Summary: | [Tracker] polkit races | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | systemd |
Priority: | Normal | Keywords: | Tracker |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2013/09/18/4 | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 484486, 484488, 485420, 485546, 485904, 489206 | | |
Bug Blocks: | | | |
Description
Agostino Sarubbo
2013-09-18 18:32:20 UTC
This is a (probably preliminary) list of CVEs and applications affected:

CVE-2013-4288 polkit: unix-process subject for authorization is racy
CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
CVE-2013-4325 hplip: use of insecure polkit DBUS API
CVE-2013-4326 rtkit: use of insecure polkit DBUS API
CVE-2013-4327 systemd: use of insecure polkit DBUS API

I suppose it's this?
http://cgit.freedesktop.org/systemd/systemd/commit/?id=72fd713962ca2c2450e23b01d9e22017a7e28fd4
Plus Cardoe committed 0.112 to tree today for this CVE.

I know at least rtkit, hplip, and systemd are all vulnerable to this.