Bug 424842 (CVE-2012-2737) - <sys-apps/accountsservice-0.6.22: arbitrary local file read (CVE-2012-2737)
Summary: <sys-apps/accountsservice-0.6.22: arbitrary local file read (CVE-2012-2737)
Status: RESOLVED FIXED
Alias: CVE-2012-2737
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 424944
Blocks:
Reported: 2012-07-05 05:49 UTC by Alexandre Rostovtsev (RETIRED)
Modified: 2012-08-12 00:18 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-07-05 05:49:12 UTC
From RedHat bugzilla entry at URL:

Florian Weimer found a local file disclosure flaw in accountsservice, an account management system using D-Bus for querying and manipulating user accounts.  The implementation of the SetIconFile method of the org.freedesktop.Accounts.User D-Bus interface can disclose arbitrary files due to a race condition in user_change_icon_file_authorized_cb() in /usr/libexec/accounts-daemon.  When this function calls get_caller_uid(), it uses PolicyKit to obtain the UID of the requesting process from /proc.  At the time the UID is fetched, it may not match the original UID making the D-Bus request if the process has executed an SUID binary.

The vulnerability is present in the latest stable version in Gentoo (accountsservice-0.6.15).

It is fixed in >=sys-apps/accountsservice-0.6.22.

=sys-apps/accountsservice-0.6.22 should be stabilized.
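As an added illustration, not code from accountsservice or from this report, the following Python contrasts the two ways of identifying a D-Bus caller that the description turns on: a time-of-use lookup of the PID in /proc, which can report a different owner once the requester has executed an SUID binary, and credentials the kernel bound to the connection when the peer connected (SO_PEERCRED). The /proc status text is constructed, the example is Linux-only, and it shows the safer pattern in general terms rather than reproducing the upstream change in 0.6.22.

```python
import os
import socket
import struct

# Constructed sample of /proc/<pid>/status as a daemon doing a PID-keyed
# lookup at authorization time would read it (Uid: real effective saved fs).
SAMPLE_STATUS = (
    "Name:\tgnome-control-c\n"
    "Pid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "Gid:\t1000\t1000\t1000\t1000\n"
)

# Constructed: the same PID later, after the requester has executed a
# setuid-root binary that called setuid(0). A lookup keyed by PID now
# reports a different owner than the process that sent the request.
SAMPLE_STATUS_LATER = SAMPLE_STATUS.replace(
    "Uid:\t1000\t1000\t1000\t1000", "Uid:\t0\t0\t0\t0")

def parse_status_uids(text):
    """Return (real, effective, saved, fs) UIDs from /proc/<pid>/status text."""
    for line in text.splitlines():
        if line.startswith("Uid:"):
            return tuple(int(x) for x in line.split()[1:5])
    raise ValueError("no Uid: line in status text")

def proc_real_uid(pid):
    """Time-of-use lookup: whatever /proc says about this PID right now.
    This is the pattern the race in the description depends on."""
    with open(f"/proc/{pid}/status") as f:
        return parse_status_uids(f.read())[0]

def peer_uid(conn):
    """Connection-bound credentials: struct ucred {pid, uid, gid} recorded by
    the kernel at connect time; a later execve by the peer does not change it."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid

def demo():
    """Both lookups agree for a process that never changes identity."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        return peer_uid(a) == proc_real_uid(os.getpid()) == os.getuid()
    finally:
        a.close(); b.close()
```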
Comment 1 Agostino Sarubbo gentoo-dev 2012-07-05 13:41:30 UTC
thanks.


Arches, please test and mark stable:
=sys-apps/accountsservice-0.6.22
Target KEYWORDS : "amd64 arm x86"
Comment 2 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-05 21:47:11 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2012-07-06 09:52:05 UTC
amd64 stable
Comment 4 Markus Meier gentoo-dev 2012-07-19 20:23:12 UTC
arm stable, all arches done.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-19 20:46:00 UTC
Thanks, everyone. 

GLSA vote: no.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-08-12 00:18:46 UTC
Thanks, folks. GLSA Vote: no too. closing noglsa.