Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 489206 (CVE-2013-4326) - sys-auth/rtkit: Polkit race condition (CVE-2013-4326)
Summary: sys-auth/rtkit: Polkit race condition (CVE-2013-4326)
Status: RESOLVED INVALID
Alias: CVE-2013-4326
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [noglsa]
Keywords:
Depends on:
Blocks: 485328
  Show dependency tree
 
Reported: 2013-10-23 23:33 UTC by GLSAMaker/CVETool Bot
Modified: 2014-12-19 10:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2013-10-23 23:33:26 UTC 
CVE-2013-4326 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4326):
  RealtimeKit (aka rtkit) 0.5 does not properly use D-Bus for communication
  with a polkit authority, which allows local users to bypass intended access
  restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition
  via a (1) setuid process or (2) pkexec process, a related issue to
  CVE-2013-4288.


https://bugzilla.redhat.com/attachment.cgi?id=796255 is the Red Hat patch for this issue.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-23 23:48:59 UTC 
My mistake, I didn't realize that we never had this version. Closing.
Comment 2 Pacho Ramos gentoo-dev 2014-12-19 10:53:46 UTC 
Looks strange to me that all distributions are applying the patch to 0.11 version too for fixing this bug :/, anyway, I have just filled bug 533012 as it also fixes a bug with current systemd version