Hide Forgot
gnome-system-log-3.6.0-1.fc18 is set up so that > $ gnome-system-log executes "logview" as root through pkexec, only asking for the invoking user's password (because the org.gnome.logview.config.date.pkexec.run (sic) action has default policy auth_self_keep). Running an X11 application as root in a session of a completely unprivileged user is risky enough in itself; however logview also allows (via the "wheel" button/Open) opening any file on the system, including /etc/shadow. This is at least a confidentiality violation; reading various authentication cookies or ssh private keys might even allow this to be amplified into a privilege escalation. Please change the polkit policy to one of the auth_admin_* ones.
This is corrected in Fedora 18: http://koji.fedoraproject.org/koji/buildinfo?buildID=367561 http://pkgs.fedoraproject.org/cgit/gnome-system-log.git/commit/?h=f18
And is currently in Fedora 17 testing: https://admin.fedoraproject.org/updates/gnome-system-log-3.4.1-3.fc17
Note that this is due to a patch specific to Fedora and should not affect other vendors. Statement: Not vulnerable. This issue did not affect the versions of gnome-utils as shipped with Red Hat Enterprise Linux 5 and 6 as they used usermode to request privileges, not pkexec.
gnome-system-log-3.6.1-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
gnome-system-log-3.4.1-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.