Bug 878115 (CVE-2012-5535)

Summary: CVE-2012-5535 gnome-system-log: polkit policy too lax, allows reading arbitrary files on the system
Product: [Other] Security Response Reporter: Miloslav Trmač <mitr>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: mclasen, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: impact=moderate,public=20121119,reported=20121119,source=redhat,cvss2=4.9/AV:L/AC:L/Au:N/C:C/I:N/A:N,fedora-17/gnome-system-log=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Miloslav Trmač 2012-11-19 11:59:06 EST
gnome-system-log-3.6.0-1.fc18 is set up so that
> $ gnome-system-log
executes "logview" as root through pkexec, only asking for the invoking user's password (because the org.gnome.logview.config.date.pkexec.run (sic) action has default policy auth_self_keep).

Running an X11 application as root in a session of a completely unprivileged user is risky enough in itself; however logview also allows (via the "wheel" button/Open) opening any file on the system, including /etc/shadow.  This is at least a confidentiality violation; reading various authentication cookies or ssh private keys might even allow this to be amplified into a privilege escalation.

Please change the polkit policy to one of the auth_admin_* ones.
Comment 2 Vincent Danen 2012-11-20 02:02:39 EST
And is currently in Fedora 17 testing:

https://admin.fedoraproject.org/updates/gnome-system-log-3.4.1-3.fc17
Comment 3 Vincent Danen 2012-11-20 02:06:18 EST
Note that this is due to a patch specific to Fedora and should not affect other vendors.

Statement:

Not vulnerable.  This issue did not affect the versions of gnome-utils as shipped with Red Hat Enterprise Linux 5 and 6 as they used usermode to request privileges, not pkexec.
Comment 4 Fedora Update System 2012-12-06 23:20:20 EST
gnome-system-log-3.6.1-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2012-12-09 00:55:44 EST
gnome-system-log-3.4.1-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.