Dear Marc,
Le 26/05/2022 à 16:09, Marc Haber a écrit :
On Wed, May 25, 2022 at 01:58:58PM +0100, Rik Mills wrote:
The issue can be worked around by adding /etc/sudoers.d/kdesu with the
contents
Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty
kdesu is cordially invited to ship that file in the package, fixing the
issue for everybody. Please add a comment with the reference to this bug
report and remove the file once kdesu was fixed upstream.
kdesu is now cordially shipping the file in the package. :-)
Would you mind to comment why this is OK from a security perspective ?
I’m no security expert at all but if I read the CVE description
correctly, the issue is with the su'ed command being able to escape the
su user session.
Is it OK in this case because kdesu is used to gain root from non-root
and so escaping the su session only gives you back the original non-root
user rights ?
Thanks,
--
Aurélien
