Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 485546 (CVE-2013-4327) - <sys-apps/systemd-204-r1: PolicyKit UID Checking Race Condition Privilege Escalation Weakness (CVE-2013-4327)
Summary: <sys-apps/systemd-204-r1: PolicyKit UID Checking Race Condition Privilege Esc...
Status: RESOLVED FIXED
Alias: CVE-2013-4327
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/54948/
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks: 485328
  Show dependency tree
 
Reported: 2013-09-21 07:31 UTC by Agostino Sarubbo
Modified: 2014-06-26 22:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-09-21 07:31:29 UTC
From ${URL} :

Description

A weakness has been reported in systemd, which can be exploited by malicious, local users to gain 
escalated privileges.

The weakness is caused due to an insecure use of the DBUS interface when interacting with the 
polkit authority.

For more information:
SA54875

The weakness is reported in version 207. Other versions may also be affected.


Solution:
Fixed in the GIT repository.




@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-09-21 07:47:47 UTC
Do I understand correctly that this is about:

commit 72fd713962ca2c2450e23b01d9e22017a7e28fd4
Author: Colin Walters <walters@verbum.org>
Date:   Thu Aug 22 13:55:21 2013 -0400

    polkit: Avoid race condition in scraping /proc
    
    If a calling process execve()s a setuid program, it can appear to be
    uid 0.  Since we're receiving requests over DBus, avoid this by simply
    passing system-bus-name as a subject.

?
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-09-22 08:36:31 UTC
Fixed in -207-r2 and -204-r1. -204-r1 is ready for stabilization but it will require stabilizing =sys-apps/gentoo-systemd-integration-1 (it's basically a few files from FILESDIR moved to a separate package).
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-22 11:39:39 UTC
Arches, please test and mark stable:
=sys-apps/systemd-204-r1
=sys-apps/gentoo-systemd-integration-1
Target keywords : "amd64 arm ppc ppc64 x86"
Comment 4 Agostino Sarubbo gentoo-dev 2013-09-26 17:29:04 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-28 20:29:18 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-09-28 20:29:35 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-09-28 20:29:51 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-09-28 20:30:06 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-09-29 14:54:46 UTC
Cleanup done, please file the request
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2013-09-29 15:08:20 UTC
The offending versions has been removed from the tree.

(In reply to Agostino Sarubbo from comment #9)
> Cleanup done, please file the request

Sorry, I don't understand.
Comment 11 Sean Amoss gentoo-dev Security 2013-09-29 15:19:22 UTC
GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-10-06 23:28:43 UTC
CVE-2013-4327 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4327):
  systemd does not properly use D-Bus for communication with a polkit
  authority, which allows local users to bypass intended access restrictions
  by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1)
  setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-06-26 22:59:48 UTC
This issue was resolved and addressed in
 GLSA 201406-27 at http://security.gentoo.org/glsa/glsa-201406-27.xml
by GLSA coordinator Chris Reffett (creffett).