Bug 1094890 - (CVE-2014-5033) CVE-2014-5033 polkit-qt: insecure calling of polkit
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20140324,repo...
Keywords: Reopened, Security
Depends On: 1094891 1147368 1147369
Blocks: 1122585
Reported: 2014-05-06 13:06 EDT by Vincent Danen
Modified: 2015-11-25 05:12 EST (History)

Doc Type: Bug Fix
Doc Text:
It was found that polkit-qt handled authorization requests with PolicyKit via a D-Bus API that is vulnerable to a race condition. A local user could use this flaw to bypass intended PolicyKit authorizations.
Last Closed: 2014-10-07 00:54:24 EDT
External Trackers
Tracker ID: Red Hat Product Errata RHSA-2014:1359 | Priority: normal | Status: SHIPPED_LIVE | Summary: Important: polkit-qt security update | Last Updated: 2014-10-06 16:56:52 EDT
Description Vincent Danen 2014-05-06 13:06:06 EDT
Sebastian Krahmer reported a security issue in polkit (CVE-2013-4288, bz 1002375).  He has also since reported [1],[2] that KAuth (which uses polkit-qt) is vulnerable to the same issue.  The vulnerable function in this case is using:

PolkitQt1::UnixProcessSubject subject(pid)

The SUSE bug has more details and discussions with suggested patches, however they are currently not complete as they seem to not be obtaining much response/help from upstream.  There has not been any activity in the SUSE bug for over a month, however the issue is not resolved and no CVE has been assigned as of yet.


[1] http://seclists.org/oss-sec/2014/q1/642
[2] https://bugzilla.novell.com/show_bug.cgi?id=864716
Comment 1 Vincent Danen 2014-05-06 13:09:12 EDT
Created polkit-qt tracking bugs for this issue:

Affects: fedora-all [bug 1094891]
Comment 2 Martin Bříza 2014-05-13 06:42:41 EDT
Is there any reasonable documentation on this issue? I looked through the bug reports from the CVE for polkit but couldn't understand completely - is switching from polkit_unix_process_new(pid) to polkit_unix_process_new_for_owner(pid, 0, -1) enough or not? Or should we track the UID ourselves?
Or should we switch to SystemBusName authentication? How would it help with the problem?
The official generated docs on freedesktop.org say nothing about this (nor do they mark the _new and _new_full functions as deprecated)...
Thank you.
Comment 3 Vincent Danen 2014-05-14 12:49:24 EDT
More info is in the SUSE bug referenced in comment #0.  It sounded like they were going to try to engage upstream, but I'm not sure how successful they were as there is nothing for a month and a half.

Sorry, I don't know the appropriate way to fix this.  My hope would have been for upstream to be interested in fixing their code, and given they wrote it they would have the best idea on how to fix it properly.
Comment 4 Martin Bříza 2014-06-24 10:14:08 EDT
I am the upstream, and the SUSE guys are as vague as they can be in regard to explaining why usage of the new methods is invalid.
We're discussing the problem privately.
Comment 5 Vasyl Kaigorodov 2014-07-21 09:44:13 EDT
CVE has been requested for this issue: http://seclists.org/oss-sec/2014/q3/197
Also SUSE bug in comment #0 has some activity in it and might contain some more information.
Comment 6 Vasyl Kaigorodov 2014-07-23 10:28:06 EDT
CVE has been assigned to this: http://seclists.org/oss-sec/2014/q3/227
Comment 7 Marcus Meissner 2014-07-24 02:42:01 EDT
It is explained a bit better here:

http://www.openwall.com/lists/oss-security/2013/09/18/4

Basically:

- user process fires off dangerous DBUS operation

- DBUS service goes and verifies who called, asks policy kit

- user process in the meantime did "execv /bin/setuidrootbinary" and is a root process

- policykit (or dbus) sees "ok, it was a root process who called, all fine"

- dbus service executes bad thing.
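The timeline in comment 7, as an added Python illustration that is not code from this bug, polkit, polkit-qt or KAuth: authorize_racy re-derives the caller's uid from its pid at decision time, so a caller that has exec'd a setuid-root program in the meantime passes; authorize instead binds the subject to the credentials the kernel recorded when the peer connected (SO_PEERCRED) and to the process start time, the same (pid, start_time, uid) triple that polkit_unix_process_new_for_owner from comment 2 carries, and only uses /proc afterwards to confirm the pid has not been recycled. The Unix-socket transport and the /proc parsing are this example's own choices (Linux only), not how polkit or polkit-qt implement the check.

```python
import os
import socket
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    """Who sent the request, captured on arrival and never re-derived from the pid."""
    pid: int
    uid: int          # uid the kernel recorded for the caller at connect time
    start_time: int   # /proc/<pid>/stat field 22; detects a recycled pid

def proc_start_time(pid: int) -> int:
    """Start time in clock ticks; comm is parenthesised, so count from the last ')'."""
    with open(f"/proc/{pid}/stat") as f:
        stat = f.read()
    return int(stat[stat.rindex(")") + 2:].split()[19])  # field 22

def current_uid_of_pid(pid: int) -> int:
    """The racy lookup: the real uid the pid has *right now*, which a setuid-root program may have changed."""
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("Uid:"):
                return int(line.split()[1])
    raise RuntimeError(f"no Uid line for pid {pid}")

def subject_from_connection(conn: socket.socket) -> Subject:
    """Bind the subject to SO_PEERCRED, saved by the kernel at connect time, plus start time."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    pid, uid, _gid = struct.unpack("3i", raw)
    return Subject(pid=pid, uid=uid, start_time=proc_start_time(pid))

def authorize(subject: Subject, allowed_uids: set) -> bool:
    """Decide on the captured uid; /proc only confirms the pid is still the same process."""
    try:
        same_process = proc_start_time(subject.pid) == subject.start_time
    except FileNotFoundError:  # caller already exited
        same_process = False
    return same_process and subject.uid in allowed_uids

def authorize_racy(pid: int, allowed_uids: set) -> bool:
    """The pattern behind the bug: identity re-derived from the pid at decision time."""
    return current_uid_of_pid(pid) in allowed_uids

def self_subject():
    """Demo helper: the subject for a connection made by this very process."""
    a, b = socket.socketpair()
    with a, b:
        return subject_from_connection(a), os.getpid(), os.getuid()
```

Binding to a D-Bus unique name works the same way in principle, since dbus-daemon records the connection's credentials once and answers later queries from that record rather than from the current state of the pid.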
Comment 8 Martin Bříza 2014-08-19 10:29:54 EDT
Closed by polkit-qt-0.122.0-1 in the library.
KAuth will be fixed upstream in kdelibs-4.14.
Comment 9 Rex Dieter 2014-08-19 10:33:57 EDT
I assume you mean polkit-qt-0.112-1 here?  (I see no updates for it yet)
Comment 12 Fedora Update System 2014-09-19 06:09:42 EDT
polkit-qt-0.112.0-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2014-09-19 06:19:18 EDT
polkit-qt-0.112.0-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Kevin Kofler 2014-09-22 13:15:07 EDT
> KAuth will be fixed upstream in kdelibs-4.14.

So this means we need kdelibs updates too, doesn't it?

F20 is getting 4.14.1 now, it should probably be marked as a security update.
F19 needs a security update with a backported patch (or are we going to upgrade kdelibs from 4.11.5 to 4.14.x there? I'm not sure it's a good idea, despite the long-ongoing kdelibs feature freeze).
Comment 15 Ngo Than 2014-09-23 04:31:18 EDT
I think we need kdelibs updates too. And for F19 I think we should backport the fix.
Comment 16 Ngo Than 2014-09-23 05:37:07 EDT
kdelibs-4.11.5-5.fc19 is built with the security fix.

http://koji.fedoraproject.org/koji/taskinfo?taskID=7662104
Comment 18 Fedora Update System 2014-09-27 05:43:11 EDT
akonadi-1.13.0-2.fc20, libkgapi-2.2.0-1.fc20, libkolab-0.5.2-1.fc20, amor-4.14.1-1.fc20, analitza-4.14.1-1.fc20, ark-4.14.1-1.fc20, audiocd-kio-4.14.1-1.fc20, baloo-4.14.1-1.fc20, baloo-widgets-4.14.1-1.fc20, blinken-4.14.1-1.fc20, cantor-4.14.1-1.fc20, dragon-4.14.1-1.fc20, filelight-4.14.1-1.fc20, gwenview-4.14.1-1.fc20, jovie-4.14.1-1.fc20, juk-4.14.1-1.fc20, kaccessible-4.14.1-1.fc20, kalgebra-4.14.1-1.fc20, kalzium-4.14.1-1.fc20, kamera-4.14.1-1.fc20, kanagram-4.14.1-1.fc20, kate-4.14.1-1.fc20, kbruch-4.14.1-1.fc20, kcalc-4.14.1-1.fc20, kcharselect-4.14.1-1.fc20, kcolorchooser-4.14.1-1.fc20, kcron-4.14.1-1.fc20, kde-base-artwork-4.14.1-1.fc20, kde-l10n-4.14.1-1.fc20, kde-print-manager-4.14.1-1.fc20, kde-runtime-4.14.1-1.fc20, kde-wallpapers-4.14.1-1.fc20, kdeaccessibility-4.14.1-1.fc20, kdeadmin-4.14.1-1.fc20, kdeartwork-4.14.1-1.fc20, kdebindings-4.14.1-1.fc20, kdeedu-4.14.1-1.fc20, kdegraphics-4.14.1-1.fc20, kdegraphics-mobipocket-4.14.1-1.fc20, kdegraphics-strigi-analyzer-4.14.1-1.fc20, kdegraphics-thumbnailers-4.14.1-1.fc20, kdelibs-4.14.1-1.fc20, kdemultimedia-4.14.1-1.fc20, kdenetwork-4.14.1-1.fc20, kdenetwork-filesharing-4.14.1-1.fc20, kdenetwork-strigi-analyzers-4.14.1-1.fc20, kdepim-4.14.1-1.fc20, kdepim-runtime-4.14.1-2.fc20, kdepimlibs-4.14.1-1.fc20, kdeplasma-addons-4.14.1-1.fc20, kdetoys-4.14.1-1.fc20, kdeutils-4.14.1-1.fc20, kdf-4.14.1-1.fc20, kdnssd-4.14.1-1.fc20, kfilemetadata-4.14.1-1.fc20, kfloppy-4.14.1-1.fc20, kgamma-4.14.1-1.fc20, kgeography-4.14.1-1.fc20, kget-4.14.1-1.fc20, kgpg-4.14.1-1.fc20, khangman-4.14.1-1.fc20, kig-4.14.1-1.fc20, kimono-4.14.1-1.fc20, kiten-4.14.1-1.fc20, klettres-4.14.1-1.fc20, kmag-4.14.1-1.fc20, kmix-4.14.1-1.fc20, kmousetool-4.14.1-1.fc20, kmouth-4.14.1-1.fc20, kmplot-4.14.1-1.fc20, kolourpaint-4.14.1-1.fc20, kopete-4.14.1-1.fc20, kppp-4.14.1-1.fc20, kqtquickcharts-4.14.1-1.fc20, krdc-4.14.1-1.fc20, kremotecontrol-4.14.1-1.fc20, krfb-4.14.1-1.fc20, kross-interpreters-4.14.1-1.fc20, kruler-4.14.1-1.fc20, 
ksaneplugin-4.14.1-1.fc20, kscd-4.14.1-1.fc20, ksnapshot-4.14.1-1.fc20, kstars-4.14.1-1.fc20, ksystemlog-4.14.1-1.fc20, kteatime-4.14.1-1.fc20, ktimer-4.14.1-1.fc20, ktouch-4.14.1-1.fc20, kturtle-4.14.1-1.fc20, ktux-4.14.1-1.fc20, kuser-4.14.1-1.fc20, kwalletmanager-4.14.1-1.fc20, kwordquiz-4.14.1-1.fc20, libkcddb-4.14.1-1.fc20, libkcompactdisc-4.14.1-1.fc20, libkdcraw-4.14.1-1.fc20, libkdeedu-4.14.1-1.fc20, libkexiv2-4.14.1-2.fc20, libkipi-4.14.1-1.fc20, libksane-4.14.1-1.fc20, marble-4.14.1-1.fc20, nepomuk-core-4.14.1-1.fc20, nepomuk-widgets-4.14.1-1.fc20, okular-4.14.1-1.fc20, oxygen-icon-theme-4.14.1-1.fc20, pairs-4.14.1-1.fc20, parley-4.14.1-1.fc20, pykde4-4.14.1-1.fc20, qyoto-4.14.1-1.fc20, rocs-4.14.1-1.fc20, ruby-korundum-4.14.1-1.fc20, ruby-qt-4.14.1-1.fc20, smokegen-4.14.1-1.fc20, smokekde-4.14.1-1.fc20, smokeqt-4.14.1-1.fc20, step-4.14.1-1.fc20, superkaramba-4.14.1-1.fc20, svgpart-4.14.1-1.fc20, sweeper-4.14.1-1.fc20, kphotoalbum-4.5-2.fc20, subsurface-4.2-1.fc20.1, digikam-4.3.0-2.fc20, konsole-4.14.1-2.fc20, kde-baseapps-4.14.1-2.fc20, calligra-l10n-2.8.6-1.fc20, calligra-2.8.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Martin Prpič 2014-10-06 03:27:31 EDT
IssueDescription:

It was found that polkit-qt handled authorization requests with PolicyKit via a D-Bus API that is vulnerable to a race condition. A local user could use this flaw to bypass intended PolicyKit authorizations.
Comment 22 errata-xmlrpc 2014-10-06 12:57:02 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1359 https://rhn.redhat.com/errata/RHSA-2014-1359.html
Comment 24 Fedora Update System 2014-10-10 11:56:32 EDT
kdelibs-4.11.5-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
