| Name | CVE-2022-23853 |
| Description | The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2 and KTextEditor before 5.91.0 tries to execute the associated LSP server binary when opening a file of a given type. If this binary is absent from the PATH, it will try running the LSP server binary in the directory of the file that was just opened (due to a misunderstanding of the QProcess API, that was never intended). This can be an untrusted directory. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1010180 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| kate (PTS) | jessie | 4:4.14.2-2 | vulnerable |
| stretch | 4:16.08.3-1 | vulnerable | |
| buster | 4:18.08.0-1 | vulnerable | |
| bullseye | 4:20.12.2-1 | vulnerable | |
| bookworm | 4:22.12.3-1 | fixed | |
| sid, trixie | 4:23.08.1-1 | fixed | |
| ktexteditor (PTS) | stretch | 5.28.0-2 | vulnerable |
| buster | 5.54.0-1 | vulnerable | |
| bullseye | 5.78.0-3 | vulnerable | |
| bookworm | 5.103.0-1.1 | fixed | |
| sid, trixie | 5.107.0-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| kate | source | jessie | (unfixed) | end-of-life | ||
| kate | source | (unstable) | 4:21.12.2-1 | |||
| ktexteditor | source | (unstable) | 5.93.0-1 | 1010180 |
[bullseye] - kate <no-dsa> (Minor issue)
[buster] - kate <no-dsa> (Minor issue)
[stretch] - kate <no-dsa> (Minor issue)
[bullseye] - ktexteditor <no-dsa> (Minor issue)
[buster] - ktexteditor <no-dsa> (Minor issue)
[stretch] - ktexteditor <no-dsa> (Minor issue)
https://kde.org/info/security/advisory-20220131-1.txt
KTextEditor: Fixed by: https://commits.kde.org/ktexteditor/804e49444c093fe58ec0df2ab436565e50dc147e
KTextEditor: Fixed by: https://commits.kde.org/ktexteditor/c80f935c345de2e2fb10635202800839ca9697bf
Kate: prerequisites:
https://commits.kde.org/kate/361dd43e42994829dbdb35e78fb7698d27cbb0e2
https://commits.kde.org/kate/6fc3bf6e5bd540e842e32c4a959c2158c8573be5
https://commits.kde.org/kate/92a9c65e30b4b63b8b116eb5c8dcb1e1a2d867bc
Fixed by: https://commits.kde.org/kate/c5d66f3b70ae4778d6162564309aee95f643e7c9
Fixed by: https://commits.kde.org/kate/7e08a58fb50d28ba96aedd5f5cd79a9479b4a0ad