Privilege Escalation via KDE Clock KCM polkit helper

[David Edmundson <davidedmundson () kde org>]

Hello, I found a security issue in KDE which under Ubuntu and some other
distros allows a program to run arbitrary processes as root from an admin
user without any prompts.

I need a CVE number.  I understand you are an authority that can provide
this.

Let me know if I can help provide anything else.


KDE Project Security Advisory
=============================

Title:          kde-workspace:
Risk Rating:    Medium (??)
CVE: ???
Platforms:      All
Versions:       kde-workspace < 4.14.3
Author:         David Edmundson <davidedmundson () kde org>
Date:           4 November 2014

Overview
========

KDE workspace configuration module for setting the date and time has a
helper program
which runs as root for performing actions. This is secured with polkit.

This helper takes the name of the ntp utility to run as an argument. This
allows a hacker
to run any arbitrary command as root under the guise of updating the time.

Impact
======

An application can gain root priveledges from an admin user with either
misleading information
or no interaction.

On some systems the user will be shown a prompt to change the time.
However, if the system has
policykit-desktop-privileges installed, the datetime helper will be invoked
by an admin user
without any prompts.


Workaround
==========

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action

Solution
========

Upgrade kde-desktop to 4.14.3 once released or apply the following patch:
https://git.reviewboard.kde.org/r/120977/


Credits
=======

Thanks to David Edmundson for finding and fixing the issue