Candidate: CVE-2020-27187
PublicDate: 2020-10-26 17:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27187
 https://kde.org/info/security/advisory-20201017-1.txt
 https://invent.kde.org/system/kpmcore/-/commit/c466c5db11b5cee546d1ec0594c2f1105a354fed (fix)
 https://invent.kde.org/system/kpmcore/-/commit/7ec4b611dcf822439b081613cca4184689266454 (removes KF5 5.73 dependency)
 https://bugzilla.redhat.com/show_bug.cgi?id=1890199
Description:
 An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The
 kpmcore_externalcommand helper contains a logic flaw in which the service
 invoking D-Bus is not properly checked. An attacker on the local machine
 can replace /etc/fstab, and execute mount and other partitioning related
 commands, while KDE Partition Manager is running. the mount command can
 then be used to gain full root privileges.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]


Patches_kpmcore:
upstream_kpmcore: released (4.2.0-1)
precise/esm_kpmcore: DNE
trusty_kpmcore: ignored (out of standard support)
trusty/esm_kpmcore: DNE
xenial_kpmcore: DNE
bionic_kpmcore: needs-triage
focal_kpmcore: needs-triage
groovy_kpmcore: ignored (reached end-of-life)
hirsute_kpmcore: not-affected (4.2.0-2)
impish_kpmcore: not-affected (4.2.0-2)
jammy_kpmcore: not-affected (4.2.0-2)
devel_kpmcore: not-affected (4.2.0-2)