
Bug 489206 (CVE-2013-4326)

Summary: sys-auth/rtkit: Polkit race condition (CVE-2013-4326)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: major
CC: ford_prefect, maintainer-needed
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B1 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 485328    

Description GLSAMaker/CVETool Bot gentoo-dev 2013-10-23 23:33:26 UTC
CVE-2013-4326 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4326):
  RealtimeKit (aka rtkit) 0.5 does not properly use D-Bus for communication
  with a polkit authority, which allows local users to bypass intended access
  restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition
  via a (1) setuid process or (2) pkexec process, a related issue to
  CVE-2013-4288.


https://bugzilla.redhat.com/attachment.cgi?id=796255 is the Red Hat patch for this issue.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-23 23:48:59 UTC
My mistake, I didn't realize that we never had this version. Closing.
Comment 2 Pacho Ramos gentoo-dev 2014-12-19 10:53:46 UTC
Looks strange to me that all distributions are applying the patch to the 0.11 version too for fixing this bug :/. Anyway, I have just filed bug 533012, as it also fixes a bug with the current systemd version.