Public bug reported:
Binary package hint: kdesudo
It is not clear whether or not this defect is in kdesudo or dolphin, but
I will mark both and let you guys decide.
STEPS:
(1) In dolphin, create a folder called: "test; konqueror" (without quotes)
(2) Right click it, under Actions, choose run as root
WHAT HAPPENS:
(1) Dolphin opens folder "test" as root
(2) Konqueror, after a few seconds, pops up, running as root
EXPECTED BEHAVIOR:
Dolphin should just pop up navigated to the "test; konqueror" folder as root.
This allows folder names to be crafted in a way that causes an unexpected
command to be executed with elevated privileges when the user simply wants to
navigate to that folder with elevated privileges.
In IRC, fdoving and I tried various combinations of quoting the %u and
kdesu arguments in
/usr/share/apps/d3lphin/servicemenus/d3lphin_su.desktop but I found that
every attempted workaround could be thwarted by the proper use of ", ',
and `.
The basic problem is that kdesu should not be interpreting its arguments
as shell code, or dolphin should be shell-escaping its arguments before
feeding to kdesu.
** Affects: dolphin (Ubuntu)
Importance: Undecided
Status: New
** Affects: kdesudo (Ubuntu)
Importance: Undecided
Status: New
** Visibility changed to: Public
** Also affects: dolphin (Ubuntu)
Importance: Undecided
Status: New
--
kdesudo+dolphin leads to command execution vulnerability
https://bugs.launchpad.net/bugs/163417
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
