KDE Project Security Advisory ============================= Title: kdesu: Displayed command truncated by unicode string terminator Risk Rating: Important CVE: CVE-2016-7787 Versions: kde-cli-tools < 5.7.5 Author: Albert Astals Cid [email protected] Date: 30 September 2016
Overview ======== A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user. Impact ====== Users can unwillingly run commands as root. Workaround ========== Users should be careful when running kdesu with a command line they have not written themselves. Solution ======== kde-cli-tools 5.7.5, released as part of KDE Plasma does not allow the execution of commands with such characters. Alternatively, commit 5eda179a099ba68a20dc21dc0da63e85a565a171 in kde-cli-tools.git can be applied to previous releases. Thanks to Fabian Vogt for reporting this issue. Thanks to Martin Sandsmark for fixing this issue.
