Bug 864716 - (CVE-2014-5033) VUL-0: CVE-2014-5033: libKF5Auth4.x86_64: W: suse-dbus-unauthorized-service /etc/dbus-1/system.d/org.kde.kf5auth.conf
(CVE-2014-5033)
VUL-0: CVE-2014-5033: libKF5Auth4.x86_64: W: suse-dbus-unauthorized-service /...
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
13.2 Milestone 0
Other Other
: P2 - High : Major (vote)
: ---
Assigned To: Security Team bot
E-mail List
CVSSv2:NVD:CVE-2013-4324:4.6:(AV...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-02-19 20:46 UTC by Hrvoje Senjan
Modified: 2019-05-01 16:09 UTC (History)
15 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
poor man's patch (1.53 KB, text/plain)
2014-03-25 21:33 UTC, Hrvoje Senjan
Details
Patch to KAuth (971 bytes, patch)
2014-07-16 15:59 UTC, Luca Beltrame
Details | Diff
Patch to KAuth v.2 (1.46 KB, text/plain)
2014-07-17 05:44 UTC, Hrvoje Senjan
Details
kdelibs4 patch (1.54 KB, text/plain)
2014-07-17 05:45 UTC, Hrvoje Senjan
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Hrvoje Senjan 2014-02-19 20:46:12 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.91 Safari/537.36 SUSE/33.0.1750.91

Source can be found at KDE:Frameworks5/kauth. As with kinit package, code is just ported to Qt5/KF5. org.kde.kf5auth.conf was renamed from org.kde.auth.conf so it can be co-installed with kdelibs4 package(s)
Thus - asking for whitelist =)
Thanks!

Reproducible: Always
Comment 1 Sebastian Krahmer 2014-03-10 13:30:20 UTC
Just noticed that KAuth is using 

PolkitQt1::UnixProcessSubject subject(pid);

which is polkit's deprecated way of checking authorizations: by pid.

UnixProcess subjects shall not be used. I am not familar on how
KAuth is used internally by KDE, but this doesnt look good.
Comment 2 Sebastian Krahmer 2014-03-18 08:04:21 UTC
Sent mail to some KDE developers and author of KAuth last week.
No presonse so far; escalating.
Comment 3 Sebastian Krahmer 2014-03-19 08:33:10 UTC
sent report to security@kde.org
Comment 4 Sebastian Krahmer 2014-03-24 09:29:20 UTC
sent to OSS-sec
Comment 5 Raymond Wooninck 2014-03-25 12:21:37 UTC
Sebastian, as a comment from my side. You indicate that KAuth is using a deprecated method from polkit. However if I look at building the bindings, I can only find the following deprecated method: 

[  104s] /home/abuild/rpmbuild/BUILD/polkit-qt-1-0.103.50/core/polkitqt1-subject.cpp:125:16: warning: 'PolkitSubject* polkit_unix_process_new(gint)' is deprecated (declared at /usr/include/polkit-1/polkit/polkitunixprocess.h:51): Use polkit_unix_process_new_for_owner instead [-Wdeprecated-declarations]
[  104s]      setSubject(polkit_unix_process_new(pid));

Is this the one you are referring ?  Otherwise it seems that Polkit didn't declare that particular way of checking authorizations as deprecated and would then be still a valid way. 

I don't think that KAuth is the issue here, but just the Qt-bindings around PolKit, which haven't been updated for the last two years. However checking a very recent PolKitQt-1 build against the polkit in factory, then the above is the only warning we receive about deprecated.
Comment 6 Raymond Wooninck 2014-03-25 12:55:59 UTC
Sebastian, Can you confirm that the above issue is based on the following bugreport https://bugzilla.redhat.com/show_bug.cgi?id=1002375  ?  

This is the CVE-2013-4288 polkit: unix-process subject for authorization is racy ? 

At this moment I have a possible patch for it and also the author of the polkit-qt bindings is looking into this one. 

