Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 485904 (CVE-2013-4325)

Summary: <net-print/hplip-3.14.1: Polkit race condition (CVE-2013-4325)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: billie, printing
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://launchpad.net/bugs/1232409
https://bugzilla.redhat.com/show_bug.cgi?id=1006674
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 484474, 497722    
Bug Blocks: 485328    

Description GLSAMaker/CVETool Bot gentoo-dev 2013-09-24 22:37:23 UTC
CVE-2013-4325 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4325):
  The check_permission_v1 function in base/pkit.py in HP Linux Imaging and
  Printing (HPLIP) through 3.13.9 does not properly use D-Bus for
  communication with a polkit authority, which allows local users to bypass
  intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject
  race condition via a (1) setuid process or (2) pkexec process.


Red Hat's patch: https://bugzilla.redhat.com/attachment.cgi?id=796256&action=diff&context=patch&collapsed=&headers=1&format=raw
Comment 1 Daniel Pielmeier gentoo-dev 2013-09-28 10:19:03 UTC
+*hplip-3.13.9 (28 Sep 2013)
+
+  28 Sep 2013; Daniel Pielmeier <billie@gentoo.org> +hplip-3.13.9.ebuild:
+  Version bump. Includes Red Hat's patch to fix CVE-2013-4325.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2014-03-14 01:31:05 UTC
Stabilized and cleaned up as part of Bug 497722.

Arhes and Maintainers thank you for your work.

Added to existing GLSA Draf.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 22:59:52 UTC
This issue was resolved and addressed in
 GLSA 201406-27 at http://security.gentoo.org/glsa/glsa-201406-27.xml
by GLSA coordinator Chris Reffett (creffett).