Bug 1094890 (CVE-2014-5033) - CVE-2014-5033 polkit-qt: insecure calling of polkit
Summary: CVE-2014-5033 polkit-qt: insecure calling of polkit
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-5033
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1094891 1147368 1147369
Blocks: 1122585
TreeView+ depends on / blocked
 
Reported: 2014-05-06 17:06 UTC by Vincent Danen
Modified: 2019-09-29 13:17 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that polkit-qt handled authorization requests with PolicyKit via a D-Bus API that is vulnerable to a race condition. A local user could use this flaw to bypass intended PolicyKit authorizations.
Clone Of:
Environment:
Last Closed: 2014-10-07 04:54:24 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1359 normal SHIPPED_LIVE Important: polkit-qt security update 2014-10-06 20:56:52 UTC

Description Vincent Danen 2014-05-06 17:06:06 UTC
Sebastian Krahmer reported a security issue in polkit (CVE-2013-4288, bz 1002375).  He also since reported [1],[2] that KAuth (which uses polkit-qt) is vulnerable to the same issue.  The vulnerable function in this case is using:

PolkitQt1::UnixProcessSubject subject(pid)

The SUSE bug has more details and discussions with suggested patches, however they are currently not complete as they seem to not be obtaining much response/help from upstream.  There has not been any activity in the SUSE bug for over a month, however the issue is not resolved and no CVE has been assigned as of yet.


[1] http://seclists.org/oss-sec/2014/q1/642
[2] https://bugzilla.novell.com/show_bug.cgi?id=864716

Comment 1 Vincent Danen 2014-05-06 17:09:12 UTC
Created polkit-qt tracking bugs for this issue:

Affects: fedora-all [bug 1094891]

Comment 2 Martin Bříza 2014-05-13 10:42:41 UTC
Is there any reasonable documentation on this issue? I looked through the bugreports from the CVE for polkit but couldn't understand completely - is switching from polkit_unix_process_new(pid) to polkit_unix_process_new_for_owner(pid, 0, -1) enough or not? Or should we track the the UID ourselves?
Or should we switch to SystemBusName authentication? How would it help with the problem?
The official generated docs on freedesktop.org say nothing about this (neither they mark the _new and _new_full functions deprecated)...
Thank you.

Comment 3 Vincent Danen 2014-05-14 16:49:24 UTC
More info is in the SUSE bug referenced in comment #0.  It sounded like they were going to try to engage upstream, but I'm not sure how successful they were as there is nothing for a month and a half.

Sorry, I don't know the appropriate way to fix this.  My hope would have been for upstream to be interested in fixing their code, and given they wrote it they would have the best idea on how to fix it properly.

Comment 4 Martin Bříza 2014-06-24 14:14:08 UTC
I am the upstream and the SUSE guys are as vague in regards of explaining why usage of the new methods is invalid as they can be.
We're discussing the problem privately.

Comment 5 Vasyl Kaigorodov 2014-07-21 13:44:13 UTC
CVE has been requested for this issue: http://seclists.org/oss-sec/2014/q3/197
Also SUSE bug in comment #0 has some activity in it and might contain some more information.

Comment 6 Vasyl Kaigorodov 2014-07-23 14:28:06 UTC
CVE has been assigned to this: http://seclists.org/oss-sec/2014/q3/227

Comment 7 Marcus Meissner 2014-07-24 06:42:01 UTC
It is explained a bit better here:

http://www.openwall.com/lists/oss-security/2013/09/18/4

Basically:

- user process fires off dangerous DBUS operation

- DBUS service goes and verifies who called, asks policy kit

- user process in the meantime did "execv /bin/setuidrootbinary" and is a root process

- policykit (or dbus) sees "ok, it was a root process who called, all fine"

- dbus service executes bad thing.

Comment 8 Martin Bříza 2014-08-19 14:29:54 UTC
Closed by polkit-qt-0.122.0-1 in the library.
KAuth will be fixed upstream in kdelibs-4.14.

Comment 9 Rex Dieter 2014-08-19 14:33:57 UTC
I assume you mean polkit-qt-0.112-1 here?  (I see no updates for it yet)

Comment 12 Fedora Update System 2014-09-19 10:09:42 UTC
polkit-qt-0.112.0-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2014-09-19 10:19:18 UTC
polkit-qt-0.112.0-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Kevin Kofler 2014-09-22 17:15:07 UTC
> KAuth will be fixed upstream in kdelibs-4.14.

So this means we need kdelibs updates too, doesn't it?

F20 is getting 4.14.1 now, it should probably be marked as a security update.
F19 needs a security update with a backported patch (or are we going to upgrade kdelibs from 4.11.5 to 4.14.x there? I'm not sure it's a good idea, despite the long-ongoing kdelibs feature freeze).

Comment 15 Ngo Than 2014-09-23 08:31:18 UTC
i think we need kdelibs updates too. And for f19 i think we should do backport the fix.