Thanks
Comment 7 Sebastian Krahmer 2014-03-25 13:03:26 UTC
Right.
Comment 8 Sebastian Krahmer 2014-03-25 13:05:08 UTC
I have no idea whether the QT binding or the KAuth needs to be fixed.
But just passing the pid is definitely wrong.
Comment 9 Raymond Wooninck 2014-03-25 13:12:00 UTC
Sebastian, 

KAuth doesn't directly communicate with PolKit, but does this through the Qt bindings for PolKit. Therefore the bindings have to be adjusted as they perform the calls to PolKit. 

This is the proposed step, which should bring it up to the right level of PolKit: 
--- a/core/polkitqt1-subject.cpp
+++ b/core/polkitqt1-subject.cpp
@@ -122,13 +122,13 @@ Subject Subject::fromString(const QString &string)
 UnixProcessSubject::UnixProcessSubject(qint64 pid)
         : Subject()
 {
-    setSubject(polkit_unix_process_new(pid));
+    setSubject(polkit_unix_process_new_for_owner(pid, 0, getuid ()));
 }

 UnixProcessSubject::UnixProcessSubject(qint64 pid, quint64 startTime)
         : Subject()
 {
-    setSubject(polkit_unix_process_new_full(pid, startTime));
+    setSubject(polkit_unix_process_new_for_owner(pid, startTime, getuid ()));
 }

 UnixProcessSubject::UnixProcessSubject(PolkitUnixProcess *pkUnixProcess)

However Martin Briza (from redhat and the author of the Qt bindings for polkit) is also looking at the issue at this moment. 

So, hopefully we get this sorted out today or latest tomorrow. As soon as Polkit-qt-1 is patched, I will create an update and submit it.
Comment 10 Sebastian Krahmer 2014-03-25 13:56:00 UTC
If getuid() is what you want. If thats a DBUS activation as root,
that grants everything. Is there something in KAuth that allows
for credential passing?
Comment 11 Hrvoje Senjan 2014-03-25 13:59:54 UTC
please just note that we do not have polkit-qt-1 enabled for Qt5. there is upstream support for it in a branch, but the libs, pc files, etc, are not renamed. 
until rename is done, it will not be submitted in the distribution, and also KAuth is basically ineffective.
if this is a major issue - then it would be more important to adjust polkit-qt-1 and kdelibs(4).
Comment 12 Raymond Wooninck 2014-03-25 15:05:31 UTC
@Sebastian,  

As far as I know getuid() gives me the user of the current process. The call to  PolkitQt1::UnixProcessSubject subject(pid) comes from within KAuth where KAuth tries to validate if the user/process is authorized to perform that action and return that value back to the calling program. So I am not sure how this would fit in a DBUS activation as root ? 

This would mean that the program is running under root and then KAuth will indicate that the user is authorized. I just followed the same approach as that Red Hat did for the spicy-gtk library, so I guess that I am missing the point. Or I am a little bit too naive. 

@Hrvoje. This issue came up when asking for a security review for smb4k, where Sebastian mentioned that KDE upstream is not following up on security issues. That is where I picked this up and tried to come up with an acceptable solution. The patch was reviewed (https://git.reviewboard.kde.org/r/117056/) and I got a Ship It! for it so that it gets fixed for KDE4
Comment 13 Hrvoje Senjan 2014-03-25 21:33:09 UTC
Created attachment 583670 [details]
poor man's patch

Sebastian, could you review this one?

Raymond correctly pointed out that KAuth uses polkit-qt as a backend, so i don't think that we need to change function names in KAuth/kdelibs
Comment 14 Sebastian Krahmer 2014-03-26 07:05:42 UTC
Thanks for your efforts.

I dont think using uid is the right way for the framework to check
authorizations.

