Bugzilla – Bug 844967
VUL-1: CVE-2013-4324: spice-gtk: fix polkit pid race problem
Last modified: 2019-05-01 16:09:47 UTC
CVE-2013-4324

spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.

References:
http://secunia.com/advisories/54947
http://www.securityfocus.com/bid/62538
https://rhn.redhat.com/errata/RHSA-2013-1273.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4324
https://bugzilla.redhat.com/show_bug.cgi?id=1006669
http://www.openwall.com/lists/oss-security/2013/09/18/6
openSUSE 13.1 / Factory are not affected; spice-gtk 0.21 (as shipped there) already contains the fix (checked with grep polkit_unix_process_new . -r).

For 12.2 / 12.3:

202719 State:new By:dimstar When:2013-10-09T15:03:05
maintenance_incident: home:dimstar:bnc844967/spice-gtk.openSUSE_12.2_Update -> openSUSE:Maintenance (release in openSUSE:12.2:Update)
maintenance_incident: home:dimstar:bnc844967/spice-gtk.openSUSE_12.3_Update -> openSUSE:Maintenance (release in openSUSE:12.3:Update)
Descr: Release fix for bnc#844967 for openSUSE 12.2 and 12.3

Will make a sep. submission for Factory / 13.1.
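The grep check quoted in the comment above, as an added example that is not part of the original bug report or of spice-gtk: a plain substring grep for polkit_unix_process_new also matches the longer libpolkit constructor names polkit_unix_process_new_full and polkit_unix_process_new_for_owner, as well as mentions in comments and strings. This sketch reports only real calls to the pid-only constructor named in the CVE text; the helper names and the sample source are constructed for illustration.

```python
import re
from pathlib import Path

# The pid-only constructor named in the CVE text.
RACY = "polkit_unix_process_new"

# Comments and string literals are blanked so mentions in them do not count.
_SKIP = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.DOTALL)
# Any call whose name starts with the pid-only constructor's name.
_CALL = re.compile(r'\b(polkit_unix_process_new\w*)\s*\(')

# Constructed sample input (not spice-gtk code).
SAMPLE = '''\
/* constructed sample */
// polkit_unix_process_new(pid) in a comment is ignored
static void check(gint pid, gint uid)
{
    PolkitSubject *a = polkit_unix_process_new (pid);
    PolkitSubject *b = polkit_unix_process_new_for_owner(pid, 0, uid);
    g_debug("polkit_unix_process_new(%d)", pid);
}
'''

def _blank(match):
    # Replace with spaces but keep newlines so line numbers stay correct.
    return re.sub(r'[^\n]', ' ', match.group(0))

def find_calls(source):
    """Return [(line, name)] for every polkit_unix_process_new* call."""
    code = _SKIP.sub(_blank, source)
    return [(code.count("\n", 0, m.start()) + 1, m.group(1))
            for m in _CALL.finditer(code)]

def audit_tree(root):
    """Map relative path -> lines that call the pid-only constructor."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix not in (".c", ".h") or not path.is_file():
            continue
        found = find_calls(path.read_text(errors="replace"))
        lines = [line for line, name in found if name == RACY]
        if lines:
            hits[path.relative_to(root).as_posix()] = lines
    return hits

if __name__ == "__main__":
    for line, name in find_calls(SAMPLE):
        print(line, name, "<- pid-only subject" if name == RACY else "")
```

An empty result from audit_tree on an unpacked source tree corresponds to the "no matches" outcome the comment relies on, without false hits from the other constructors.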
the src project is not there somehow

osc meta prj home:dimstar:bnc844967
Server returned an error: HTTP Error 404: Not Found
home:dimstar:bnc844967
> osc meta prj home:dimstar:bnc844967
<project name="home:dimstar:bnc844967">
  <title>Branch project for package spice-gtk</title>
  <description>This project was created for package spice-gtk via attribute OBS:Maintained</description>
  <person userid="dimstar" role="maintainer"/>
  <build>
    <disable/>
  </build>
  <publish>
    <disable/>
  </publish>
  <debuginfo>
    <enable/>
    <enable/>
  </debuginfo>
  <access>
    <disable/>
  </access>
  <repository name="openSUSE_12.3_Update_ports">
    <releasetarget project="openSUSE:12.3:Update" repository="ports"/>
    <path project="openSUSE:12.3:Update" repository="ports"/>
    <arch>armv7l</arch>
    <arch>ppc</arch>
    <arch>ppc64</arch>
  </repository>
  <repository name="openSUSE_12.3_Update">
    <releasetarget project="openSUSE:12.3:Update" repository="standard"/>
    <path project="openSUSE:12.3:Update" repository="standard"/>
    <arch>i586</arch>
    <arch>x86_64</arch>
  </repository>
  <repository name="openSUSE_12.2_Update">
    <releasetarget project="openSUSE:12.2:Update" repository="standard"/>
    <path project="openSUSE:12.2:Update" repository="standard"/>
    <arch>i586</arch>
    <arch>x86_64</arch>
  </repository>
</project>

oohh.. I did a --noaccess.. that's why.. let me remove that (the vul anyway is public)
This is an autogenerated message for OBS integration:
This bug (844967) was mentioned in
https://build.opensuse.org/request/show/202719 12.2+12.3 / spice-gtk
bugbot adjusting priority
openSUSE-SU-2013:1562-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 844967
CVE References: CVE-2013-4324
Sources used:
openSUSE 12.3 (src): spice-gtk-0.14-3.4.1
openSUSE 12.2 (src): spice-gtk-0.12-2.4.1
released