman -Syu "kdebase-workspace>=4.11.13-2"

The problem has not been fixed upstream yet.

Workaround
=========
A polkit rule can be added to disable the org.kde.kcontrol.kcmclock.save
action.

Description
==========
KDE workspace configuration module for setting the date and time has a
helper program which runs as root for performing actions. This is
secured with polkit. This helper takes the name of the ntp utility to
run as an argument. This allows a hacker to run any arbitrary command as
root under the guise of updating the time.

Impact
=====
An local application can gain root privileges from an admin user with
either misleading information or no interaction.

References
=========
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8651
https://seclists.org/oss-sec/2014/q4/520
https://bugs.archlinux.org/task/42679