Consider org.kde.fontinst.service DBUS service, that is activated
on behalf of users request as a root service. It will therefore run with uid 0,
even if triggered by user.
For now it is just using the pid of user requesting the service.
Thats racy and the thing we want to fix. Your patch proposal also
integrates the uid, but I fear thats the uid of the currently running
process (root == 0). From the small patch I cannot see where the
uid is coming from. If that would be the uid of the requesting user,
that would be fine (although not perfect if suid helpers request DBUS
services).

The preferred way is to use system-bus-name polkit authorization.
polkit-qt bindings seem to offer SystemBusNameSubject class already,
so is it possible to use that in KAuth rather than UnixProcess subjects?
Comment 15 Raymond Wooninck 2014-03-26 08:46:51 UTC
Sebastian, 

uid comes from the following routine:

qint64 UnixProcessSubject::uid() const
{
    return polkit_unix_user_get_uid((PolkitUnixUser *) subject());
}



At this moment KDE is undergoing a heavy transformation into the KDE Frameworks and maybe we can get the changes for KAuth done there. However this will not resolve the KDE4 stuff. Therefore we are trying to make just small changes in order to make things work. And lets be fair, this has been working for the last years without major concerns until you discovered the racy condition. So we are trying to accommodate this and using the new method to resolve the racy condition. I don't see this rewrite for KAuth happening for KDE4 and my assumption is that openSUSE stands alone in this and as openSUSE doesn't deliver any developer resources to KDE, I guess we have to wait until it becomes an issue within Fedora/Red Hat. So in my opinion we have the following choices:

1)  We leave things as it is and accept the racy condition for KDE 
2)  We adjust polkit-qt-1 to move away from the deprecated method and using the new one that prevents the racy condition, but is still PID based.
3)  Neither of the above is accepted, which would mean that KDE is a security risk and it is then up to the security team to decide whether or not KDE should be removed from Factory. 

Maybe black and white, but these are the choices I see at the moment for KDE4 in openSUSE. 

I will test Hrvoje's patch today to see if this one works as expected and then I will submit it for review to KDE Upstream. And this is the best that I can do at the moment.
Comment 16 Hrvoje Senjan 2014-03-26 09:18:26 UTC
(In reply to comment #14)
First, just to say that this is a patch for polkit-qt-1, based and slightly extended on Raymond's.

> Thats racy and the thing we want to fix. Your patch proposal also
> integrates the uid, but I fear thats the uid of the currently running
> process (root == 0). From the small patch I cannot see where the
> uid is coming from. If that would be the uid of the requesting user,
> that would be fine (although not perfect if suid helpers request DBUS
> services).
In reality, we have no SUID helpers in KDE - except for the kdeinit's OOM killer ;-) UID is the one of the requesting user - i've tested the patch, and from user perspective, things still operate as before - e.g. for killing other users processes in KSysGuard i need to enter root pass, also for changing clock, etc.


> The preferred way is to use system-bus-name polkit authorization.
> polkit-qt bindings seem to offer SystemBusNameSubject class already,
> so is it possible to use that in KAuth rather than UnixProcess subjects?
As Raymond pointed out, our chances for chaning the internals are more for the KAuth framework/polkiq-qt-1 based on Qt5, rather than in kdelibs4/Qt4 world...
Comment 17 Raymond Wooninck 2014-03-26 09:28:07 UTC
I also tested the patch locally and have the same result as Hrvoje.  The same behavior (requesting authorization for killing processes, change system clock, etc) as before the patch is there. So from that perspective, I believe we have the right one and resolved the issue with the racy condition.
Comment 18 Sebastian Krahmer 2014-03-26 10:34:10 UTC
@Raymond,

I see that uid comes via

return polkit_unix_user_get_uid((PolkitUnixUser *) subject());

my question is how is it constructed into the subject at the first place,
as it was originally a process subject and I doubt the uid will magically
appear by just type-casting it to a PolkitUnixUser *.

If thats taken from the unix socket credentials - thats OK.

If thats filled in by polkit libs itself since it reads
/proc/$pid/status when no uid is explicitely given on construction, then
its a NULL patch and we should not waste time making updates for it. :)

(Serious, I am not deep enough into KDE and QT to see immediately which of both
is the case, but I fear its the later.)

