Bug 878115 (CVE-2012-5535)
Summary: | CVE-2012-5535 gnome-system-log: polkit policy too lax, allows reading arbitrary files on the system | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Miloslav Trmač <mitr> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | mclasen, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-19 21:57:44 UTC | Type: | Bug |
This is corrected in Fedora 18:

http://koji.fedoraproject.org/koji/buildinfo?buildID=367561
http://pkgs.fedoraproject.org/cgit/gnome-system-log.git/commit/?h=f18

And is currently in Fedora 17 testing:

https://admin.fedoraproject.org/updates/gnome-system-log-3.4.1-3.fc17

Note that this is due to a patch specific to Fedora and should not affect other vendors.

Statement:

Not vulnerable. This issue did not affect the versions of gnome-utils as shipped with Red Hat Enterprise Linux 5 and 6 as they used usermode to request privileges, not pkexec.

gnome-system-log-3.6.1-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

gnome-system-log-3.4.1-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
gnome-system-log-3.6.0-1.fc18 is set up so that

> $ gnome-system-log

executes "logview" as root through pkexec, only asking for the invoking user's password (because the org.gnome.logview.config.date.pkexec.run (sic) action has default policy auth_self_keep).

Running an X11 application as root in a session of a completely unprivileged user is risky enough in itself; however logview also allows (via the "wheel" button/Open) opening any file on the system, including /etc/shadow. This is at least a confidentiality violation; reading various authentication cookies or ssh private keys might even allow this to be amplified into a privilege escalation.

Please change the polkit policy to one of the auth_admin_* ones.
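The class of misconfiguration reported above can be checked for mechanically. The following is an added example, not part of the original report or of the gnome-system-log package: it parses polkit policy XML and flags pkexec-launched actions whose implicit authorization is satisfied without administrator credentials. The sample policy is constructed; the exec path `/usr/bin/logview` and the `org.example.hardened.pkexec.run` action are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Implicit authorizations an unprivileged user can satisfy without an admin.
WEAK = {"yes", "auth_self", "auth_self_keep"}
EXEC_PATH = "org.freedesktop.policykit.exec.path"

# Constructed sample modelled on the action named in the report; the exec
# path and the second (hardened) action are assumptions for illustration.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.gnome.logview.config.date.pkexec.run">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/logview</annotate>
  </action>
  <action id="org.example.hardened.pkexec.run">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/example</annotate>
  </action>
</policyconfig>"""

def audit_policy(xml_text):
    """Return (action_id, exec_path, setting, value) for every pkexec action
    whose implicit authorization does not require an administrator."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        path = next((a.text.strip() for a in action.findall("annotate")
                     if a.get("key") == EXEC_PATH and a.text), None)
        defaults = action.find("defaults")
        if path is None or defaults is None:
            continue  # not a pkexec-launched program, or no defaults to check
        for child in defaults:
            value = (child.text or "").strip()
            if value in WEAK:
                findings.append((action.get("id"), path, child.tag, value))
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("weak pkexec policy: %s -> %s (%s=%s)" % finding)
```

Findings still need manual review: a weak setting matters most when the launched program, like logview here, lets the user reach arbitrary files or commands as root.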