Summary: | <kde-base/kdelibs-4.12.5-r2: KAuth authentication bypass (CVE-2014-5033) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2014/07/21/4 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
![]() Patching now. + 23 Jul 2014; Michael Palimaka <kensington@gentoo.org> + +files/kdelibs-4.13.3-CVE-2014-5033.patch, +kdelibs-4.12.5-r2.ebuild, + +kdelibs-4.13.3-r1.ebuild, -kdelibs-4.13.3.ebuild: + Backport patch from upstream to solve CVE-2014-5033 wrt bug #517864. kdelibs-4.12.5-r2 is fine to stabilise, unless we want to do 4.13 a bit early. Thanks Michael. 4.13 is not ready yet. So lets go the fast track. Arches please stabilize =kde-base/kdelibs-4.12.5-r2 Arches, please test and mark stable: =kde-base/kdelibs-4.12.5-r2 Target Keywords : "amd64 ppc ppc64 x86" Thank you! amd64 stable x86 done, thanks. ppc stable ppc64 stable. Maintainer(s), please cleanup. Security, please vote. Thanks all, cleanup done. Nothing to do for kde herd here anymore, removing from cc. + + 09 Aug 2014; Johannes Huber <johu@gentoo.org> -kdelibs-4.12.5-r1.ebuild: + Remove vulnerable version, bug #517864. + GLSA vote: no. Arches and Maintainer(s), Thank you for your work. GLSA Vote: No No GLSA - Closing Bug as Resolved CVE-2014-5033 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5033): KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions." |