** Description changed:

  [ Impact ]
  
  On May 31, 2024, KDE published a security advisory for plasma-workspace:
  https://kde.org/info/security/advisory-20240531-1.txt
  
  This was assigned CVE-2024-36041, and affects all stable versions of
  Kubuntu (and the Ubuntu Studio releases with KDE Plasma).
  
  Overview from the advisory:
  KSmserver, KDE's XSMP manager, incorrectly allows connections via ICE based
  purely on the host, allowing all local connections. This allows another user on
  the same machine to gain access to the session manager. A well crafted client
  could use the session restore feature to execute arbitrary code as the user on
  the next boot.
  
  The fix for this is applying
  https://invent.kde.org/plasma/plasma-workspace/-/commit/da843d3fdb143ed44094c8e6246cfb8305f6f09f
  (iceauth is already installed by default).
  
  [ Test Plan ]
  
  Ensure your system is fully updated.
  
  Confirm the vulnerability is present:
   1. Install build-essential and libice-dev (for use in the POC).
   2. Download the POC: `wget https://launchpadlibrarian.net/735809918/poc-CVE-2024-36041.c`
   3. Compile the POC: `gcc -o poc-CVE-2024-36041 ./poc-CVE-2024-36041.c -lICE`
   4. Run the POC with a path to the ICE socket belonging to the current user.
      For example: `./poc-CVE-2024-36041 local/:/tmp/.ICE-unix/1878`
   5. Observe the following output: "Authentication not needed, vulnerable!"
  
  Install the updates from the security-proposed pocket:
   1. Add the PPA: `sudo add-apt-repository ppa:ubuntu-security-proposed/ppa`
   2. Install the updates for plasma-workspace from the PPA:
-    Noble and Mantic: `sudo apt -y install plasma-workspace`
-    Jammy: `sudo apt -y install plasma-workspace breeze kwin-x11 
libksysguardformatter1`
+    Noble and Mantic: `sudo apt -y install plasma-workspace`
+    Jammy: `sudo apt -y install plasma-workspace breeze kwin-x11 
libksysguardformatter1`
+    Focal: `sudo apt -y install plasma-workspace breeze kwin-x11`
  
  Open Firefox.
  
  Confirm session restore and logout work as intended, and that the
  vulnerability is fixed:
   1. Log out of the session and log back in. Confirm Firefox opens as expected.
   2. Run the POC again; after logging back in the session manager listens on a
      different socket, so adjust the path. Example:
      `./poc-CVE-2024-36041 local/:/tmp/.ICE-unix/5920`
   3. Observe the following output: `None of the authentication protocols
      specified are supported. Connection failed! This probably means you're safe.`
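  The verification steps above can be driven from a script. This is an added
  example, not part of the bug report or the POC: it assumes the compiled
  `./poc-CVE-2024-36041` from the test plan sits in the current directory and
  that the running session exports its socket address in `SESSION_MANAGER`
  (the variable ksmserver sets for XSMP clients; its exact format is assumed,
  so the function only filters for a `local/` transport).

  ```shell
  #!/bin/sh
  # Added example (not from the bug report): classify the POC's output and,
  # when invoked with --run, point the POC at the current session's ksmserver.

  # Map the POC's output to a verdict. The two messages are the ones quoted in
  # the test plan; anything else is "unknown" so a changed message is never
  # silently counted as "fixed".
  classify_poc_output() {
      case "$1" in
          *"Authentication not needed, vulnerable!"*) echo vulnerable ;;
          *"None of the authentication protocols specified are supported"*) echo fixed ;;
          *) echo unknown ;;
      esac
  }

  # Pick the local transport out of SESSION_MANAGER. The variable may carry
  # several comma-separated addresses (assumed format, constructed in the
  # comments below); the test plan passes the "local/..." form to the POC.
  # Returns 1 when no usable address is set.
  session_socket() {
      addr="${SESSION_MANAGER:-}"
      [ -n "$addr" ] || return 1
      local_addr=$(printf '%s\n' "$addr" | tr ',' '\n' | grep '^local/' | head -n 1)
      [ -n "$local_addr" ] || return 1
      printf '%s\n' "$local_addr"
  }

  # Run the POC against the current session; exit non-zero unless it reports
  # the patched ("fixed") behaviour, so the script can gate a post-update check.
  run_check() {
      sock=$(session_socket) || { echo "no SESSION_MANAGER in environment" >&2; return 2; }
      out=$(./poc-CVE-2024-36041 "$sock" 2>&1)
      verdict=$(classify_poc_output "$out")
      echo "$sock: $verdict"
      [ "$verdict" = fixed ]
  }

  if [ "${1:-}" = --run ]; then
      run_check
  fi
  ```

  Run `sh check.sh --run` once before and once after installing the update; the exit status is 0 only when the POC reports the patched behaviour.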
  
  [ Where problems could occur ]
  
  The iceauth binary being installed means we do not need
  https://invent.kde.org/plasma/plasma-workspace/-/commit/1d5aa1d27bff87b2d242ed759cfb2ce15a5c3de7
  as well. Several bug reports have been filed regarding this:
   - https://bugzilla.redhat.com/show_bug.cgi?id=2290337
   - https://bugs.kde.org/show_bug.cgi?id=488187
  
  The test case explicitly covers both of these bugs, to ensure they do
  not exist.

https://bugs.launchpad.net/bugs/2067742

Title:
  CVE-2024-36041: ksmserver: Unauthorized users can access session
  manager