I wonder whether just using SystemBusNameSubject would be so
intrusive? I am sorry for playing the bad cop here but I am not
yet convinced that the patch makes sense.
Comment 19 Raymond Wooninck 2014-03-26 14:21:28 UTC
@Sebastian,

Unfortunately I am not a developer and I just manage to resolve some bug fixing, etc. So I am the wrong person to indicate that using SystemBusNameSubject is intrusive. It could mean that a part of KAuth has to be rewritten and the question is if there are resources available to do so as that almost everybody is working on getting KDE Frameworks 5 going. 

Do you have examples on how to use SystemBusNameSubject ??  Calls seem to be pretty similar to the UnixProcess one, but I am not sure what kind of parameter it requires. Can I make this equal to the name of the application that is requesting the authorization or does this needs to be a specific value ? e.g. Application has to register itself first on the SystemBus and then this name has to be used ? 

It would be great if you could assist me in this part and maybe together we can manage to rewrite KAuth. 

Thanks
Comment 20 Sebastian Krahmer 2014-03-31 08:20:45 UTC
The ideal case would be to ask the maintainer/author of KAuth,
because he should know best. Unfortunally security@kde is unresponsive,
and so is the KAuth author. :/

Maybe we can go ahead and getting help from polkit upstream.

Using SystemBusNameSubject requires to pass the sender (from dbus,
not the PID) as
an argument. I dont know where we can get that from in KAuth.
The callerID thats inside KAuth is also just the PID as a byte-array.
Seems like the whole KAuth is just based on the PID.

Maybe thats hard to backport it for existing
installs, but at least upcoming KDE should include a KAuth thats
using SystemBusNameSubject.

Thanks for your help. I will try harder to allocate ressources
to get that fixed in upcoming KDE versions.
Comment 21 Sebastian Krahmer 2014-03-31 08:25:13 UTC
Adding Will to Cc, maybe he has insight into hows it possible
in KDE to pass DBUS sender along into KAuth so it can be
used for authenticating requests.
Comment 22 Sebastian Krahmer 2014-03-31 09:03:39 UTC
Adding Dirk as well.
Comment 23 Raymond Wooninck 2014-03-31 09:10:07 UTC
@Sebastian,

Doesn't the openSUSE team within SuSE have their own KDE developer (Antonio Larrosa) ?  As far as I know when Will left the openSUSE team, a new developer was hired specifically to cover the KDE area. I guess he would be the right person from within SuSE.

Raymond
Comment 24 Sebastian Krahmer 2014-04-01 08:14:54 UTC
Added Antonio, maybe he can help.
Comment 25 Hrvoje Senjan 2014-07-14 18:11:03 UTC
Sebastian,
can we revisit the status of this? Missing DBus configuration is now starting to create some real problems with KF5 based desktop.

The deprecated polkit method in polkit-qt5 bindings has been updated to polkit_unix_process_new_for_owner.

Wrt SystemBusName, i have talked with de-facto maintainer of KDE's auth/polkit components, and he said that he didn't understand why would that be better than current solution. You can reach him at mbriza [at] redhat.com.
Comment 28 Raymond Wooninck 2014-07-15 14:15:21 UTC
@Sebastian,

It seems that this one is really becoming a blocker for delivering KDE for openSUSE. Crippling KDE with disabling KAuth is not the right approach as that would cause certain functionality to stop working or even break KDE itself. If this is the risk that SuSE want to take with SLE12, then this is up to the SLE maintainers. However I will not accept crippling KDE in such a way for openSUSE. 

So I guess that the Security team now really has to take the decision that they can accept something, that is accepted by all other distributions or that they want to continue the very strict policy (remember the words of Linus Torvald about the openSUSE security setups) and block this. 

In the latter, I will send delete requests for KDE to openSUSE:Factory and will blog that openSUSE has dropped official support for KDE in their distribution. We will then deliver KDE through other repositories on OBS for those users that still want to use KDE on openSUSE. 

