Bug 484486 (CVE-2013-4288) - <sys-auth/polkit-0.112: Unspecified vulnerability (CVE-2013-4288)
Summary: <sys-auth/polkit-0.112: Unspecified vulnerability (CVE-2013-4288)
Status: RESOLVED FIXED
Alias: CVE-2013-4288
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks: CVE-2013-4311 485328 CVE-2013-4324
Reported: 2013-09-10 14:52 UTC by Doug Goldstein (RETIRED)
Modified: 2014-06-26 22:59 UTC (History)
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---

Description Doug Goldstein (RETIRED) gentoo-dev 2013-09-10 14:52:32 UTC
embargo ends Sept 11th 2013
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-14 02:34:08 UTC
It's past the embargo date you specified and there is no information in this bug as to which package has a vulnerability, much less any information about the vulnerability. It defeats the purpose of having a restricted bug.

Unrestricting the bug and will close it invalid in 48 hours if more information is not provided.
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2013-09-14 03:25:39 UTC
(In reply to Sean Amoss from comment #1)
> It's past the embargo date you specified and there is no information in this
> bug as to which package has a vulnerability, much less any information about
> the vulnerability. It defeats the purpose of having a restricted bug.
> 
> Unrestricting the bug and will close it invalid in 48 hours if more
> information is not provided.

Embargo has been pushed back to Sept 18th by the vendor. I would provide some information on the bug that I can, but now that it's unrestricted I can't.
Comment 3 Sergey Popov (RETIRED) gentoo-dev 2013-09-15 11:56:41 UTC
(In reply to Doug Goldstein from comment #2)
> Embargo has been pushed back to Sept 18th by the vendor. I would provide
> some information on the bug that I can but now that its unrestricted I can't.

We have talked about this issue. Unless you provide some useful info, this bug will be marked as INVALID.

Reporting restricted bugs about some vulnerability in some product is counter-productive. Either provide info in a RESTRICTED bug, whose contents we, as a security team, will keep private until a certain date, or do not file such bugs at our bugzilla at all.
Comment 4 Doug Goldstein (RETIRED) gentoo-dev 2013-09-16 01:36:56 UTC
Let's all relax. What I agreed to said I would not disclose any information to people not on the list, which apparently no one from security@gentoo.org is on. I needed clarification before I could fill details in; telling me that you won't disclose information is not good enough until I got clarification. By the time I did, this bug was marked unrestricted, so I couldn't add any information. This is the first time I'm getting back to it now that it's toggled restricted again.

This bug was primarily made not for security@gentoo.org but for the maintainer of this package to coordinate with me on bug #484488 for stabilization.

This bug is for polkit. We'll use this to stabilize polkit-0.110-r1 but add polkit-0.112 for the ~arch users.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-17 22:27:35 UTC
Are we waiting until the embargo ends to stable sys-auth/polkit-0.110-r1?
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-19 15:52:13 UTC
Embargo over, hit oss-security yesterday. Ready to stable?
Comment 7 Doug Goldstein (RETIRED) gentoo-dev 2013-09-19 16:13:31 UTC
(In reply to Chris Reffett from comment #6)
> Embargo over, hit oss-security yesterday. Ready to stable?

Yes.

target version: 0.110-r1
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2013-09-19 17:18:05 UTC
(In reply to Doug Goldstein from comment #7)
> (In reply to Chris Reffett from comment #6)
> > Embargo over, hit oss-security yesterday. Ready to stable?
> 
> Yes.
> 
> target version: 0.110-r1

Let's do 0.112 instead (I wanted 0.111 stable anyways, and 0.112 is not much more than 0.111 + the patch).
Comment 9 Agostino Sarubbo gentoo-dev 2013-09-21 08:52:38 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-09-21 08:52:54 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-09-22 06:57:43 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-09-22 06:58:15 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-09-22 06:58:49 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-09-22 08:00:50 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-09-22 14:25:21 UTC
alpha stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-09-23 19:17:06 UTC
sparc stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-09-28 20:46:53 UTC
SH is no longer a stable arch, removing it from the cc list
Comment 18 Agostino Sarubbo gentoo-dev 2013-09-28 20:49:52 UTC
S390 is no longer a stable arch, removing it from the cc list
Comment 19 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-29 15:52:29 UTC
Added to existing GLSA request.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2013-10-06 23:25:50 UTC
CVE-2013-4288 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4288):
  Race condition in PolicyKit (aka polkit) allows local users to bypass
  intended PolicyKit restrictions and gain privileges by starting a setuid or
  pkexec process before the authorization check is performed, related to (1)
  the polkit_unix_process_new API function, (2) the dbus API, or (3) the
  --process (unix-process) option for authorization to pkcheck.
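Added example, not code from polkit, the bot, or anyone on this bug: the CVE text above describes a race where the subject of an authorization check is named by PID alone, and the kernel can hand that PID to a different process between the request and the check. The snippet below shows the weak identity (PID only) beside the robust one (PID, start time from field 22 of /proc/<pid>/stat, and real uid from /proc/<pid>/status), which is the pid,start_time,uid triple that pkcheck --process accepts, and shows the robust check rejecting a recycled PID that the weak check accepts. The /proc contents are constructed samples, and all function names are this example's own.

```python
"""Robust process identity for authorization checks (added example).

A PID alone can be recycled; pairing it with the process start time and
owning uid lets a checker detect that the process it is looking at is no
longer the one that made the request (the race in CVE-2013-4288).
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessIdentity:
    pid: int
    start_time: int  # field 22 of /proc/<pid>/stat: clock ticks after boot
    uid: int         # real uid: first number on the Uid: line of /proc/<pid>/status


def parse_stat_start_time(stat_line: str) -> int:
    """Return the starttime field (22) of a /proc/<pid>/stat line.

    The comm field (2) is parenthesised and may itself contain spaces or ')',
    so split after the *last* ')' instead of on whitespace from the start.
    """
    rest = stat_line[stat_line.rindex(")") + 1:].split()
    # rest[0] is field 3 (state), so field 22 (starttime) is rest[19]
    return int(rest[19])


def parse_status_uid(status_text: str) -> int:
    """Return the real uid from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    raise ValueError("no Uid: line in status text")


def identity_from_proc_text(pid: int, stat_line: str, status_text: str) -> ProcessIdentity:
    return ProcessIdentity(pid, parse_stat_start_time(stat_line), parse_status_uid(status_text))


def identity_of_live_process(pid: int) -> ProcessIdentity:
    """Read the same identity from a real /proc (Linux only)."""
    with open(f"/proc/{pid}/stat") as f:
        stat_line = f.read()
    with open(f"/proc/{pid}/status") as f:
        status_text = f.read()
    return identity_from_proc_text(pid, stat_line, status_text)


def format_pkcheck_process(ident: ProcessIdentity) -> str:
    """Render the identity as the pid,start_time,uid argument pkcheck --process takes."""
    return f"{ident.pid},{ident.start_time},{ident.uid}"


def pid_only_matches(claimed: ProcessIdentity, observed: ProcessIdentity) -> bool:
    """The weak check: the subject is 'the same' whenever the PID is the same."""
    return claimed.pid == observed.pid


def subject_still_matches(claimed: ProcessIdentity, observed: ProcessIdentity) -> bool:
    """The robust check: PID, start time and uid must all agree."""
    return claimed == observed


# Constructed samples: the requesting process as it looked when the request
# arrived, and a later process of the same user that reused PID 4242.
STAT_REQUESTER = (
    "4242 (my (tool)) S 4200 4242 4242 0 -1 4194560 100 0 0 0 1 2 0 0 "
    "20 0 1 0 98765 10485760 500 18446744073709551615 1 1 0 0 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0"
)
STATUS_REQUESTER = "Name:\tmy (tool)\nState:\tS (sleeping)\nPid:\t4242\nUid:\t1000\t1000\t1000\t1000\n"

STAT_REUSED = (
    "4242 (bash) R 1 4242 4242 0 -1 4194560 100 0 0 0 1 2 0 0 "
    "20 0 1 0 99120 10485760 500 18446744073709551615 1 1 0 0 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0"
)
STATUS_REUSED = "Name:\tbash\nState:\tR (running)\nPid:\t4242\nUid:\t1000\t1000\t1000\t1000\n"


if __name__ == "__main__":
    claimed = identity_from_proc_text(4242, STAT_REQUESTER, STATUS_REQUESTER)
    observed = identity_from_proc_text(4242, STAT_REUSED, STATUS_REUSED)
    print("pkcheck form:", format_pkcheck_process(claimed))
    print("pid-only check accepts recycled pid:", pid_only_matches(claimed, observed))
    print("robust check accepts recycled pid:", subject_still_matches(claimed, observed))
    print("this process:", identity_of_live_process(os.getpid()))
```

The reused process here belongs to the same uid, so the start time is what catches it; the uid component additionally covers a PID and start tick that coincide across users. Either way, the checker should record the full identity when the request arrives and re-read it immediately before acting on the decision.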
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 22:59:31 UTC
This issue was resolved and addressed in GLSA 201406-27 at http://security.gentoo.org/glsa/glsa-201406-27.xml by GLSA coordinator Chris Reffett (creffett).