Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 918551 (CVE-2023-3297)

Summary: sys-apps/accountsservice: local privilege escalation via crafted dbus message
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: critical CC: ajak, gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://securitylab.github.com/advisories/GHSL-2023-139_accountsservice/
Whiteboard: A1 [ebuild]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 19:37:30 UTC 
CVE-2023-3297 (https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024182):

In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process.

I'm not certain that we're affected, the advisory mentioned that the
vulnerability can be exploited via an Ubuntu patch but I'm not sure if
it's reachable elsewhere.
Comment 1 Hans de Graaff gentoo-dev Security 2024-04-05 13:54:03 UTC 
The upstream Ubuntu bug has been resolved as fixed with only changes to the specific patch. We don't carry that patch so this vulnerability does not apply to us.

@ajak: do you want to double-check this, or can I close this bug?
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-04-06 15:50:05 UTC 
Hm, the original report says "This is done incorrectly in several places in accountsservice. For example, [in the patch]", which would lead me to think that there's multiple instances of this problem in various places throughout accountsservice, rather than exclusively in the patch. But it seems Ubuntu only patched the patch, so I'm happy following them on that.