Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 517864 (CVE-2014-5033) - <kde-base/kdelibs-4.12.5-r2: KAuth authentication bypass (CVE-2014-5033)
Summary: <kde-base/kdelibs-4.12.5-r2: KAuth authentication bypass (CVE-2014-5033)
Status: RESOLVED FIXED
Alias: CVE-2014-5033
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-07-23 10:26 UTC by Agostino Sarubbo
Modified: 2015-01-04 20:40 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-07-23 10:26:48 UTC
From ${URL} :

The polkit authentication backend in KDE's KAuth code
used the UnixProcess subject for authenticating actions.
This is subject to race conditions and allows local users
to elevate their privileges by bypassing any of the KAuth checks.
A followup of CVE-2013-4288.

Discussion and patch can be found here:

https://bugzilla.novell.com/show_bug.cgi?id=864716



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Michael Palimaka (kensington) gentoo-dev 2014-07-23 10:37:42 UTC
Patching now.
Comment 2 Michael Palimaka (kensington) gentoo-dev 2014-07-23 11:09:24 UTC
+  23 Jul 2014; Michael Palimaka <kensington@gentoo.org>
+  +files/kdelibs-4.13.3-CVE-2014-5033.patch, +kdelibs-4.12.5-r2.ebuild,
+  +kdelibs-4.13.3-r1.ebuild, -kdelibs-4.13.3.ebuild:
+  Backport patch from upstream to solve CVE-2014-5033 wrt bug #517864.

kdelibs-4.12.5-r2 is fine to stabilise, unless we want to do 4.13 a bit early.
Comment 3 Johannes Huber (RETIRED) gentoo-dev 2014-07-23 15:18:11 UTC
Thanks Michael. 4.13 is not ready yet. So lets go the fast track.

Arches please stabilize =kde-base/kdelibs-4.12.5-r2
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-07-24 02:04:08 UTC
Arches, please test and mark stable:

=kde-base/kdelibs-4.12.5-r2

Target Keywords : "amd64 ppc ppc64 x86"

Thank you!
Comment 5 Richard Freeman gentoo-dev 2014-07-27 13:41:56 UTC
amd64 stable
Comment 6 Andreas Schürch gentoo-dev 2014-08-08 14:00:11 UTC
x86 done, thanks.
Comment 7 Agostino Sarubbo gentoo-dev 2014-08-08 21:36:04 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-08-09 10:49:19 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 9 Johannes Huber (RETIRED) gentoo-dev 2014-08-09 11:09:46 UTC
Thanks all, cleanup done. Nothing to do for kde herd here anymore, removing from cc.

+
+  09 Aug 2014; Johannes Huber <johu@gentoo.org> -kdelibs-4.12.5-r1.ebuild:
+  Remove vulnerable version, bug #517864.
+
Comment 10 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-08-09 11:52:35 UTC
GLSA vote: no.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2014-08-19 05:13:17 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
No GLSA - Closing Bug as Resolved
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 20:40:27 UTC
CVE-2014-5033 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5033):
  KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for
  communication with a polkit authority, which allows local users to bypass
  intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject
  race condition via a (1) setuid process or (2) pkexec process, related to
  CVE-2013-4288 and "PID reuse race conditions."