Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201411-6 ======================================== Severity: Medium Date : 2014-11-10 CVE-ID : CVE-2014-8651 Package : kdebase-workspace Type : local privilege escalation Remote : No Link : https://wiki.archlinux.org/title/CVE-2014 Summary ====== The package kdebase-workspace before version 4.11.13-2 is vulnerable to a local privilege escalation issue. Resolution ========= Upgrade to 4.11.13-2. # pacman -Syu "kdebase-workspace>=4.11.13-2" The problem has not been fixed upstream yet. Workaround ========= A polkit rule can be added to disable the org.kde.kcontrol.kcmclock.save action. Description ========== KDE workspace configuration module for setting the date and time has a helper program which runs as root for performing actions. This is secured with polkit. This helper takes the name of the ntp utility to run as an argument. This allows a hacker to run any arbitrary command as root under the guise of updating the time. Impact ===== An local application can gain root privileges from an admin user with either misleading information or no interaction. References ========= https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8651 https://seclists.org/oss-sec/2014/q4/520 https://bugs.archlinux.org/task/42679