Bugzilla – Bug 1176268
AUDIT-0: CVE-2020-26164: kdeconnect-kde: review of default-enabled network service in openSUSE Leap 15.2, Tumbleweed
Last modified: 2020-12-29 13:10:13 UTC
This is an embargoed bug. This means that this information is not public. Please:
- Do not talk to other people about this unless they're involved in fixing the issue
- Do not make this bug public
- Do not submit this into OBS (e.g. fix Leap) until this bug becomes public (e.g. no EMBARGOED tag on the header)
- Consult security team if you think that the issue is public and the bug is still Embargoed
- Please be aware that the SUSE:SLE-15-SP3:GA codestream is available via OBS. This means that you can't submit security fixes for embargoed issues to this GA codestream under development until they become public.
In doubt please talk to us on IRC (#security), RocketChat (#security) or send us an e-mail.
Internal CRD: 2020-12-07 preliminary
Created attachment 841471: tarball containing reproducer script
The preliminary publication date for these issues as communicated by upstream will be 2020-10-03. We have received a set of bugfixes that I still need to review.
Created attachment 842110: patchset against version 20.08
I reviewed the patchset provided by upstream and it fixes all issues described in the report. You can find the patch in attachment 842110. Please don't publish this yet in OBS or anywhere else. Still missing is a safe pairing procedure. Let's see whether upstream will do something about it. I raised this issue once more with them.
The individual issues are now public via https://kde.org/info/security/advisory-20201002-1.txt. Please start submitting updates for all maintained kdeconnect-kde codestreams. Thank you!
Thanks, Matthias. We're in the process of preparing updates for 15.1, 15.2 and Tumbleweed.
This is an autogenerated message for OBS integration: This bug (1176268) was mentioned in
https://build.opensuse.org/request/show/839182 15.1 / kdeconnect-kde
https://build.opensuse.org/request/show/839186 15.2 / kdeconnect-kde
This is an autogenerated message for OBS integration: This bug (1176268) was mentioned in https://build.opensuse.org/request/show/839235 15.1 / kdeconnect-kde
Thank you for submitting the updates. There is still the topic of the default enablement of the kdeconnectd in openSUSE installations. Can you please find an approach to avoid that? A simple approach might be to remove kdeconnect from the default KDE installation pattern. If a user explicitly installs this package then he hopefully knows what he does. But exposing all users to the potential risks of a network service that isn't mature yet and provides these kinds of remote access features is not okay.
openSUSE-SU-2020:1631-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1176268
CVE References: CVE-2020-26164
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): kdeconnect-kde-20.04.2-lp152.2.3.1
openSUSE Leap 15.1 (src): kdeconnect-kde-1.3.3-lp151.2.3.1
openSUSE-SU-2020:1647-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1176268
CVE References: CVE-2020-26164
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP1 (src): kdeconnect-kde-1.3.3-bp151.4.3.1
openSUSE-SU-2020:1650-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1176268
CVE References: CVE-2020-26164
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): kdeconnect-kde-20.04.2-bp152.2.3.1
The audit and its ramifications should be covered by now. Closing.