CVE-2019-7443

Name: CVE-2019-7443
Description: KDE KAuth before 5.55 allows the passing of parameters with arbitrary types to helpers running as root over DBus via DBusHelperProxy.cpp. Certain types can cause crashes, and trigger the decoding of arbitrary images with dynamically loaded plugins. In other words, KAuth unintentionally causes this plugin code to run as root, which increases the severity of any possible exploitation of a plugin vulnerability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 921995, 922727

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package  | Release                | Version            | Status
----------------|------------------------|--------------------|-----------
kauth (PTS)     | stretch                | 5.28.0-2+deb9u1    | fixed
                | buster                 | 5.54.0-2           | fixed
                | bullseye               | 5.78.0-2           | fixed
                | bookworm               | 5.103.0-1          | fixed
                | sid, trixie            | 5.115.0-2          | fixed
kde4libs (PTS)  | jessie, jessie (lts)   | 4:4.14.2-5+deb8u3  | vulnerable
                | stretch (lts), stretch | 4:4.14.26-2+deb9u1 | vulnerable
                | buster                 | 4:4.14.38-3        | vulnerable

The information below is based on the following data on fixed versions.

Package   | Type   | Release    | Fixed Version    | Urgency     | Origin | Debian Bugs
----------|--------|------------|------------------|-------------|--------|------------
kauth     | source | stretch    | 5.28.0-2+deb9u1  |             |        |
kauth     | source | (unstable) | 5.54.0-2         |             |        | 921995
kde4libs  | source | wheezy     | (unfixed)        | end-of-life |        |
kde4libs  | source | (unstable) | (unfixed)        |             |        | 922727

Notes

[buster] - kde4libs <ignored> (Minor issue)
[stretch] - kde4libs <ignored> (Minor issue)
[jessie] - kde4libs <no-dsa> (Minor issue)
https://mail.kde.org/pipermail/kde-announce/2019-February/000011.html
https://github.com/KDE/kauth/commit/fc70fb0161c1b9144d26389434d34dd135cd3f4a
