Bug 844967 - (CVE-2013-4324) VUL-1: CVE-2013-4324: spice-gtk: fix polkit pid race problem
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Dominique Leuenberger
Security Team bot
CVSSv2:NVD:CVE-2013-4324:4.6:(AV:L/A...
Reported: 2013-10-09 13:56 UTC by Marcus Meissner
Modified: 2019-05-01 16:09 UTC
Found By: Security Response Team
Description Marcus Meissner 2013-10-09 13:56:32 UTC
CVE-2013-4324

spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.

References:
http://secunia.com/advisories/54947
http://www.securityfocus.com/bid/62538
https://rhn.redhat.com/errata/RHSA-2013-1273.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4324
https://bugzilla.redhat.com/show_bug.cgi?id=1006669
http://www.openwall.com/lists/oss-security/2013/09/18/6
Comment 1 Dominique Leuenberger 2013-10-09 15:05:27 UTC
openSUSE 13.1 / Factory are not affected; spice-gtk 0.21 (as shipped there) already contains the fix.

(checked with
 grep polkit_unix_process_new . -r
)

for 12.2 / 12.3:

202719  State:new        By:dimstar      When:2013-10-09T15:03:05
        maintenance_incident: home:dimstar:bnc844967/spice-gtk.openSUSE_12.2_Update -> openSUSE:Maintenance (release in openSUSE:12.2:Update)
        maintenance_incident: home:dimstar:bnc844967/spice-gtk.openSUSE_12.3_Update -> openSUSE:Maintenance (release in openSUSE:12.3:Update)
        Descr: Release fix for bnc#844967 for openSUSE 12.2 and 12.3  Will make
               a sep. submission for Factory / 13.1.
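
The `grep polkit_unix_process_new . -r` check in Comment 1 is a substring search, so it also reports the longer-named constructors `polkit_unix_process_new_full` and `polkit_unix_process_new_for_owner`. The following is an added example, not part of the bug report or of spice-gtk (function names and sample files are constructed for illustration), that separates the PID-only constructor named in the CVE from those variants:

```shell
#!/usr/bin/env bash
# Added example, not from the bug report or the spice-gtk sources.
# The sample files written below are constructed for illustration.

# Print "<kind> <file>:<line>" for every polkit_unix_process_new* call site.
#   pid-only : polkit_unix_process_new(), the function named in CVE-2013-4324
#   variant  : longer-named constructors (_full, _for_owner) that a plain
#              substring grep would report as well
classify_polkit_subjects() {
    grep -rnoE '(^|[^A-Za-z0-9_])polkit_unix_process_new[A-Za-z0-9_]*[[:space:]]*\(' "$1" |
    while IFS=: read -r file line match; do
        case $match in
            *polkit_unix_process_new_*) kind=variant ;;
            *)                          kind=pid-only ;;
        esac
        printf '%s %s:%s\n' "$kind" "$file" "$line"
    done
}

# Exit status 0 when the tree still contains a PID-only subject.
has_pid_only_subject() {
    classify_polkit_subjects "$1" | grep -q '^pid-only '
}

# Build two constructed one-file trees under a temp dir and print its path.
make_sample_trees() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/a" "$root/b"
    printf '%s\n' '/* constructed sample */' \
        'subject = polkit_unix_process_new (pid);' > "$root/a/helper.c"
    printf '%s\n' '/* constructed sample */' \
        'subject = polkit_unix_process_new_for_owner (pid, 0, uid);' > "$root/b/helper.c"
    printf '%s\n' "$root"
}

demo_root=$(make_sample_trees)
for tree in a b; do
    if has_pid_only_subject "$demo_root/$tree"; then
        echo "$tree: PID-only polkit subject still present"
    else
        echo "$tree: no PID-only polkit subject"
    fi
done
rm -rf "$demo_root"
```
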
Comment 2 Marcus Meissner 2013-10-09 15:24:30 UTC
the src project is not there somehow

osc meta prj home:dimstar:bnc844967
Server returned an error: HTTP Error 404: Not Found
home:dimstar:bnc844967
Comment 3 Dominique Leuenberger 2013-10-09 15:50:35 UTC
> osc meta prj home:dimstar:bnc844967
<project name="home:dimstar:bnc844967">
  <title>Branch project for package spice-gtk</title>
  <description>This project was created for package spice-gtk via attribute OBS:Maintained</description>
  <person userid="dimstar" role="maintainer"/>
  <build>
    <disable/>
  </build>
  <publish>
    <disable/>
  </publish>
  <debuginfo>
    <enable/>
    <enable/>
  </debuginfo>
  <access>
    <disable/>
  </access>
  <repository name="openSUSE_12.3_Update_ports">
    <releasetarget project="openSUSE:12.3:Update" repository="ports"/>
    <path project="openSUSE:12.3:Update" repository="ports"/>
    <arch>armv7l</arch>
    <arch>ppc</arch>
    <arch>ppc64</arch>
  </repository>
  <repository name="openSUSE_12.3_Update">
    <releasetarget project="openSUSE:12.3:Update" repository="standard"/>
    <path project="openSUSE:12.3:Update" repository="standard"/>
    <arch>i586</arch>
    <arch>x86_64</arch>
  </repository>
  <repository name="openSUSE_12.2_Update">
    <releasetarget project="openSUSE:12.2:Update" repository="standard"/>
    <path project="openSUSE:12.2:Update" repository="standard"/>
    <arch>i586</arch>
    <arch>x86_64</arch>
  </repository>
</project>


oohh.. I did a --noaccess.. that's why.. let me remove that (the vul anyway is public)
Comment 4 Bernhard Wiedemann 2013-10-09 16:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (844967) was mentioned in
https://build.opensuse.org/request/show/202719 12.2+12.3 / spice-gtk
Comment 5 Swamp Workflow Management 2013-10-11 07:42:03 UTC
bugbot adjusting priority
Comment 6 Swamp Workflow Management 2013-10-22 09:04:27 UTC
openSUSE-SU-2013:1562-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 844967
CVE References: CVE-2013-4324
Sources used:
openSUSE 12.3 (src):    spice-gtk-0.14-3.4.1
openSUSE 12.2 (src):    spice-gtk-0.12-2.4.1
Comment 7 Marcus Meissner 2013-10-22 09:15:34 UTC
released