Bug 878115 (CVE-2012-5535)

Summary: CVE-2012-5535 gnome-system-log: polkit policy too lax, allows reading arbitrary files on the system
Product: [Other] Security Response
Reporter: Miloslav Trmač <mitr>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: mclasen, security-response-team
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2021-10-19 21:57:44 UTC

Description Miloslav Trmač 2012-11-19 16:59:06 UTC
gnome-system-log-3.6.0-1.fc18 is set up so that
> $ gnome-system-log
executes "logview" as root through pkexec, only asking for the invoking user's password (because the org.gnome.logview.config.date.pkexec.run (sic) action has default policy auth_self_keep).

Running an X11 application as root in a session of a completely unprivileged user is risky enough in itself; however logview also allows (via the "wheel" button/Open) opening any file on the system, including /etc/shadow.  This is at least a confidentiality violation; reading various authentication cookies or ssh private keys might even allow this to be amplified into a privilege escalation.

Please change the polkit policy to one of the auth_admin_* ones.
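
An added example, not part of the original report or the gnome-system-log package: a Python audit that lists pkexec-launched polkit actions whose defaults, like the auth_self_keep reported above, never require an administrator's credentials. The sample policy, the /usr/bin/logview and /usr/bin/example paths and the org.example action are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

EXEC_PATH = "org.freedesktop.policykit.exec.path"  # annotation naming the program pkexec runs
NON_ADMIN = {"yes", "auth_self", "auth_self_keep"}  # results that never ask for admin credentials

# Constructed sample: only the first action id and its auth_self_keep default come from the report.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.gnome.logview.config.date.pkexec.run">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/logview</annotate>
  </action>
  <action id="org.example.fixed.pkexec.run">
    <defaults>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example</annotate>
  </action>
</policyconfig>"""


def lax_pkexec_actions(policy_xml):
    """Return (action id, program, {subject class: result}) for lax pkexec actions."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        program = next((a.text for a in action.findall("annotate")
                        if a.get("key") == EXEC_PATH and a.text), None)
        if program is None:
            continue  # action does not launch a program through pkexec
        lax = {}
        for tag in ("allow_any", "allow_inactive", "allow_active"):
            # Assumption: a missing or empty element is treated as "no".
            value = (action.findtext("defaults/" + tag) or "no").strip()
            if value in NON_ADMIN:
                lax[tag] = value
        if lax:
            findings.append((action.get("id"), program.strip(), lax))
    return findings


def scan_installed(directory="/usr/share/polkit-1/actions"):
    """Audit every installed .policy file; returns {path: findings} for files with findings."""
    return {str(p): f for p in sorted(Path(directory).glob("*.policy"))
            if (f := lax_pkexec_actions(p.read_bytes()))}
```

scan_installed() applies the same check to the policy files under /usr/share/polkit-1/actions; it reads only the packaged defaults, so local polkit rules that override them are not reflected.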

Comment 2 Vincent Danen 2012-11-20 07:02:39 UTC
And is currently in Fedora 17 testing:

https://admin.fedoraproject.org/updates/gnome-system-log-3.4.1-3.fc17

Comment 3 Vincent Danen 2012-11-20 07:06:18 UTC
Note that this is due to a patch specific to Fedora and should not affect other vendors.

Statement:

Not vulnerable.  This issue did not affect the versions of gnome-utils as shipped with Red Hat Enterprise Linux 5 and 6 as they used usermode to request privileges, not pkexec.

Comment 4 Fedora Update System 2012-12-07 04:20:20 UTC
gnome-system-log-3.6.1-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2012-12-09 05:55:44 UTC
gnome-system-log-3.4.1-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.