user/kauth: CVE-2019-7443: dbus helpers running as root accept images without good reason
| Bugzilla ID | 213 |
| Alias(es) | CVE-2019-7443 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2019-10-16 16:39:51 -0500 |
| Modified | 2019-10-16 20:14:39 -0500 |
| Status | RESOLVED FIXED |
| Version | 1.0-BETA3 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| URL | https://nvd.nist.gov/vuln/detail/CVE-2019-7443 |
Description
KDE KAuth before 5.55 allows the passing of parameters with arbitrary
types to helpers running as root over DBus via DBusHelperProxy.cpp.
Certain types can cause crashes, and trigger the decoding of arbitrary
images with dynamically loaded plugins. In other words, KAuth
unintentionally causes this plugin code to run as root, which
increases the severity of any possible exploitation of a plugin
vulnerability.