In my opinion we have been discussing this issue already too long and a decision needs to be taken now as that we see that functionality is starting to fail. 

It would be a shame to see KDE disappear from the openSUSE distribution.

Raymond
Comment 29 Luca Beltrame 2014-07-15 14:43:17 UTC
> s the KDE folks was not responding to various mails from us

security@ko is not the right place to ask these questions. Either contact Martin Briza (see previous message from Hrvoje) or mail the Frameworks mailing list (kde-frameworks-devel@kde.org). These are the best places to contact upstream.

Nevertheless, this should not block KAuth from entering Factory. Not having this breaks several components needed for a basic desktop experience, including power management.
Comment 30 Marcus Meissner 2014-07-16 07:06:25 UTC
P0 is reserved. reduce sev/prio
Comment 31 Marcus Meissner 2014-07-16 07:09:38 UTC
Antonio?
Comment 32 Sebastian Krahmer 2014-07-16 07:46:25 UTC
I already contacted Martin Briza yesterday and I am looking into
the patches that were mentioned for qt5.
Comment 33 Sebastian Krahmer 2014-07-16 08:15:58 UTC
I just looked at the provided diffs and the same problem remains.
Using -1 as uid brings nothing, as it again looksup the UID via
/proc, which we want to avoid in the first place.

The problem in KAuth is that due to the layers there is no way
to determine who actually is trying to authenticate the polkit action.
The dbus sender is not available that should be used for this.
And getuid() might be misleading because its already running as root
due to DBUS activation on behalf of the user we want to authenticate.

I am sorry that the issue is stuck. We were not just contacting security@kde,
but also several developers and it was entirely silent. So its not
to blame us.

If I get an override from management to include the KAuth thats
actually not authenticating anything, I'll happily do that.
Comment 34 Luca Beltrame 2014-07-16 09:13:02 UTC
In KAuth, the action autentication is IIRC done by the helper KAuth is calling, not KAuth itself.

For a breakdown of how KAuth works, which may lead to an understanding of the issue:

https://techbase.kde.org/Development/Tutorials/KAuth/KAuth_Basics

As I said, KAuth is community-maintaned (no single maintainer). That's why I mentioned kde-frameworks-devel. Contacting individual developers is likely to be inefficient on this regard.
Comment 35 Luca Beltrame 2014-07-16 09:15:45 UTC
I correct my statement, KAuth is the one elevating privileges. (see the link and the "writing helpers" section)
Comment 36 Luca Beltrame 2014-07-16 09:21:27 UTC
Did you also try contacting Dario Freddi? Although he's not much involved in KDE nowadays, he's the original developer of this system.
Comment 37 Hrvoje Senjan 2014-07-16 11:03:05 UTC
(In reply to comment #33)
> The problem in KAuth is that due to the layers there is no way
> to determine who actually is trying to authenticate the polkit action.
> The dbus sender is not available that should be used for this.
> And getuid() might be misleading because its already running as root
> due to DBUS activation on behalf of the user we want to authenticate.

If the (potential) vulnerability is in case of SUID helpers, we can have this case closed. As i wrote somewhere above, Qt, since 5.3, aborts action if the Q*Application is SUID. Applications can explicitly override this, but i am happy to add a patch to our Qt5 packages that would also disallow even that.
Comment 38 Bruno Friedmann 2014-07-16 12:06:11 UTC
Adding myself as board watcher.
Comment 39 Ismail Dönmez 2014-07-16 12:19:13 UTC
To clear the confusion here. This is not about suid helpers. This is a possible root hole using KAuth. So a rogue app using KAuth could gain root privileges and this is due the way PID checking is done, which found to be racy.
Comment 40 Sebastian Krahmer 2014-07-16 13:29:16 UTC
If Dario is drf@, I mailed him about it on April 7th, Ccing to 2 other
ppl.
Comment 41 Sebastian Krahmer 2014-07-16 13:33:16 UTC
Two examples of vulnerable KDE services are:

