
Bug#839865: kde-cli-tools: CVE-2016-7787



On Wed, 05 Oct 2016 21:48:58 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Hi,
> 
> the following vulnerability was published for kde-cli-tools.
> 
> CVE-2016-7787[0]:
> kdesu: Displayed command truncated by unicode string terminator
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-7787
> [1] https://www.kde.org/info/security/advisory-20160930-1.txt
> 
> Please adjust the affected versions in the BTS as needed. I'm not sure
> if kde-runtime is as well affected (it looks source wise, since the
> same file can be patched).

It seems both Jessie and Wheezy are affected in some way.
Both show the command in the dialog, but on my vagrant VM installations
the string terminator was not interpreted on Wheezy, just on Jessie.

Test command: kdesudo ls $(printf 'aa\u9chidden')

On Jessie it shows the following dialog:
+-----------------------------------------------------------------------
|  ls aa[]hidden needs administrative privileges. Please eneter your
|  password.
|
| Command ls aa
| Password:|
| OK Cancel
+-----------------------------------------------------------------------
Thus the string terminator takes effect only once.

On Wheezy the dialog looks like this:
+-----------------------------------------------------------------------
|  ls aa[?]hidden needs administrative privileges. Please eneter your
|  password.
|
| Command ls aa[?]hidden
| Password:|
| OK Cancel
+-----------------------------------------------------------------------


[],[?] - block showing unknown unicode character

Cheers,
Balint
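
Added example, not part of the original message and not KDE's patch: one way a privilege prompt can render a command so that the text the user reads cannot diverge from what will be run, by escaping control and format code points such as the U+009C produced by the test command above. The names display_safe, display_command, has_hidden_chars and SAMPLE_ARGV are assumptions made for this sketch.

```python
import unicodedata

# General categories that draw nothing, draw a placeholder box, or that a
# toolkit may act on: controls (Cc, which includes C1 codes such as U+009C),
# format characters (Cf, e.g. bidi overrides), line/paragraph separators,
# surrogates, private use and unassigned code points.
_UNSAFE = {"Cc", "Cf", "Zl", "Zp", "Cs", "Co", "Cn"}


def display_safe(arg: str) -> str:
    """Return arg with every non-printable code point shown as \\u{XXXX}."""
    out = []
    for ch in arg:
        if ch == "\\":
            out.append("\\\\")  # double it so escapes stay unambiguous
        elif unicodedata.category(ch) in _UNSAFE:
            out.append("\\u{%04X}" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def display_command(argv):
    """Build the string to show in the dialog from the argv to be executed."""
    return " ".join(display_safe(a) for a in argv)


def has_hidden_chars(argv):
    """True if any argument contains a code point that would be escaped."""
    return any(unicodedata.category(ch) in _UNSAFE for a in argv for ch in a)


# Constructed sample: the argv produced by
#   kdesudo ls $(printf 'aa\u9chidden')
SAMPLE_ARGV = ["ls", "aa\u009chidden"]

if __name__ == "__main__":
    print(display_command(SAMPLE_ARGV))
    print("hidden characters present:", has_hidden_chars(SAMPLE_ARGV))
```

The same string should be used for both lines of the dialog (the sentence and the "Command" field), since the Jessie output above shows the two being rendered differently.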

