kpmcore is vulnerable to privilege escalation. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab and execute the mount command to gain root privileges.
bugzilla.redhat.com/show_bug.cgi?id=1890199
github.com/KDE/partitionmanager/compare/v4.1.0...v4.2.0
kde.org/info/security/advisory-20201017-1.txt
secdb.alpinelinux.org/edge/community.yaml
secdb.alpinelinux.org/v3.12/community.yaml
secdb.alpinelinux.org/v3.13/community.yaml
security.gentoo.org/glsa/202011-03