CVE-2019-7443: Input Validation
First published: Tue May 07 2019(Updated: )
KDE KAuth before 5.55 allows the passing of parameters with arbitrary types to helpers running as root over DBus via DBusHelperProxy.cpp. Certain types can cause crashes, and trigger the decoding of arbitrary images with dynamically loaded plugins. In other words, KAuth unintentionally causes this plugin code to run as root, which increases the severity of any possible exploitation of a plugin vulnerability.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| KDE KAuth | <5.55.0 | |
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =42.3 | |
| Opensuse Backports | ||
| SUSE Linux Enterprise | =15.0 | |
| Fedoraproject Fedora | =28 | |
| Fedoraproject Fedora | =29 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00060.html
- http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00065.html
- https://bugzilla.suse.com/show_bug.cgi?id=1124863
- https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAWLQKTUQJOAPXOFWJQAQCA4LVM2P45F/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXVUJNXB6QKGPT6YJPJSG3U2BIR5XK5Y/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DAWLQKTUQJOAPXOFWJQAQCA4LVM2P45F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PXVUJNXB6QKGPT6YJPJSG3U2BIR5XK5Y/
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2019-7443.
What is the severity level of CVE-2019-7443?
CVE-2019-7443 has a severity level of critical (8.1).
How does CVE-2019-7443 affect KDE KAuth?
CVE-2019-7443 affects KDE KAuth versions up to and excluding 5.55.0.
How can this vulnerability be exploited?
This vulnerability can be exploited by passing parameters with arbitrary types to helpers running as root over DBus via DBusHelperProxy.cpp.
Are there any known fixes for CVE-2019-7443?
Yes, updating KDE KAuth to version 5.55.0 or higher is the recommended fix for this vulnerability.
- collector/nvd-index
- agent/severity
- agent/references
- agent/author
- agent/type
- agent/event
- agent/weakness
- agent/description
- agent/remedy
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/kde
- canonical/kde kauth
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/42.3
- canonical/opensuse backports
- vendor/suse
- canonical/suse linux enterprise
- version/suse linux enterprise/15.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/28
- version/fedoraproject fedora/29