CVE-2020-27187

Published: 26 October 2020

An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning-related commands, while KDE Partition Manager is running. The mount command can then be used to gain full root privileges.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package: kpmcore

Release | Status
Upstream | Released (4.2.0-1)
Ubuntu 21.10 (Impish Indri) | Not vulnerable (4.2.0-2)
Ubuntu 21.04 (Hirsute Hippo) | Not vulnerable (4.2.0-2)
Ubuntu 20.04 LTS (Focal Fossa) | Needs triage
Ubuntu 18.04 LTS (Bionic Beaver) | Needs triage
Ubuntu 16.04 ESM (Xenial Xerus) | Does not exist
Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist