#1011624 kdesu: kdesu fails to authenticate with sudo from testing/unstable

#1011624#5
Date: 2022-05-25 12:58:58 UTC
kdesu fails to authenticate with sudo from testing/unstable.

Examples: launching ksystemlog from the main menu, or trying to run
krusader root mode option via its 'Tools > Start Krusader Root Mode'
menu entry. Assuming that the current user is a member of the sudo group.

On entering the correct password, authentication is refused, stating that
possibly an incorrect password has been entered.

It appears that kdesu fails to cope with the sudo config CVE fix in this
commit:

https://salsa.debian.org/sudo-team/sudo/-/commit/59db341d46aa4c26b54c1270e69f2562e7f3d751

KDE bug: https://bugs.kde.org/show_bug.cgi?id=452532

The issue can be worked around by adding /etc/sudoers.d/kdesu with the
contents

Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty

#1011624#10
Date: 2022-05-26 14:09:42 UTC
kdesu is cordially invited to ship that file in the package, fixing the
issue for everybody. Please add a comment with the reference to this bug
report and remove the file once kdesu has been fixed upstream.

Greetings
Marc

#1011624#18
Date: 2022-06-01 10:05:05 UTC
We believe that the bug you reported is fixed in the latest version of
kdesu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1011624@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurélien COUDERC <coucouf@debian.org> (supplier of updated kdesu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 01 Jun 2022 11:20:21 +0200
Source: kdesu
Architecture: source
Version: 5.94.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Aurélien COUDERC <coucouf@debian.org>
Closes: 1011624
Changes:
 kdesu (5.94.0-2) unstable; urgency=medium
 .
   [ Rik Mills ]
   * Disable use of sudo 'Defaults use_pty' for kdesu. (Closes: #1011624)
   * Improve short description for libkf5su5.

#1011624#23
Date: 2022-06-01 10:35:01 UTC
Dear Marc,

On 26/05/2022 at 16:09, Marc Haber wrote:

kdesu is now cordially shipping the file in the package. :-)

Would you mind commenting on why this is OK from a security perspective?

I’m no security expert at all but if I read the CVE description
correctly, the issue is with the su'ed command being able to escape the
su user session.
Is it OK in this case because kdesu is used to gain root from non-root
and so escaping the su session only gives you back the original non-root
user rights?


Thanks,
--
Aurélien

#1011624#31
Date: 2022-06-01 10:40:03 UTC
;-)

There is a discussion in the KDE bug ticket that seems to make sense to
me. kdesu is exploiting a vulnerability in sudo that we fixed by forcing
the pty. If we don't want to lose kdesu's functionality, we need to either
fix kdesu so that it uses "legal" methods to use sudo, or we need to
re-open the vulnerability to allow unmodified kdesu to work.

This is kdesu's vulnerability now ;-)

I would love to see kdesu fixed in the future, so that the "insecure"
sudo rule can be removed. It would be an idea to ship the file with the
rule commented out by default so that every local admin can cause their
own vulnerability, but that'd probably cause a new avalanche of "kdesu
broken" bug reports.

I hope that other people can comment on that, I would need to ponder
about that for some time.

Greetings
Marc
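
Added example (not part of the bug report and not code from the sudo or kdesu packages): a small audit helper that lists every sudoers Defaults entry switching use_pty off, so an exemption like the kdesu one can be tracked and removed once it is no longer needed. The sample input is constructed, the function names are hypothetical, and the parser is a simplified reading of sudoers syntax.

```python
import re

# Constructed sample sudoers content: the global default plus the
# per-command override quoted in this bug report.
SAMPLE = r"""
Defaults use_pty
Defaults env_reset, \
         mail_badpass
# Defaults!/usr/bin/example !use_pty
Defaults!/usr/lib/*/libexec/kf5/kdesu_stub !use_pty  # Debian #1011624
%sudo ALL=(ALL:ALL) ALL
"""

SCOPES = {"@": "host", ":": "user", "!": "command", ">": "runas", None: "global"}
# Defaults, optional binding (type char + comma-separated list), then parameters.
# Simplification: targets containing escaped spaces or '#' are not handled.
DEFAULTS_RE = re.compile(
    r"^Defaults(?:([@:!>])\s*((?:[^\s,]+\s*,\s*)*[^\s,]+))?\s+(.*)$")

def logical_lines(text):
    """Join backslash continuations, strip comments, skip blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line).strip()
        if line:
            yield line

def use_pty_settings(text):
    """Return (scope, target, enabled) for each Defaults entry touching use_pty."""
    found = []
    for line in logical_lines(text):
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        kind, target, params = m.groups()
        for param in params.split(","):
            flag = re.fullmatch(r"(!*)use_pty", param.strip())
            if flag:  # an odd number of '!' negates a boolean flag
                enabled = len(flag.group(1)) % 2 == 0
                found.append((SCOPES[kind], target, enabled))
    return found

def pty_exemptions(text):
    """Entries that switch use_pty off and should be tracked for removal."""
    return [(scope, target) for scope, target, on in use_pty_settings(text) if not on]

if __name__ == "__main__":
    for scope, target in pty_exemptions(SAMPLE):
        print(f"use_pty disabled for {scope}: {target}")
```

To audit a real system, feed it the contents of /etc/sudoers and each file under /etc/sudoers.d, read with sufficient privileges.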
