Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Mon, 24 Mar 2014 10:27:23 +0100
From: Sebastian Krahmer <>
Subject: KAuth security issues

I sent this to last week and to some KDE
developers one more week ago. No response so far, so here we go.




I sent this mail to the KAuth author a week ago. So far no reply, so
I am trying it here again.

When I looked at the KAuth framework it seems like it is using

PolkitQt1::UnixProcessSubject subject(pid)

(i.e. unix process subjects) for the polkit auth, which is always racy.
Please refer to:

CVE-2013-4288 polkit: unix-process subject for authorization is racy
CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
CVE-2013-4325 hplip: use of insecure polkit DBUS API
CVE-2013-4326 rtkit: use of insecure polkit DBUS API
CVE-2013-4327 systemd: use of insecure polkit DBUS API

which were using exactly this vulnerable way of authenticating
via polkit.

The bug is semi-public:

A non-racy way would be to use system-bus subject for authentication.
(Yet I don't know how this fits in the KAuth API.)
Nevertheless, something needs to be done, as basically
the KAuth authentication is non-existent if using process subjects.



~ perl
~ $_='print"\$_=\47$_\47;eval"';eval
~ - SuSE Security Team

----- End forwarded message -----


~ perl
~ $_='print"\$_=\47$_\47;eval"';eval
~ - SuSE Security Team
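The mail above says that a unix-process subject is "always racy" and that a system-bus-name subject is not, without spelling out the mechanism. The following is an added example, not code from the mail, from KAuth or from polkit: a small C++ model of the two subject kinds as seen from the authority's side. The process table, pids, start times, bus name ":1.57" and the "root only" policy are constructed for the illustration. A unix-process subject carries a pid (and, in polkit, the process start time) and the authority resolves the caller's uid from /proc only when the check runs; a bus-name subject resolves to credentials the bus daemon recorded from the socket when the connection was accepted, which the caller cannot change afterwards.

```cpp
// Added example: model of polkit's two subject kinds and the check-time race.
// Not polkit or KAuth code; the process table stands in for /proc.
#include <cstdio>
#include <map>
#include <string>

// Constructed process table: pid -> {start time, uid}.
struct Proc { unsigned long start_time; unsigned uid; };
static std::map<int, Proc> g_procs;

// unix-process subject: the caller is identified by pid plus process start
// time; its uid is looked up in /proc only when the authority checks.
struct UnixProcessSubject { int pid; unsigned long start_time; };

// system-bus-name subject: the bus daemon recorded the peer's credentials
// (SO_PEERCRED) when the connection was accepted; they cannot change later.
struct SystemBusNameSubject { std::string name; unsigned uid_at_connect; };

// Assumed policy for the action under test: only uid 0 is authorized.
static const unsigned PRIVILEGED_UID = 0;

// Authority-side check for a unix-process subject (time-of-check lookup).
bool authorized_unix_process(const UnixProcessSubject& s) {
    auto it = g_procs.find(s.pid);
    if (it == g_procs.end()) return false;                    // process gone
    if (it->second.start_time != s.start_time) return false;  // pid reused
    return it->second.uid == PRIVILEGED_UID;
}

// Authority-side check for a bus-name subject (credentials fixed at connect).
bool authorized_system_bus_name(const SystemBusNameSubject& s) {
    return s.uid_at_connect == PRIVILEGED_UID;
}

struct Outcome { bool unix_process; bool bus_name; };

// Scenario 1: an unprivileged caller (uid 1000) sends the request, then
// execs a setuid-root binary before the authority performs its lookup.
// exec keeps both the pid and the process start time, so the
// pid+start-time pairing does not detect the change.
Outcome scenario_setuid_exec() {
    g_procs.clear();
    g_procs[4242] = {100200, 1000};
    UnixProcessSubject up{4242, g_procs[4242].start_time};
    SystemBusNameSubject bn{":1.57", g_procs[4242].uid};
    g_procs[4242].uid = 0;  // credentials changed after the request was sent
    return {authorized_unix_process(up), authorized_system_bus_name(bn)};
}

// Scenario 2: the caller exits and a root-owned process is later started
// with the same pid. The start time differs, so this case is caught.
Outcome scenario_pid_reuse() {
    g_procs.clear();
    g_procs[4242] = {100200, 1000};
    UnixProcessSubject up{4242, g_procs[4242].start_time};
    SystemBusNameSubject bn{":1.57", g_procs[4242].uid};
    g_procs.erase(4242);
    g_procs[4242] = {100900, 0};
    return {authorized_unix_process(up), authorized_system_bus_name(bn)};
}

int main() {
    Outcome a = scenario_setuid_exec();
    std::printf("setuid exec: unix-process=%d bus-name=%d\n",
                a.unix_process, a.bus_name);
    Outcome b = scenario_pid_reuse();
    std::printf("pid reuse:   unix-process=%d bus-name=%d\n",
                b.unix_process, b.bus_name);
    return 0;
}
```

The first scenario is the one the cited CVEs are about: the start-time check only protects against pid reuse, not against the same process changing its credentials between request and check. The bus-name subject is only as stable as its resolution; the authority has to take the uid from the bus daemon's recorded credentials rather than re-deriving it from the pid via /proc, otherwise the same race returns.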