 /usr/share/dbus-1/system-services/org.kde.fontinst.service or
 /usr/share/dbus-1/system-services/org.kde.kcontrol.kcmclock.service

which can be DBUs-activated by users to run as root and which use KAuth
to check whether this user would be allowed to do that action.
This check can by bypassed since process-subject, as used by KAuth, is
racy. Please refer to

CVE-2013-4288 and the followups CVE-2013-4311, CVE-2013-4324, CVE-2013-4325,
CVE-2013-4326 and CVE-2013-4327 which all fix exactly the same issue.
Comment 42 Luca Beltrame 2014-07-16 13:35:15 UTC
Please write to kde-frameworks-devel@kde.org then, so that the issue may reach people able to handle this. KAuth has no official maintainer, meaning that the responsibility of handling it is shared among all the people working on the KDE Frameworks.
Comment 43 Luca Beltrame 2014-07-16 13:38:05 UTC
Also, does one know how other distros such as Debian and Red Hat handled this?
Comment 44 Sebastian Krahmer 2014-07-16 14:01:36 UTC
I am tired of reaching-out to the KDE folks again and again
explaining the issue the 42nd time to them. Can you do the short
path of telling them about this bug#, as you seem to be member of
the KDE team anyway?

This issue has been reported to other distros via the OSS-sec
list but did not found major ack. Thats probably b/c of a missing
PoC. In such cases nobody sees the severity because its 'theoretical'.
Comment 45 Raymond Wooninck 2014-07-16 14:09:53 UTC
@sebastian, @Ismail,

Are we trying to make openSUSE into SLE here ??  Or are we trying to make the most secure distribution that nobody is able to use anymore due to all kind of security enhancements. Remember that in the eyes of many people SUSE already has the label of being the distribution that is kinda paranoid about security. Remember the flames by Linus Torvald ???

It seems also that this discussion is going around and around as that Sebastian is coming up again with the racy stuff in KAuth, despite that Martin Briza already indicated that this was resolved by moving to the the new polkit methods that were actually even coming sebastian, so if those are still racy then I don't know anymore but to believe we are on a witch hunt to get KDE kicked out from SLE and openSUSE. 

Other distributions like Fedora, etc do not seem to have any issues with the current situation as that they are using the code as it is being delivered from KDE upstream. 

At this moment, I really feel like just sending out the message to the whole world indicating that openSUSE will no longer deliver KDE due to the enhanced security setup and that the KAuth methodology doesn'f it in there. 

Raymond
Comment 46 Luca Beltrame 2014-07-16 14:17:13 UTC
Issue raised on kde-frameworks-devel: http://lists.kde.org/?l=kde-frameworks-devel&m=140552012224337&w=2
Comment 47 Sebastian Krahmer 2014-07-16 14:39:19 UTC
Raymond,

I am sorry you have such bad feelings against our sec-team but we are
just trying to get a real solution to this problem. We wont add
placebo-security fixes just so that everybody feels happy and honestly
I dont mind what Linus or other distros would think about it.

Due to KAuth layered lasagne-software, this is not just a one-line fix.

I hope recent posting will accelerate this. If you are in Berlin
one day I'll invite you to a beer to forget about all the hassle.
Its not that we dont honor or respect your work but we want to get
the KDE stuff sorted before its checked in.
Comment 48 Luca Beltrame 2014-07-16 14:46:29 UTC
I'm going through this on IRC, at least someone is looking at the code. I'll keep you posted.
Comment 49 Luca Beltrame 2014-07-16 14:47:55 UTC
And @Sebastian: the design of KAuth may not be the best, but as a Framework it supports also OSX and (perhaps in the future) Windows, so some abstraction is necessary (this of course doesn't mean it has no flaws). This is not a criticism, but helps in putthing things in context.
Comment 50 Luca Beltrame 2014-07-16 15:53:10 UTC
Currently testing patches that use SystemBusNameSubject. Will report back once finished.
Comment 51 Luca Beltrame 2014-07-16 15:59:40 UTC
Created attachment 598877 [details]
Patch to KAuth

Patch by Martin Sandsmark from KDE. Is this what is needed?
Comment 52 Ismail Dönmez 2014-07-16 18:09:59 UTC
(In reply to comment #51)
> Created an attachment (id=598877) [details]
> Patch to KAuth
> 
> Patch by Martin Sandsmark from KDE. Is this what is needed?

