Bug 1006677 (CVE-2013-4326)

Summary: CVE-2013-4326 rtkit: insecure calling of polkit
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jkurik, lpoetter, rhack, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-24 15:37:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1005140, 1007174, 1007175, 1009543    
Bug Blocks: 1002376    
Attachments:
Description Flags
rtkit patch none

Description Huzaifa S. Sidhpurwala 2013-09-11 05:42:03 UTC 
Sebastian Krahmer reported a security issue was found in polkit (CVE-2013-4288
bz 1002375).

It was found that rtkit was vulnerable to this issue as well, since it
communicated to polkit authority using an unsafe DBUS interface. 

This issue has been assigned CVE-2013-4326
Comment 1 Huzaifa S. Sidhpurwala 2013-09-11 06:00:54 UTC 
Created attachment 796255 [details]
rtkit patch
Comment 3 Vincent Danen 2013-09-18 15:15:27 UTC 
This is now public:

http://www.openwall.com/lists/oss-security/2013/09/18/4
Comment 4 Vincent Danen 2013-09-18 15:27:36 UTC 
Created rtkit tracking bugs for this issue:

Affects: fedora-all [bug 1009543]
Comment 6 errata-xmlrpc 2013-09-24 18:06:24 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1282 https://rhn.redhat.com/errata/RHSA-2013-1282.html