From ${URL} : The polkit authentication backend in KDE's KAuth code used the UnixProcess subject for authenticating actions. This is subject to race conditions and allows local users to elevate their privileges by bypassing any of the KAuth checks. A followup of CVE-2013-4288. Discussion and patch can be found here: https://bugzilla.novell.com/show_bug.cgi?id=864716 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Patching now.
+ 23 Jul 2014; Michael Palimaka <kensington@gentoo.org> + +files/kdelibs-4.13.3-CVE-2014-5033.patch, +kdelibs-4.12.5-r2.ebuild, + +kdelibs-4.13.3-r1.ebuild, -kdelibs-4.13.3.ebuild: + Backport patch from upstream to solve CVE-2014-5033 wrt bug #517864. kdelibs-4.12.5-r2 is fine to stabilise, unless we want to do 4.13 a bit early.
Thanks Michael. 4.13 is not ready yet. So let's go the fast track. Arches please stabilize =kde-base/kdelibs-4.12.5-r2
Arches, please test and mark stable: =kde-base/kdelibs-4.12.5-r2 Target Keywords : "amd64 ppc ppc64 x86" Thank you!
amd64 stable
x86 done, thanks.
ppc stable
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
Thanks all, cleanup done. Nothing to do for kde herd here anymore, removing from cc. + + 09 Aug 2014; Johannes Huber <johu@gentoo.org> -kdelibs-4.12.5-r1.ebuild: + Remove vulnerable version, bug #517864. +
GLSA vote: no.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No. No GLSA - Closing Bug as Resolved
CVE-2014-5033 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5033): KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
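The race described in the CVE text above, as a toy model added for illustration (not code from this bug, from KDE or from polkit). The `Kernel` and `Bus` classes, the PID, the bus name format and the "uid 0 is authorized" policy are all constructed simplifications; the model only contrasts a subject whose credentials are looked up when the check runs with one whose credentials were pinned when it connected to the bus.

```python
from dataclasses import dataclass

@dataclass
class Process:
    pid: int
    uid: int  # credentials *right now*; they change if the process execs a setuid binary

class Kernel:
    """Constructed stand-in for the process table an authority would query by PID."""
    def __init__(self):
        self.table = {}
    def spawn(self, pid, uid):
        self.table[pid] = Process(pid, uid)
    def exec_setuid_root(self, pid):
        self.table[pid].uid = 0  # same PID, different credentials
    def uid_of(self, pid):
        return self.table[pid].uid

class Bus:
    """Constructed stand-in for the system bus: credentials are recorded at connect time."""
    def __init__(self, kernel):
        self.kernel, self.names = kernel, {}
    def connect(self, pid):
        name = f":1.{len(self.names) + 1}"          # unique connection name
        self.names[name] = self.kernel.uid_of(pid)  # pinned once, never re-read
        return name
    def uid_of(self, name):
        return self.names[name]

def authorize_by_pid(kernel, pid):
    # UnixProcess-style subject: credentials are resolved when the check runs,
    # which may be after the caller has changed what lives behind that PID.
    return kernel.uid_of(pid) == 0

def authorize_by_bus_name(bus, name):
    # Bus-name-style subject: credentials are those of the connection that sent the request.
    return bus.uid_of(name) == 0

def scenario():
    kernel = Kernel()
    bus = Bus(kernel)
    kernel.spawn(4242, 1000)       # unprivileged caller (constructed values)
    name = bus.connect(4242)       # request goes out as uid 1000
    kernel.exec_setuid_root(4242)  # race window: before the authority looks at the PID
    return authorize_by_pid(kernel, 4242), authorize_by_bus_name(bus, name)

if __name__ == "__main__":
    print(scenario())
```

The PID-based check is the only one that grants the request, because it evaluates whatever holds the PID at check time rather than the sender of the message.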