Bug 878102 - (CVE-2012-5560) CVE-2012-5560 mate-settings-daemon: Any unprivileged user can change the system's timezone
CVE-2012-5560 mate-settings-daemon: Any unprivileged user can change the syst...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20121120,repor...
: Security
Depends On: 879044
Blocks:
  Show dependency treegraph
 
Reported: 2012-11-19 11:40 EST by Miloslav Trmač
Modified: 2015-08-19 05:18 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-01 16:31:16 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Miloslav Trmač 2012-11-19 11:40:15 EST
Version-Release number of selected component (if applicable):
e.g. mate-settings-daemon-1.5.3-1.fc8

mate-settings-daemon's datetime mechanism provides a D-Bus method to set the timezone, which is guarded by polkit's action org.mate.settingsdaemon.datetimemechanism.settimezone; this has the default policy "auth_self_keep", which allows any local user to perform the operation with only knowing their own password.

This seems not to be currently exposed in the mate UI, but it is available through manual D-Bus calls, e.g. 
> dbus-send --system --print-reply --type=method_call --dest=org.mate.SettingsDaemon.DateTimeMechanism / org.mate.SettingsDaemon.DateTimeMechanism.SetTimezone string:/usr/share/zoneinfo/Cuba 

Because the time zone setting is a global resource, it should be restricted to system administrators (== root or users in the "wheel" group), by having a policy auth_admin_*.  That's also what the other timezone setting mechanisms (in systemd and control-center) do.
Comment 1 Vincent Danen 2012-11-21 17:10:14 EST
I can confirm this on Fedora 17 as well.
Comment 2 Vincent Danen 2012-11-21 17:15:57 EST
I'm going to make this issue public, it's not something we need to keep private, and we also should get this fixed in Fedora ASAP.  Just changing the allow_active setting from "auth_self_keep" to "auth_admin" will work.
Comment 3 Vincent Danen 2012-11-21 17:16:37 EST
Created mate-settings-daemon tracking bugs for this issue

Affects: fedora-all [bug 879044]
Comment 4 Fedora Update System 2012-11-27 00:13:22 EST
mate-settings-daemon-1.5.3-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.