Bug 879044
Summary: | CVE-2012-5560 mate-settings-daemon: Any unprivileged user can change the system's timezone [fedora-all] | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Vincent Danen <vdanen>
Component: | mate-settings-daemon | Assignee: | Dan Mashal <dan.mashal>
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Priority: | medium
Version: | 17 | CC: | dan.mashal, mitr, rdieter
Hardware: | All | Keywords: | Reopened, Security, SecurityTracking
OS: | Linux | Doc Type: | Release Note
Last Closed: | 2012-11-27 05:13:06 UTC | Bug Blocks: | 878102
Description
Vincent Danen
2012-11-21 22:16:29 UTC
Please use the following update submission link to create the Bodhi request for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. Please also ensure that the "Close bugs when update is stable" option remains checked.

Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=878102,879044

This is not a MATE problem. This is a dbus/polkit problem. Please talk to davidz or whoever maintains dbus/polkit now.

/etc/dbus-1/system.conf contains the following:

    <!-- Holes must be punched in service configuration files for name ownership and sending method calls -->
    <deny own="*"/>
    <deny send_type="method_call"/>

Sorry, please disregard. I see the issue now.

Fix submitted upstream.
https://github.com/mate-desktop/mate-settings-daemon/pull/22

(In reply to comment #4)
> Fix submitted upstream.
>
> https://github.com/mate-desktop/mate-settings-daemon/pull/22

Is this https://github.com/dmashal/mate-settings-daemon/commit/258f92953949ebd7ebca3bd34df973099b24f4dd ? I haven't tested it, but I don't think that fixes the problem (it seems to me that allowing more access can't fix a problem with too lax access), or at least not its cause.

The piece of configuration that allows any user to perform the operation is in /usr/share/polkit-1/actions/org.mate.settingsdaemon.datetimemechanism.policy; as described in bug 878102 comment 0, the policy can be fixed by replacing the only "auth_self_keep" by "auth_admin_keep".

When running the command in the original bug you are now prompted for a password. This was taken from org.freedesktop.timedate1.conf.

> The piece of configuration that allows any user to perform the operation
> is in
> /usr/share/polkit-1/actions/org.mate.settingsdaemon.datetimemechanism.policy;
> as described in bug 878102 comment 0, the policy can be fixed by replacing
> the only "auth_self_keep" by "auth_admin_keep".
This could be a MATE 1.4 problem but in MATE 1.5 I see the following:
/usr/share/polkit-1/actions/org.mate.settingsdaemon.datetimemechanism.policy
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
I am submitting an update for this now. Please test.
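
The check discussed in the comments above, as an added example that is not part of the original bug thread or of the MATE code: it lists every polkit action whose <defaults> authorize a user without administrator credentials ("yes", "auth_self", "auth_self_keep"). The action id in the sample is constructed, and treating an omitted allow_* element as "no" is an assumption of this sketch.

```python
import glob
import os
import xml.etree.ElementTree as ET

# polkit implicit authorizations that never ask for an administrator's password.
NON_ADMIN = {"yes", "auth_self", "auth_self_keep"}
SESSION_KINDS = ("allow_any", "allow_inactive", "allow_active")


def audit_policy(xml_data):
    """Return (action_id, session_kind, value) for each non-admin default.
    Accepts str or bytes holding one .policy document."""
    findings = []
    for action in ET.fromstring(xml_data).iter("action"):
        defaults = action.find("defaults")
        for kind in SESSION_KINDS:
            node = defaults.find(kind) if defaults is not None else None
            # Assumption: an omitted element is treated as "no".
            value = (node.text or "").strip() if node is not None else "no"
            if value in NON_ADMIN:
                findings.append((action.get("id"), kind, value))
    return findings


def audit_dir(path="/usr/share/polkit-1/actions"):
    """Audit every *.policy file in a directory; unreadable files are reported."""
    report = {}
    for name in sorted(glob.glob(os.path.join(path, "*.policy"))):
        try:
            with open(name, "rb") as fh:  # bytes: honours the XML encoding header
                hits = audit_policy(fh.read())
        except (ET.ParseError, OSError) as exc:
            hits = [("<unreadable>", "", str(exc))]
        if hits:
            report[name] = hits
    return report


# Constructed sample: the lax default named in the thread, then the corrected one.
BEFORE = """<policyconfig>
  <action id="org.example.datetimemechanism.settimezone">
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_self_keep</allow_active>
    </defaults>
  </action>
</policyconfig>"""
AFTER = BEFORE.replace("auth_self_keep", "auth_admin_keep")

if __name__ == "__main__":
    print("before:", audit_policy(BEFORE))
    print("after: ", audit_policy(AFTER))
```

Calling audit_dir() with no argument scans the system policy directory; not every hit is a bug, since some actions are meant to need only the user's own password.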
mate-settings-daemon-1.5.3-4.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mate-settings-daemon-1.5.3-4.fc17

F18 buildroot is broken right now due to NSS. Waiting for that to be fixed and will submit update for F18.

mate-settings-daemon-1.5.3-4.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/mate-settings-daemon-1.5.3-4.fc18

mate-settings-daemon-1.5.3-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mate-settings-daemon-1.5.3-5.fc17

1.5.3-5 should fix this for f17 and f18

Package mate-settings-daemon-1.5.3-5.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mate-settings-daemon-1.5.3-5.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18977/mate-settings-daemon-1.5.3-5.fc18
then log in and leave karma (feedback).

Thanks, confirmed on f18.

mate-settings-daemon-1.5.3-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

mate-settings-daemon-1.5.4-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mate-settings-daemon-1.5.4-1.fc17

mate-settings-daemon-1.5.4-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

mate-settings-daemon-1.5.4-3.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mate-settings-daemon-1.5.4-3.fc17

mate-settings-daemon-1.5.4-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/mate-settings-daemon-1.5.4-3.fc18

mate-settings-daemon-1.5.4-3.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

mate-settings-daemon-1.5.4-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.