Bug 878102 (CVE-2012-5560) - CVE-2012-5560 mate-settings-daemon: Any unprivileged user can change the system's timezone
Summary: CVE-2012-5560 mate-settings-daemon: Any unprivileged user can change the syst...
Alias: CVE-2012-5560
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 879044
TreeView+ depends on / blocked
Reported: 2012-11-19 16:40 UTC by Miloslav Trmač
Modified: 2019-09-29 12:57 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-12-01 21:31:16 UTC

Attachments (Terms of Use)

Description Miloslav Trmač 2012-11-19 16:40:15 UTC
Version-Release number of selected component (if applicable):
e.g. mate-settings-daemon-1.5.3-1.fc8

mate-settings-daemon's datetime mechanism provides a D-Bus method to set the timezone, which is guarded by polkit's action org.mate.settingsdaemon.datetimemechanism.settimezone; this has the default policy "auth_self_keep", which allows any local user to perform the operation with only knowing their own password.

This seems not to be currently exposed in the mate UI, but it is available through manual D-Bus calls, e.g. 
> dbus-send --system --print-reply --type=method_call --dest=org.mate.SettingsDaemon.DateTimeMechanism / org.mate.SettingsDaemon.DateTimeMechanism.SetTimezone string:/usr/share/zoneinfo/Cuba 

Because the time zone setting is a global resource, it should be restricted to system administrators (== root or users in the "wheel" group), by having a policy auth_admin_*.  That's also what the other timezone setting mechanisms (in systemd and control-center) do.

Comment 1 Vincent Danen 2012-11-21 22:10:14 UTC
I can confirm this on Fedora 17 as well.

Comment 2 Vincent Danen 2012-11-21 22:15:57 UTC
I'm going to make this issue public, it's not something we need to keep private, and we also should get this fixed in Fedora ASAP.  Just changing the allow_active setting from "auth_self_keep" to "auth_admin" will work.

Comment 3 Vincent Danen 2012-11-21 22:16:37 UTC
Created mate-settings-daemon tracking bugs for this issue

Affects: fedora-all [bug 879044]

Comment 4 Fedora Update System 2012-11-27 05:13:22 UTC
mate-settings-daemon-1.5.3-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.