CVE-2019-7443

Name: CVE-2019-7443
Description: KDE KAuth before 5.55 allows the passing of parameters with arbitrary types to helpers running as root over DBus via DBusHelperProxy.cpp. Certain types can cause crashes, and trigger the decoding of arbitrary images with dynamically loaded plugins. In other words, KAuth unintentionally causes this plugin code to run as root, which increases the severity of any possible exploitation of a plugin vulnerability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)
Debian Bugs: 921995, 922727

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                    | Version            | Status
kauth (PTS)     | stretch                    | 5.28.0-2+deb9u1    | fixed
kauth (PTS)     | buster, sid                | 5.54.0-2           | fixed
kde4libs (PTS)  | jessie (security), jessie  | 4:4.14.2-5+deb8u2  | vulnerable
kde4libs (PTS)  | stretch                    | 4:4.14.26-2        | vulnerable
kde4libs (PTS)  | buster, sid                | 4:4.14.38-3        | vulnerable

The information below is based on the following data on fixed versions.

Package   | Type    | Release     | Fixed Version     | Urgency | Origin | Debian Bugs
kauth     | source  | (unstable)  | 5.54.0-2          | high    |        | 921995
kauth     | source  | stretch     | 5.28.0-2+deb9u1   | high    |        |
kde4libs  | source  | (unstable)  | (unfixed)         | high    |        | 922727

Notes

[buster] - kde4libs <no-dsa> (Minor issue)
[stretch] - kde4libs <no-dsa> (Minor issue)
[jessie] - kde4libs <no-dsa> (Minor issue)
https://mail.kde.org/pipermail/kde-announce/2019-February/000011.html
https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a