patday8472 wrote: Sun Jan 20, 2019 2:27 pm
when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during installation of a VirtualBox extension pack.
I am not quite sure what the above quote means. You would still have to have access to the computer itself for the attack to work, correct? It also couldn't be done remotely?
What I understand of it is enough reason for me to avoid it and use the more modern approach for elevated privileges using sudo/su/pkexec/admin:/// to get done what I need/want locally.
As for the "can it be / it couldn't be done remotely" question, yes, it appears to be vulnerable to remote exploit.
Drilling down from the CVE page here:
https://nvd.nist.gov/vuln/detail/CVE-2014-2886
I see two pieces of info that caution me, one is what CWE-264 means:
https://cwe.mitre.org/data/definitions/264.html
CWE CATEGORY: Permissions, Privileges, and Access Controls
Category ID: 264
Summary
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
and
Base Score: 6.8 MEDIUM
Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) (V2 legend)
Impact Subscore: 6.4
Exploitability Subscore: 8.6
Access Vector (AV): Network
V2 legend is a link to:
https://www.first.org/cvss/v2/guide
which explains the codes in the vector, including "access vector: network", as:
Network (N) A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable". An example of a network attack is an RPC buffer overflow.
the CVE also includes these links, which I would consider first to help decide if I wanted to use the vulnerable software/service at all:
http://savannah.nongnu.org/bugs/?40023
https://community.rapid7.com/community/ ... n-via-gksu (Exploit) <---this is marked as so in the CVE
https://launchpad.net/bugs/1186676
https://security.gentoo.org/glsa/201812-10
patday8472 wrote: Sun Jan 20, 2019 2:27 pm
As far as my Gksu issue itself goes, I got it installed thanks to another poster.
I am still curious about what this means (see quote below) for the Xfce Fedora spin?
Although this spin failed to compose for the final release, this test compose contains fixes over the final content to allow for a successful compose and should meet most users' needs. You can verify the test compose image with a dedicated CHECKSUM file for 64-bit and 32-bit images.
Not sure what that means either!
where did you get that quote from?
edit to add:
the Gentoo link above confirms it is still exploitable (at least the version used by Gentoo) and was verified very recently:
https://security.gentoo.org/glsa/201812-10
Release Date December 30, 2018
Latest Revision December 30, 2018: 1
Severity normal
Exploitable remote
and their advice?
no workaround, simply uninstall it
Resolution
Gentoo has discontinued support for GKSu and recommends that users unmerge the package
I imagine it is similar to why Debian pulled it, affecting Mint. My due diligence is done on the matter, I'm convinced it is unsafe and replacements are sufficient. I do hope this helps you make an appropriately informed decision as well!