Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2012-5535 gnome-system-log: polkit policy too lax, allows reading arbitrary files on the system|
|Product:||[Other] Security Response||Reporter:||Miloslav Trmač <mitr>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||NEW ---||QA Contact:|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Miloslav Trmač 2012-11-19 11:59:06 EST
gnome-system-log-3.6.0-1.fc18 is set up so that > $ gnome-system-log executes "logview" as root through pkexec, only asking for the invoking user's password (because the org.gnome.logview.config.date.pkexec.run (sic) action has default policy auth_self_keep). Running an X11 application as root in a session of a completely unprivileged user is risky enough in itself; however logview also allows (via the "wheel" button/Open) opening any file on the system, including /etc/shadow. This is at least a confidentiality violation; reading various authentication cookies or ssh private keys might even allow this to be amplified into a privilege escalation. Please change the polkit policy to one of the auth_admin_* ones.
Comment 1 Vincent Danen 2012-11-19 18:11:29 EST
This is corrected in Fedora 18: http://koji.fedoraproject.org/koji/buildinfo?buildID=367561 http://pkgs.fedoraproject.org/cgit/gnome-system-log.git/commit/?h=f18
Comment 2 Vincent Danen 2012-11-20 02:02:39 EST
And is currently in Fedora 17 testing: https://admin.fedoraproject.org/updates/gnome-system-log-3.4.1-3.fc17
Comment 3 Vincent Danen 2012-11-20 02:06:18 EST
Note that this is due to a patch specific to Fedora and should not affect other vendors. Statement: Not vulnerable. This issue did not affect the versions of gnome-utils as shipped with Red Hat Enterprise Linux 5 and 6 as they used usermode to request privileges, not pkexec.
Comment 4 Fedora Update System 2012-12-06 23:20:20 EST
gnome-system-log-3.6.1-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2012-12-09 00:55:44 EST
gnome-system-log-3.4.1-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.