Bug 844967 - (CVE-2013-4324) VUL-1: CVE-2013-4324: spice-gtk: fix polkit pid race problem
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P4 - Low, Minor
Assigned To: Dominique Leuenberger
Reported: 2013-10-09 13:56 UTC by Marcus Meissner
Modified: 2019-05-01 16:09 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2013-10-09 13:56:32 UTC

spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.

Comment 1 Dominique Leuenberger 2013-10-09 15:05:27 UTC
openSUSE 13.1 / Factory are not affected; spice-gtk 0.21 (as shipped there) already contains the fix.

(checked with
 grep polkit_unix_process_new . -r)

for 12.2 / 12.3:

202719  State:new        By:dimstar      When:2013-10-09T15:03:05
        maintenance_incident: home:dimstar:bnc844967/spice-gtk.openSUSE_12.2_Update -> openSUSE:Maintenance (release in openSUSE:12.2:Update)
        maintenance_incident: home:dimstar:bnc844967/spice-gtk.openSUSE_12.3_Update -> openSUSE:Maintenance (release in openSUSE:12.3:Update)
        Descr: Release fix for bnc#844967 for openSUSE 12.2 and 12.3  Will make
               a sep. submission for Factory / 13.1.
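
The grep check from Comment 1, as an added example that is not part of the original comment or of spice-gtk: a plain substring match also hits longer identifiers such as polkit_unix_process_new_for_owner and mentions in comments or strings, so this Python script reports only real call sites of the pid-only constructor. The function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Call to the pid-only constructor; longer names that merely contain it
# (e.g. polkit_unix_process_new_for_owner) do not match.
CALL = re.compile(r"(?<![A-Za-z0-9_])polkit_unix_process_new\s*\(")
# C comments and string literals, blanked so mentions are not reported.
NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)

def _blank(m):
    # Keep newlines so reported line numbers stay correct.
    return re.sub(r"[^\n]", " ", m.group(0))

def find_pid_only_subjects(root):
    """Return (relative path, line number) for each call site under root."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if path.suffix not in {".c", ".h"} or not path.is_file():
            continue
        text = NOISE.sub(_blank, path.read_text(errors="replace"))
        for m in CALL.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((path.relative_to(root).as_posix(), line))
    return hits

# Constructed sample tree, not spice-gtk source.
SAMPLE = {
    "helper.c": (
        "/* old: polkit_unix_process_new (pid) */\n"
        "subject = polkit_unix_process_new (pid);\n"
        "other = polkit_unix_process_new_for_owner (pid, start, uid);\n"
        'g_debug ("polkit_unix_process_new(%d)", pid);\n'
    ),
    "README": "polkit_unix_process_new (pid)\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            Path(tmp, name).write_text(body)
        return find_pid_only_subjects(tmp)

if __name__ == "__main__":
    for rel, line in demo():
        print(f"{rel}:{line}")
```

On the sample tree only line 2 of helper.c is reported; the comment, the string literal, the longer constructor name and the non-C file are ignored.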
Comment 2 Marcus Meissner 2013-10-09 15:24:30 UTC
the src project is not there somehow

osc meta prj home:dimstar:bnc844967
Server returned an error: HTTP Error 404: Not Found
Comment 3 Dominique Leuenberger 2013-10-09 15:50:35 UTC
> osc meta prj home:dimstar:bnc844967
<project name="home:dimstar:bnc844967">
  <title>Branch project for package spice-gtk</title>
  <description>This project was created for package spice-gtk via attribute OBS:Maintained</description>
  <person userid="dimstar" role="maintainer"/>
  <repository name="openSUSE_12.3_Update_ports">
    <releasetarget project="openSUSE:12.3:Update" repository="ports"/>
    <path project="openSUSE:12.3:Update" repository="ports"/>
  </repository>
  <repository name="openSUSE_12.3_Update">
    <releasetarget project="openSUSE:12.3:Update" repository="standard"/>
    <path project="openSUSE:12.3:Update" repository="standard"/>
  </repository>
  <repository name="openSUSE_12.2_Update">
    <releasetarget project="openSUSE:12.2:Update" repository="standard"/>
    <path project="openSUSE:12.2:Update" repository="standard"/>
  </repository>
</project>

oohh.. I did a --noaccess.. that's why.. let me remove that (the vul anyway is public)
Comment 4 Bernhard Wiedemann 2013-10-09 16:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (844967) was mentioned in
https://build.opensuse.org/request/show/202719 12.2+12.3 / spice-gtk
Comment 5 Swamp Workflow Management 2013-10-11 07:42:03 UTC
bugbot adjusting priority
Comment 6 Swamp Workflow Management 2013-10-22 09:04:27 UTC
openSUSE-SU-2013:1562-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 844967
CVE References: CVE-2013-4324
Sources used:
openSUSE 12.3 (src):    spice-gtk-0.14-3.4.1
openSUSE 12.2 (src):    spice-gtk-0.12-2.4.1
Comment 7 Marcus Meissner 2013-10-22 09:15:34 UTC