Patch looks right but I am not an expert. NEEDINFO for Sebastian. Also could you please test the patched kdelibs and make sure systemsettings->clock still works as expected? Thanks a lot!
Comment 53 Hrvoje Senjan 2014-07-16 18:32:05 UTC
The patch works with KAuth. (iow consumers do correctly authenticate, execute actions, etc)
I am not a fan of patching kdelibs4 though, unless *really* necessary
Comment 54 Luca Beltrame 2014-07-16 18:48:08 UTC
I rebased the patch on kdelibs as well (the previous one was for KDE Frameworks 5). We'll be testing it while awaiting Sebastian's assessment.
Comment 55 Hrvoje Senjan 2014-07-17 05:44:37 UTC
Created attachment 598930 [details]
Patch to KAuth v.2

Updated patch, was one more place with PID usage
Comment 56 Hrvoje Senjan 2014-07-17 05:45:56 UTC
Created attachment 598931 [details]
kdelibs4 patch

Patch for kdelibs4 (just a line/dir replace, otherwise is the same)
Comment 57 Luca Beltrame 2014-07-17 08:16:46 UTC
@Ismail: From a functional point of view, the patch works in both the KF5 and the kdelibs 4.x versions (tested: backlight helper for PM init, ksysguard process helper, date and time helper).

All that's left to know if it addresses the security concerns.
Comment 58 Ismail Dönmez 2014-07-17 08:24:47 UTC
(In reply to comment #57)
> @Ismail: From a functional point of view, the patch works in both the KF5 and
> the kdelibs 4.x versions (tested: backlight helper for PM init, ksysguard
> process helper, date and time helper).

Thanks a lot for handling this. A crippled KDE means a black eye for openSUSE and SLE, for which we never wanted to cripple it in the first place.

> All that's left to know if it addresses the security concerns.

As soon as Sebastian approves we can proceed. I'll handle the SLE side obviously.
Comment 59 Marcus Meissner 2014-07-17 15:27:23 UTC
Sebastian is not present on Thursday and Friday. 

I am not so familar with kauth/polkit.

Not sure if it is correct, we match the system busname (?) and not client identifiers?

Luca, did you also do negative checks? like testing that stuff corrctly gets forbidden or admin dialog popups?
Comment 60 Luca Beltrame 2014-07-17 15:33:48 UTC
I tried:

- non-interactive helpers (backlight, where no password is requested)
- interactive helpers (ksysguard + clock): in this case the authorization dialog pops up and requests the root password. 

Canceling or inserting the wrong password does not execute the action (as expected).
Comment 61 Luca Beltrame 2014-07-17 15:36:26 UTC
@Marcus http://www.freedesktop.org/software/polkit/docs/latest/PolkitSystemBusName.html

Basically it uses DBus, to my understanding, to get the process instead of using the PID, which is open to race conditions (the objection raised by Sebastian).
Comment 62 Luca Beltrame 2014-07-17 15:41:36 UTC
I made a further negative test with multiple wrong passwords: as expected, the actions refuse to be executed and errors are displayed (I also checked that the action - increase clock time by 1 min - was not actually done).
Comment 63 Marcus Meissner 2014-07-17 16:14:20 UTC
Thanks for doing this!

I think we are probably good for approval and I will do that.

