samples/powerbtn/powerbtn.sh in acpid (aka acpid2) 2.0.16 and earlier uses
the pidof program incorrectly, which allows local users to gain privileges
by running a program with the name kded4 and a DBUS_SESSION_BUS_ADDRESS
environment variable containing commands.
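As an added illustration (this is not acpid's powerbtn.sh, nor the 2.0.17 patch), the following POSIX shell script shows the defensive pattern the description implies is missing: a process located by name via pidof is checked for ownership before its environment is read, the variable is extracted from /proc without the shell ever evaluating it, and the value is accepted only if it is a plain, well-formed unix: D-Bus address. Assumptions: a Linux /proc, GNU stat, and the (hypothetical) function names used here.

```shell
#!/bin/sh
# Added example, not acpid code. Hardened lookup of a user's session bus
# address starting from a process name, as a power-button handler might do.
# Assumes Linux /proc and GNU stat; function names are this example's own.

# Accept only a unix:path= or unix:abstract= address built from a whitelist of
# characters, so nothing a shell could interpret ($, ;, quotes, spaces,
# newlines, backticks) can ever reach a command line.
valid_dbus_address() {
    [ ${#1} -le 256 ] || return 1
    case "$1" in
        unix:path=/*|unix:abstract=/*) ;;
        *) return 1 ;;
    esac
    # tr strips every character outside the whitelist; any difference means
    # the input contained something we refuse to pass on.
    [ "$(printf '%s' "$1" | tr -cd 'A-Za-z0-9_./:,=-')" = "$1" ]
}

# Read one environment variable of a process from /proc, as data only.
# usage: env_var_of_pid PID NAME
env_var_of_pid() {
    tr '\0' '\n' < "/proc/$1/environ" 2>/dev/null | sed -n "s/^$2=//p" | head -n 1
}

# pidof matches by name alone, so the process must also be owned by the user
# whose session we intend to act on before its environment is trusted.
# usage: pid_owned_by PID USER
pid_owned_by() {
    [ "$(stat -c %U "/proc/$1" 2>/dev/null)" = "$2" ]
}

# Return the first validated session bus address of a kded4 process owned by
# USER, or fail. usage: session_bus_for_user USER
session_bus_for_user() {
    for pid in $(pidof kded4 2>/dev/null); do
        pid_owned_by "$pid" "$1" || continue
        addr=$(env_var_of_pid "$pid" DBUS_SESSION_BUS_ADDRESS)
        if valid_dbus_address "$addr"; then
            printf '%s\n' "$addr"
            return 0
        fi
    done
    return 1
}
```

The address is only ever printed or handed to a D-Bus client as an argument; it is never substituted into a command string, so a crafted value at worst fails validation and is skipped.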
References (with patch):
Let's stabilize 2.0.17 then
Thanks, everyone. GLSA request filed. IA64 should continue with stabilization, but not needed for GLSA.
Ok, so 2.0.17 is stable for all architectures on which 2.0.16 was stable before, and 2.0.16 was removed from the tree. Is there still anything left, or can we close this one?
I think once you drop vulnerable versions, that is all from the maintainer's part and you can unCC, while keeping the bug open to let the security team file the GLSA and those things.
Ok, so vulnerable version dropped, everything ready for security guys :-) Thanks.
This issue was resolved and addressed in
GLSA 201310-20 at http://security.gentoo.org/glsa/glsa-201310-20.xml
by GLSA coordinator Sergey Popov (pinkbyte).