Date: Tue, 03 Apr 2012 21:07:59 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>
Subject: Re: CVE request: privilege escalation in sectool

On 04/03/2012 04:54 PM, Vincent Danen wrote:
> Colin Guthrie reported that sectool would elevate user privileges when
> it was installed on a system, due to an incorrect DBus file
> (specifically org.fedoraproject.sectool.mechanism.conf). This could
> allow a user with no additional privileges to elevate theirs (for
> instance to restart a service they would not normally have permission to
> restart).
>
> Further details are in the bug, and a patch is available:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=809437
> http://pkgs.fedoraproject.org/gitweb/?p=sectool.git;a=blob;f=sectool-0.9.5-dbus.patch;h=aedb3ef7f7e5ab22d5438bfb7eee63489ccf3244;hb=4859832281f0e08c6fbe48fc252c4199a0e9e322
>
> Since this was reported and committed publicly, I'm requesting a CVE in
> case one has already been assigned.
>
> Thanks.
>

Please use CVE-2012-1615 for this issue.

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)