kauth: Insecure handling of arguments in helpers

Related Vulnerabilities: CVE-2019-7443  

Debian Bug report logs - #921995
kauth: Insecure handling of arguments in helpers


Reported by: Scott Kitterman <debian@kitterman.com>

Date: Mon, 11 Feb 2019 04:21:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version kauth/5.28.0-2

Fixed in versions kauth/5.54.0-2, kauth/5.28.0-2+deb9u1

Done: Moritz Mühlenhoff <jmm@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#921995; Package src:kauth. (Mon, 11 Feb 2019 04:21:04 GMT)


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 11 Feb 2019 04:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Scott Kitterman <debian@kitterman.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kauth: Insecure handling of arguments in helpers
Date: Sun, 10 Feb 2019 23:16:29 -0500
Package: src:kauth
Version: 5.28.0-2
Severity: grave
Tags: security upstream patch
Justification: user security hole

See the KDE announce list [1].  It includes reference to a fix [2].  This is
CVE-2019-7443.

Scott K


[1] https://mail.kde.org/pipermail/kde-announce/2019-February/000011.html
[2] https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a

Message sent on to Scott Kitterman <debian@kitterman.com>:
Bug#921995. (Mon, 11 Feb 2019 06:18:05 GMT)


Message #8 received at 921995-submitter@bugs.debian.org:

From: Scott Kitterman <noreply@salsa.debian.org>
To: 921995-submitter@bugs.debian.org
Subject: Bug #921995 in kauth marked as pending
Date: Mon, 11 Feb 2019 06:16:10 +0000
Control: tag -1 pending

Hello,

Bug #921995 in kauth reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/qt-kde-team/kde/kauth/commit/7c3a1fc6f2a7590fe7a12db0035e89ce1c29301b

------------------------------------------------------------------------
* Remove support for passing gui QVariants to KAuth helpers (Closes: #921995)

* SECURITY UPDATE:
* References:
  - CVE-2019-7443
  - https://mail.kde.org/pipermail/kde-announce/2019-February/000011.html
* Remove support for passing gui QVariants to KAuth helpers (Closes:
  #921995)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/921995



Added tag(s) pending. Request was from Scott Kitterman <noreply@salsa.debian.org> to 921995-submitter@bugs.debian.org. (Mon, 11 Feb 2019 06:18:05 GMT)


Reply sent to Scott Kitterman <scott@kitterman.com>:
You have taken responsibility. (Mon, 11 Feb 2019 06:39:03 GMT)


Notification sent to Scott Kitterman <debian@kitterman.com>:
Bug acknowledged by developer. (Mon, 11 Feb 2019 06:39:03 GMT)


Message #15 received at 921995-close@bugs.debian.org:

From: Scott Kitterman <scott@kitterman.com>
To: 921995-close@bugs.debian.org
Subject: Bug#921995: fixed in kauth 5.54.0-2
Date: Mon, 11 Feb 2019 06:37:36 +0000
Source: kauth
Source-Version: 5.54.0-2

We believe that the bug you reported is fixed in the latest version of
kauth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921995@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <scott@kitterman.com> (supplier of updated kauth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 10 Feb 2019 23:22:23 -0500
Source: kauth
Architecture: source
Version: 5.54.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Scott Kitterman <scott@kitterman.com>
Closes: 921995
Changes:
 kauth (5.54.0-2) unstable; urgency=high
 .
   * Team upload.
   * SECURITY UPDATE:
   * References:
     - CVE-2019-7443
     - https://mail.kde.org/pipermail/kde-announce/2019-February/000011.html
   * Remove support for passing gui QVariants to KAuth helpers (Closes:
     #921995)


Reply sent to Moritz Mühlenhoff <jmm@debian.org>:
You have taken responsibility. (Sat, 09 Mar 2019 12:21:03 GMT)


Notification sent to Scott Kitterman <debian@kitterman.com>:
Bug acknowledged by developer. (Sat, 09 Mar 2019 12:21:03 GMT)


Message #20 received at 921995-close@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@debian.org>
To: 921995-close@bugs.debian.org
Subject: Bug#921995: fixed in kauth 5.28.0-2+deb9u1
Date: Sat, 09 Mar 2019 12:17:09 +0000
Source: kauth
Source-Version: 5.28.0-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
kauth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 921995@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Mühlenhoff <jmm@debian.org> (supplier of updated kauth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 15 Feb 2019 00:03:40 +0100
Source: kauth
Binary: libkf5auth-dev libkf5auth-bin-dev libkf5auth5 libkf5auth-data
Architecture: source amd64 all
Version: 5.28.0-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Moritz Mühlenhoff <jmm@debian.org>
Description:
 libkf5auth-bin-dev - Abstraction to system policy and authentication features
 libkf5auth-data - Abstraction to system policy and authentication features
 libkf5auth-dev - Abstraction to system policy and authentication features
 libkf5auth5 - Abstraction to system policy and authentication features
Closes: 921995
Changes:
 kauth (5.28.0-2+deb9u1) stretch; urgency=medium
 .
   * CVE-2019-7443 (Closes: #921995)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 May 2019 07:29:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:25:04 2019; Machine Name: beach
