Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 485904 (CVE-2013-4325) - <net-print/hplip-3.14.1: Polkit race condition (CVE-2013-4325)
Summary: <net-print/hplip-3.14.1: Polkit race condition (CVE-2013-4325)
Status: RESOLVED FIXED
Alias: CVE-2013-4325
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on: 484474 497722
Blocks: 485328
  Show dependency tree
 
Reported: 2013-09-24 22:37 UTC by GLSAMaker/CVETool Bot
Modified: 2014-06-26 22:59 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2013-09-24 22:37:23 UTC
CVE-2013-4325 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4325):
  The check_permission_v1 function in base/pkit.py in HP Linux Imaging and
  Printing (HPLIP) through 3.13.9 does not properly use D-Bus for
  communication with a polkit authority, which allows local users to bypass
  intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject
  race condition via a (1) setuid process or (2) pkexec process.


Red Hat's patch: https://bugzilla.redhat.com/attachment.cgi?id=796256&action=diff&context=patch&collapsed=&headers=1&format=raw
Comment 1 Daniel Pielmeier gentoo-dev 2013-09-28 10:19:03 UTC
+*hplip-3.13.9 (28 Sep 2013)
+
+  28 Sep 2013; Daniel Pielmeier <billie@gentoo.org> +hplip-3.13.9.ebuild:
+  Version bump. Includes Red Hat's patch to fix CVE-2013-4325.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-03-14 01:31:05 UTC
Stabilized and cleaned up as part of Bug 497722.

Arhes and Maintainers thank you for your work.

Added to existing GLSA Draf.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 22:59:52 UTC
This issue was resolved and addressed in
 GLSA 201406-27 at http://security.gentoo.org/glsa/glsa-201406-27.xml
by GLSA coordinator Chris Reffett (creffett).