Comment 16 Ngo Than 2014-09-23 09:37:07 UTC
kdelibs-4.11.5-5.fc19 is built with the security fix.

http://koji.fedoraproject.org/koji/taskinfo?taskID=7662104

Comment 18 Fedora Update System 2014-09-27 09:43:11 UTC
akonadi-1.13.0-2.fc20, libkgapi-2.2.0-1.fc20, libkolab-0.5.2-1.fc20, amor-4.14.1-1.fc20, analitza-4.14.1-1.fc20, ark-4.14.1-1.fc20, audiocd-kio-4.14.1-1.fc20, baloo-4.14.1-1.fc20, baloo-widgets-4.14.1-1.fc20, blinken-4.14.1-1.fc20, cantor-4.14.1-1.fc20, dragon-4.14.1-1.fc20, filelight-4.14.1-1.fc20, gwenview-4.14.1-1.fc20, jovie-4.14.1-1.fc20, juk-4.14.1-1.fc20, kaccessible-4.14.1-1.fc20, kalgebra-4.14.1-1.fc20, kalzium-4.14.1-1.fc20, kamera-4.14.1-1.fc20, kanagram-4.14.1-1.fc20, kate-4.14.1-1.fc20, kbruch-4.14.1-1.fc20, kcalc-4.14.1-1.fc20, kcharselect-4.14.1-1.fc20, kcolorchooser-4.14.1-1.fc20, kcron-4.14.1-1.fc20, kde-base-artwork-4.14.1-1.fc20, kde-l10n-4.14.1-1.fc20, kde-print-manager-4.14.1-1.fc20, kde-runtime-4.14.1-1.fc20, kde-wallpapers-4.14.1-1.fc20, kdeaccessibility-4.14.1-1.fc20, kdeadmin-4.14.1-1.fc20, kdeartwork-4.14.1-1.fc20, kdebindings-4.14.1-1.fc20, kdeedu-4.14.1-1.fc20, kdegraphics-4.14.1-1.fc20, kdegraphics-mobipocket-4.14.1-1.fc20, kdegraphics-strigi-analyzer-4.14.1-1.fc20, kdegraphics-thumbnailers-4.14.1-1.fc20, kdelibs-4.14.1-1.fc20, kdemultimedia-4.14.1-1.fc20, kdenetwork-4.14.1-1.fc20, kdenetwork-filesharing-4.14.1-1.fc20, kdenetwork-strigi-analyzers-4.14.1-1.fc20, kdepim-4.14.1-1.fc20, kdepim-runtime-4.14.1-2.fc20, kdepimlibs-4.14.1-1.fc20, kdeplasma-addons-4.14.1-1.fc20, kdetoys-4.14.1-1.fc20, kdeutils-4.14.1-1.fc20, kdf-4.14.1-1.fc20, kdnssd-4.14.1-1.fc20, kfilemetadata-4.14.1-1.fc20, kfloppy-4.14.1-1.fc20, kgamma-4.14.1-1.fc20, kgeography-4.14.1-1.fc20, kget-4.14.1-1.fc20, kgpg-4.14.1-1.fc20, khangman-4.14.1-1.fc20, kig-4.14.1-1.fc20, kimono-4.14.1-1.fc20, kiten-4.14.1-1.fc20, klettres-4.14.1-1.fc20, kmag-4.14.1-1.fc20, kmix-4.14.1-1.fc20, kmousetool-4.14.1-1.fc20, kmouth-4.14.1-1.fc20, kmplot-4.14.1-1.fc20, kolourpaint-4.14.1-1.fc20, kopete-4.14.1-1.fc20, kppp-4.14.1-1.fc20, kqtquickcharts-4.14.1-1.fc20, krdc-4.14.1-1.fc20, kremotecontrol-4.14.1-1.fc20, krfb-4.14.1-1.fc20, kross-interpreters-4.14.1-1.fc20, kruler-4.14.1-1.fc20, ksaneplugin-4.14.1-1.fc20, kscd-4.14.1-1.fc20, ksnapshot-4.14.1-1.fc20, kstars-4.14.1-1.fc20, ksystemlog-4.14.1-1.fc20, kteatime-4.14.1-1.fc20, ktimer-4.14.1-1.fc20, ktouch-4.14.1-1.fc20, kturtle-4.14.1-1.fc20, ktux-4.14.1-1.fc20, kuser-4.14.1-1.fc20, kwalletmanager-4.14.1-1.fc20, kwordquiz-4.14.1-1.fc20, libkcddb-4.14.1-1.fc20, libkcompactdisc-4.14.1-1.fc20, libkdcraw-4.14.1-1.fc20, libkdeedu-4.14.1-1.fc20, libkexiv2-4.14.1-2.fc20, libkipi-4.14.1-1.fc20, libksane-4.14.1-1.fc20, marble-4.14.1-1.fc20, nepomuk-core-4.14.1-1.fc20, nepomuk-widgets-4.14.1-1.fc20, okular-4.14.1-1.fc20, oxygen-icon-theme-4.14.1-1.fc20, pairs-4.14.1-1.fc20, parley-4.14.1-1.fc20, pykde4-4.14.1-1.fc20, qyoto-4.14.1-1.fc20, rocs-4.14.1-1.fc20, ruby-korundum-4.14.1-1.fc20, ruby-qt-4.14.1-1.fc20, smokegen-4.14.1-1.fc20, smokekde-4.14.1-1.fc20, smokeqt-4.14.1-1.fc20, step-4.14.1-1.fc20, superkaramba-4.14.1-1.fc20, svgpart-4.14.1-1.fc20, sweeper-4.14.1-1.fc20, kphotoalbum-4.5-2.fc20, subsurface-4.2-1.fc20.1, digikam-4.3.0-2.fc20, konsole-4.14.1-2.fc20, kde-baseapps-4.14.1-2.fc20, calligra-l10n-2.8.6-1.fc20, calligra-2.8.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Martin Prpič 2014-10-06 07:27:31 UTC
IssueDescription:

It was found that polkit-qt handled authorization requests with PolicyKit via a D-Bus API that is vulnerable to a race condition. A local user could use this flaw to bypass intended PolicyKit authorizations.

Comment 22 errata-xmlrpc 2014-10-06 16:57:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1359 https://rhn.redhat.com/errata/RHSA-2014-1359.html

Comment 24 Fedora Update System 2014-10-10 15:56:32 UTC
kdelibs-4.11.5-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.