| === vlm_ is now known as vlm | ||
| Eickmeyer | Hey security team! I've got a fun one for you guys. A fix for CVE-2005-4890 in sudo broke kdesu in both Kubuntu and Ubuntu Studio and we've got this nasty bug 1965439 going on. | 15:53 |
|---|---|---|
| ubottu | Bug 1965439 in ubuntustudio-default-settings (Ubuntu Jammy) "software-properties-qt can no longer launch when called by kdesu" [High, In Progress] https://launchpad.net/bugs/1965439 | 15:53 |
| ubottu | There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4890> | 15:54 |
| Eickmeyer | We're not sure if bugging Debian about a different approach to fixing the CVE would be more appropriate or bugging KDE to work around the issue is more appropreiate, but it's extremely complicated and we've got some major breakage. | 15:54 |
| === vlm_ is now known as vlm | ||
| Eickmeyer | Would love to hear some thoughts on this. Just ping me. | 15:57 |
| === vlm_ is now known as vlm | ||
| rbasak | leosilva: ^ | 16:21 |
| * leosilva looks | 16:23 | |
| leosilva | it sounds comment use_pty line makes it works as previous, and by the fix comment in the possibly culprit patch, sounds like/2 a thing was added to be opt. I don't think debian would bored about it at all. | 16:33 |
| Eickmeyer | leosilva: So, should we file a bug against it saying this was basically the wrong approach to fix the CVE and to try something else because they broke our stuff in the process? | 16:43 |
| mdeslaur | well, that assumes it's the wrong approach... | 16:44 |
| Eickmeyer | This is what I'm saying, I just don't have enough info to assume that. | 16:44 |
| mdeslaur | running stuff with pkexec definitely isn't the right approach | 16:44 |
| mdeslaur | but changing that is a large undertaking | 16:44 |
| Eickmeyer | Right, and discover, for instance, is hardcoded to use kdesu. | 16:44 |
| mdeslaur | so finding a work-around is needed | 16:44 |
| mdeslaur | I don't really know what the work-around could be | 16:45 |
| Eickmeyer | The workaround we're using for driver manager (a kubuntu/studio specfic kde control center module) is to open xterm to run 'sudo software-properties-qt', but it's a hack at best and is very... gross. | 16:46 |
| mdeslaur | yeah, far from ideal | 16:47 |
| Eickmeyer | Unfortunately, that doesn't work for KDE apps that are hardcoded for kdesu. | 16:47 |
| Eickmeyer | I suppose I could write a kdesu shim that runs pkexec instead (again, ew). | 16:47 |
| mdeslaur | "kdesu can work without the kdesud daemon, but for it to use the kdesud daemon it must be setgid, that has been the case for a long time..." | 16:49 |
| mdeslaur | does that mean kdesu is using sudo when not using the kdesud daemon? | 16:49 |
| mdeslaur | I'm trying to understand what exactly is using sudo | 16:49 |
| Eickmeyer | Me too. RikMills ^ ? | 16:49 |
| * Eickmeyer is running out of time and must take his son to school on his late start Friday morning | 16:50 | |
| Eickmeyer | mdeslaur: I think that might be the case. | 16:53 |
| RikMills | I think maybe. However 1st thing I tried was setting that setgid, and it didn't help one jot | 16:55 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!