Security update for kauth SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1277-1 Final 1 1 2019-04-26T05:55:02Z current 2019-04-26T05:55:02Z 2019-04-26T05:55:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for kauth This update for kauth fixes the following issues: Security issue fixed: - CVE-2019-7443: Fixed an insecure handling of arguments in helpers by removing the support of passing gui variants (bsc#1124863). This update was imported from the openSUSE:Leap:15.0:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1277 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DYXRURFCJ4V45YTWBIHAHA4MX62HBZCX/#DYXRURFCJ4V45YTWBIHAHA4MX62HBZCX E-Mail link for openSUSE-SU-2019:1277-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1124863 SUSE Bug 1124863 https://www.suse.com/security/cve/CVE-2019-7443/ SUSE CVE CVE-2019-7443 page SUSE Package Hub 15 kauth-devel-5.45.0-bp150.8.2 kauth-devel-64bit-5.45.0-bp150.8.2 libKF5Auth5-5.45.0-bp150.8.2 libKF5Auth5-64bit-5.45.0-bp150.8.2 libKF5Auth5-lang-5.45.0-bp150.8.2 libpolkit-qt5-1-1-0.112.0-bp150.3.6.1 libpolkit-qt5-1-1-64bit-0.112.0-bp150.3.6.1 libpolkit-qt5-1-devel-0.112.0-bp150.3.6.1 libpolkit-qt5-1-devel-64bit-0.112.0-bp150.3.6.1 kauth-devel-5.45.0-bp150.8.2 as a component of SUSE Package Hub 15 kauth-devel-64bit-5.45.0-bp150.8.2 as a component of SUSE Package Hub 15 libKF5Auth5-5.45.0-bp150.8.2 as a component of SUSE Package Hub 15 libKF5Auth5-64bit-5.45.0-bp150.8.2 as a component of SUSE Package Hub 15 libKF5Auth5-lang-5.45.0-bp150.8.2 as a component of SUSE Package Hub 15 libpolkit-qt5-1-1-0.112.0-bp150.3.6.1 as a component of SUSE Package Hub 15 libpolkit-qt5-1-1-64bit-0.112.0-bp150.3.6.1 as a component of SUSE Package Hub 15 libpolkit-qt5-1-devel-0.112.0-bp150.3.6.1 as a component of SUSE Package Hub 15 libpolkit-qt5-1-devel-64bit-0.112.0-bp150.3.6.1 as a component of SUSE Package Hub 15 KDE KAuth before 5.55 allows the passing of parameters with arbitrary types to helpers running as root over DBus via DBusHelperProxy.cpp. Certain types can cause crashes, and trigger the decoding of arbitrary images with dynamically loaded plugins. In other words, KAuth unintentionally causes this plugin code to run as root, which increases the severity of any possible exploitation of a plugin vulnerability. CVE-2019-7443 SUSE Package Hub 15:kauth-devel-5.45.0-bp150.8.2 SUSE Package Hub 15:kauth-devel-64bit-5.45.0-bp150.8.2 SUSE Package Hub 15:libKF5Auth5-5.45.0-bp150.8.2 SUSE Package Hub 15:libKF5Auth5-64bit-5.45.0-bp150.8.2 SUSE Package Hub 15:libKF5Auth5-lang-5.45.0-bp150.8.2 SUSE Package Hub 15:libpolkit-qt5-1-1-0.112.0-bp150.3.6.1 SUSE Package Hub 15:libpolkit-qt5-1-1-64bit-0.112.0-bp150.3.6.1 SUSE Package Hub 15:libpolkit-qt5-1-devel-0.112.0-bp150.3.6.1 SUSE Package Hub 15:libpolkit-qt5-1-devel-64bit-0.112.0-bp150.3.6.1 moderate 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DYXRURFCJ4V45YTWBIHAHA4MX62HBZCX/#DYXRURFCJ4V45YTWBIHAHA4MX62HBZCX https://www.suse.com/security/cve/CVE-2019-7443.html CVE-2019-7443 https://bugzilla.suse.com/1124863 SUSE Bug 1124863 https://bugzilla.suse.com/1170293 SUSE Bug 1170293