Sebastian might have comments when he is back on Monday.
Comment 64 Hrvoje Senjan 2014-07-17 16:46:23 UTC
(In reply to comment #59)
> Sebastian is not present on Thursday and Friday. 
> 
> I am not so familar with kauth/polkit.
> 
> Not sure if it is correct, we match the system busname (?) and not client
> identifiers?
> 
> Luca, did you also do negative checks? like testing that stuff corrctly gets
> forbidden or admin dialog popups?

In case of successful authentication, one now gets e.g.:

polkitd[22395]: 06:46:24.368: Operator of unix-session:59 successfully authenticated as unix-user:root to gain ONE-SHOT authorization for action org.kde.ksysguard.processlisthelper.sendsignal for system-bus-name::1.3728 [/usr/bin/systemmonitor] (owned by unix-user:hrvoje)

in case of failure:
polkitd[22395]: Operator of unix-session:59 FAILED to authenticate to gain authorization for action org.kde.ksysguard.processlisthelper.sendsignal for system-bus-name::1.3885 [/usr/bin/systemmonitor] (owned by unix-user:hrvoje)

So this indeed looks like the procedure that was asked for ;-)

(In reply to comment #63)
> I think we are probably good for approval and I will do that
Many thanks for resolving this! (also to others involved!)
Comment 65 Bernhard Wiedemann 2014-07-17 17:00:58 UTC
This is an autogenerated message for OBS integration:
This bug (864716) was mentioned in
https://build.opensuse.org/request/show/241367 Factory / rpmlint
Comment 66 Bernhard Wiedemann 2014-07-18 09:01:11 UTC
This is an autogenerated message for OBS integration:
This bug (864716) was mentioned in
https://build.opensuse.org/request/show/241428 Factory / kauth
Comment 67 Sebastian Krahmer 2014-07-21 07:55:53 UTC
Ok, this one looks much better!

I am not KDE expert but the patch looks as this subject indeed
is the race-free object bound to the DBUS originator of the request.


Ismail, can we revert recent SLE12 FAKE patch to be substituted by this?
Comment 68 Sebastian Krahmer 2014-07-21 07:57:01 UTC
I hope the patch covers all necessary subject-based code in Kauth.
Comment 69 Luca Beltrame 2014-07-21 08:05:27 UTC
This patch went through code review upstream (which prompted the generation of the v2 patch) as well, along with some direct (on IRC) discussion with the person who wrote the initial version.

Sebastian, if you do not have further objections let us know: I'll tell upstream to merge this in stable and development branches (so that everyone benefits from this security review).
Comment 70 Sebastian Krahmer 2014-07-21 08:19:07 UTC
I just requested a CVE and Cc'ed oss-sec so other distributors can
also benefit from our hard work.
Comment 71 Ismail Dönmez 2014-07-21 09:15:19 UTC
SLE part was checked in last Friday. Thanks for all those involved!
Comment 72 Luca Beltrame 2014-07-21 21:34:30 UTC
FYI, the patch has been merged upstream for both 4.13, 4.14 and KF5.
Comment 73 Hrvoje Senjan 2014-07-21 21:57:55 UTC
(In reply to comment #72)
> FYI, the patch has been merged upstream for both 4.13, 4.14 and KF5.

once we get CVE, i'll start maintenance sr's for 12.3 and 13.1.

this one can be closed now though
Comment 75 Sebastian Krahmer 2014-07-23 07:53:10 UTC
CVE-2014-5033
Comment 76 Bernhard Wiedemann 2014-07-25 23:00:36 UTC
This is an autogenerated message for OBS integration:
This bug (864716) was mentioned in
https://build.opensuse.org/request/show/242441 13.1 / kdelibs4-apidocs+kdelibs4+kdebase4-workspace
Comment 77 Swamp Workflow Management 2014-08-11 08:09:35 UTC
openSUSE-SU-2014:0981-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 819437,864716
CVE References: CVE-2014-5033
Sources used:
openSUSE 13.1 (src):    kdebase4-workspace-4.11.11-115.3, kdelibs4-4.11.5-484.1, kdelibs4-apidocs-4.11.5-484.1