Bug 1002375 (CVE-2013-4288)
Summary: CVE-2013-4288 polkit: unix-process subject for authorization is racy

| Field | Value | Field | Value |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Vincent Danen <vdanen> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | berrange, carnil, cfergeau, eblake, hdegoede, jdenemar, jlieskov, lpoetter, mitr, pmatouse, pvrabec, security-response-team, walters, zeuthen |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-10-20 10:40:43 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1005135, 1006262, 1006264, 1009538 | | |
| Bug Blocks | 1002376 | | |
| Attachments | | | |
Description
Vincent Danen
2013-08-29 04:02:35 UTC
Created attachment 795472 [details]
polkit patch
Created attachment 795473 [details]
spice-gtk patch
Instead of using polkit_unix_process_new() which can be racy, spice-gtk is modified to use polkit_unix_process_new_for_owner()
Created attachment 795474 [details]
hplip patch
hplip invokes polkit via dbus, the patch passes system-bus-name as subject, not pid to polkit
Created attachment 795475 [details]
rtkit patch
Pass uid of caller to polkit
Created attachment 795476 [details]
systemd.patch
As per the polkit documentation: "polkit applications are applications using the polkit authority as a decider component. They do this by installing a .policy file into the /usr/share/polkit-1/actions directory and communicating with the polkit authority at runtime (either via the D-Bus API or indirectly through the libpolkit-gobject-1 library or the pkcheck command)."

So the attached polkit patch attempts to address this issue in all three ways by which the polkit authority is invoked:

1. libpolkit-gobject-1: polkit_unix_process_new() is deprecated and polkit_unix_process_new_for_owner() should now be used in its place. This way we avoid a race condition if the parent execve()s a setuid program.
2. D-Bus API: modify the D-Bus API to accept system-bus-name as subject, not pid.
3. pkcheck: modify pkcheck to support --process=pid,start-time,uid.

Based on the above changes, consumers of polkit using the specific API are also changed:

spice-gtk: uses polkit_unix_process_new(), changed to now use polkit_unix_process_new_for_owner().
hplip/rtkit/systemd: used D-Bus, modified to use the new D-Bus syntax.
libvirt: uses pkcheck, modified to use the newer pkcheck syntax; major changes were made to incorporate the new change.

(In reply to Huzaifa S. Sidhpurwala from comment #11)
> Created attachment 795472 [details]
> polkit patch

Note I recommend that clients only update with patches 1 and 2 here - 3 and 4 are merely cleanups that I want to do as a separate step. Or really, only patch 2 is needed. I've updated my git repository to reflect that by moving 1,3,4 to a separate cleanups/ directory.

Note: The components described in Comment #16 are also affected by this flaw. They have been assigned separate CVEs as per the following:

CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
CVE-2013-4325 hplip: use of insecure polkit DBUS API
CVE-2013-4326 rtkit: use of insecure polkit DBUS API
CVE-2013-4327 systemd: use of insecure polkit DBUS API

Acknowledgements:

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.

This is now public: http://www.openwall.com/lists/oss-security/2013/09/18/4

Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1009538]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2013:1270 https://rhn.redhat.com/errata/RHSA-2013-1270.html

polkit-0.112-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

polkit-0.107-6.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

polkit-0.112-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
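The race the patches above close, as an added example that is not part of this bug report and not polkit's own code: a model of what a pid-only subject (polkit_unix_process_new(), or a bare pid over D-Bus or to pkcheck) lets the authority resolve at check time, versus what the (pid, start-time, uid) subject of polkit_unix_process_new_for_owner() / pkcheck --process=pid,start-time,uid pins at request time. The /proc snapshots, the helper names (make_stat, subject_for_owner, authorize_pid_only, authorize_for_owner) and the toy policy "only uid 0 is authorized" are all constructed here for illustration; polkit's real authority logic is not reproduced.

```python
"""Model of the pid-only vs (pid, start_time, uid) polkit subject race.

Added example, not polkit's own code. A pid-only subject lets the authority
look the caller's uid up from /proc when the check runs; if the caller
execve()s a setuid program (or exits and the pid is reused) between the
request and the check, the authority authorizes the wrong owner. Capturing
uid and start time at request time, as polkit_unix_process_new_for_owner()
and pkcheck --process=pid,start-time,uid do, closes both windows.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed stand-in for /proc/<pid>/{stat,status}: pid -> (stat text, status text)
ProcSnapshot = Dict[int, Tuple[str, str]]


def make_stat(pid: int, comm: str, start_time: int) -> str:
    """Constructed /proc/<pid>/stat line; field 22 is starttime (clock ticks since boot)."""
    fields = [str(pid), f"({comm})", "S", "1", str(pid), str(pid), "0", "-1",
              "4194304", "100", "0", "0", "0", "5", "1", "0", "0", "20", "0",
              "1", "0", str(start_time), "0", "0"]
    return " ".join(fields)


def make_status(uid: int) -> str:
    """Constructed /proc/<pid>/status fragment; the first Uid value is the real uid."""
    return f"Name:\tx\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\nGid:\t{uid}\t{uid}\t{uid}\t{uid}\n"


def parse_stat(text: str) -> Tuple[int, int]:
    """Return (pid, start_time). comm may contain spaces or ')', so split on the last ')'."""
    head, _, rest = text.rpartition(")")
    pid = int(head.split("(", 1)[0])
    fields = rest.split()  # fields[0] is field 3 (state), so field 22 is index 19
    return pid, int(fields[19])


def parse_uid(text: str) -> int:
    """Real uid from a /proc/<pid>/status text."""
    for line in text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    raise ValueError("no Uid line")


@dataclass(frozen=True)
class UnixProcessSubject:
    pid: int
    start_time: int
    uid: int


def subject_for_owner(snap: ProcSnapshot, pid: int) -> UnixProcessSubject:
    """What the owner-based subject captures at request time (model, not polkit's code)."""
    stat, status = snap[pid]
    _, start_time = parse_stat(stat)
    return UnixProcessSubject(pid, start_time, parse_uid(status))


def live_subject(pid: int) -> UnixProcessSubject:
    """Same capture against the real /proc (Linux only); not used by the self-test."""
    with open(f"/proc/{pid}/stat") as f, open(f"/proc/{pid}/status") as g:
        return subject_for_owner({pid: (f.read(), g.read())}, pid)


def authorize_pid_only(snap_at_check: ProcSnapshot, pid: int) -> bool:
    """Racy: the owner is whatever /proc says when the check runs. Toy policy: uid 0 passes."""
    entry = snap_at_check.get(pid)
    if entry is None:
        return False
    return parse_uid(entry[1]) == 0


def authorize_for_owner(snap_at_check: ProcSnapshot, subj: UnixProcessSubject) -> bool:
    """Pinned: same pid with the same start time must still exist, and the decision
    uses the uid captured at request time rather than the current /proc owner."""
    entry = snap_at_check.get(subj.pid)
    if entry is None:
        return False
    pid, start_time = parse_stat(entry[0])
    if pid != subj.pid or start_time != subj.start_time:
        return False  # pid was reused by a different process
    return subj.uid == 0


def demo() -> Tuple[bool, bool, bool, bool]:
    """(pid-only, owner-based) decisions for the execve() case and the pid-reuse case."""
    PID = 4242
    # Request time: unprivileged caller, uid 1000, started at tick 1000.
    at_request: ProcSnapshot = {PID: (make_stat(PID, "attacker", 1000), make_status(1000))}
    subj = subject_for_owner(at_request, PID)
    # Check time, case 1: caller execve()d a setuid-root helper; start time unchanged, uid now 0.
    after_execve: ProcSnapshot = {PID: (make_stat(PID, "suid helper", 1000), make_status(0))}
    # Check time, case 2: caller exited and pid 4242 was reused by a root daemon.
    after_reuse: ProcSnapshot = {PID: (make_stat(PID, "rootd", 9999), make_status(0))}
    return (authorize_pid_only(after_execve, PID), authorize_for_owner(after_execve, subj),
            authorize_pid_only(after_reuse, PID), authorize_for_owner(after_reuse, subj))


if __name__ == "__main__":
    print(demo())  # (True, False, True, False): pid-only authorizes both races, owner-based neither
```

The execve() case is the one the comment above names: start time survives execve(), so start time alone would not catch it; it is the uid captured at request time that makes the decision. The pid-reuse case is caught by the start-time comparison. A client that still passes only a pid over D-Bus or to pkcheck gets the pid-only column.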