
Bug 485546 (CVE-2013-4327)

Summary: <sys-apps/systemd-204-r1: PolicyKit UID Checking Race Condition Privilege Escalation Weakness (CVE-2013-4327)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: systemd
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/54948/
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 485328    

Description Agostino Sarubbo gentoo-dev 2013-09-21 07:31:29 UTC
From ${URL} :

Description

A weakness has been reported in systemd, which can be exploited by malicious, local users to gain 
escalated privileges.

The weakness is caused due to an insecure use of the DBUS interface when interacting with the 
polkit authority.

For more information:
SA54875

The weakness is reported in version 207. Other versions may also be affected.


Solution:
Fixed in the GIT repository.




@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-09-21 07:47:47 UTC
Do I understand correctly that this is about:

commit 72fd713962ca2c2450e23b01d9e22017a7e28fd4
Author: Colin Walters <walters@verbum.org>
Date:   Thu Aug 22 13:55:21 2013 -0400

    polkit: Avoid race condition in scraping /proc
    
    If a calling process execve()s a setuid program, it can appear to be
    uid 0.  Since we're receiving requests over DBus, avoid this by simply
    passing system-bus-name as a subject.

?
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-09-22 08:36:31 UTC
Fixed in -207-r2 and -204-r1. -204-r1 is ready for stabilization but it will require stabilizing =sys-apps/gentoo-systemd-integration-1 (it's basically a few files from FILESDIR moved to a separate package).
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-22 11:39:39 UTC
Arches, please test and mark stable:
=sys-apps/systemd-204-r1
=sys-apps/gentoo-systemd-integration-1
Target keywords : "amd64 arm ppc ppc64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2013-09-26 17:29:04 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-28 20:29:18 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-09-28 20:29:35 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-09-28 20:29:51 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-09-28 20:30:06 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-09-29 14:54:46 UTC
Cleanup done, please file the request
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-09-29 15:08:20 UTC
The offending versions have been removed from the tree.

(In reply to Agostino Sarubbo from comment #9)
> Cleanup done, please file the request

Sorry, I don't understand.
Comment 11 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-29 15:19:22 UTC
GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-10-06 23:28:43 UTC
CVE-2013-4327 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4327):
  systemd does not properly use D-Bus for communication with a polkit
  authority, which allows local users to bypass intended access restrictions
  by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1)
  setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 22:59:48 UTC
This issue was resolved and addressed in
 GLSA 201406-27 at http://security.gentoo.org/glsa/glsa-201406-27.xml
by GLSA coordinator Chris Reffett (creffett).