Summary: | <sys-auth/polkit-0.112: Unspecified vulnerability (CVE-2013-4288) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Doug Goldstein (RETIRED) <cardoe> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | critical | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4288 | ||
Whiteboard: | A1 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 484488, 485328, 485420 |
Description
Doug Goldstein (RETIRED)
2013-09-10 14:52:32 UTC
It's past the embargo date you specified and there is no information in this bug as to which package has a vulnerability, much less any information about the vulnerability. It defeats the purpose of having a restricted bug. Unrestricting the bug and will close it invalid in 48 hours if more information is not provided. (In reply to Sean Amoss from comment #1) > It's past the embargo date you specified and there is no information in this > bug as to which package has a vulnerability, much less any information about > the vulnerability. It defeats the purpose of having a restricted bug. > > Unrestricting the bug and will close it invalid in 48 hours if more > information is not provided. Embargo has been pushed back to Sept 18th by the vendor. I would provide some information on the bug that I can but now that its unrestricted I can't. (In reply to Doug Goldstein from comment #2) > Embargo has been pushed back to Sept 18th by the vendor. I would provide > some information on the bug that I can but now that its unrestricted I can't. We are talked about this issue. Unless you provide some useful info, this bug will be marked as INVALID. Reporting restricted bugs about some vulnerability in some product is counter-productive. Either provide info in RESTRICTED bug, which contents we, as a security team will keep in private for a certain date, or do not file such bugs at our bugzilla at all. Let's all relax. What I agreed to said I would not disclose any information to people not on the list which apparently no one from security@gentoo.org is on. I needed clarification before I could fill details in, telling me that you won't disclose information is not good enough until I got clarification. By the time I did this bug was marked unrestricted so I couldn't add any information. This is the first time I'm getting back to it now that its toggled restricted again. This bug was primarily made not for security@gentoo.org but for the maintainer of this package to coordinate with me on bug #484488 for stabilization. This bug is for polkit. We'll have this be to stabilize polkit-0.110-r1 but add polkit-0.112 for the ~arch users. Are we waiting until the embargo ends to stable sys-auth/polkit-0.110-r1 ? Embargo over, hit oss-security yesterday. Ready to stable? (In reply to Chris Reffett from comment #6) > Embargo over, hit oss-security yesterday. Ready to stable? Yes. target version: 0.110-r1 (In reply to Doug Goldstein from comment #7) > (In reply to Chris Reffett from comment #6) > > Embargo over, hit oss-security yesterday. Ready to stable? > > Yes. > > target version: 0.110-r1 lets do 0.112 instead (I wanted 0.111 stable anyways and 0.112 is not much more than 0.111 + the patch) amd64 stable x86 stable arm stable ppc stable ppc64 stable ia64 stable alpha stable sparc stable SH is not anymore a stable arch, removing it from the cc list S390 is not anymore a stable arch, removing it from the cc list Added to existing GLSA request. CVE-2013-4288 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4288): Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck. This issue was resolved and addressed in GLSA 201406-27 at http://security.gentoo.org/glsa/glsa-201406-27.xml by GLSA coordinator Chris Reffett (creffett). |