Date: Wed, 26 Mar 2014 08:10:53 +0100
From: Sebastian Krahmer <krahmer@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: KAuth security issues

I love to talk to myself, in particular via mailing lists.
This issue seems to be addressed meanwhile via

https://git.reviewboard.kde.org/r/117056/

by fixing the underlying polkit qt binding. I think that will also
affect the recently seen smb4k issue, as it is using KAuth too.

Sebastian

On Mon, Mar 24, 2014 at 10:27:23AM +0100, Sebastian Krahmer wrote:
> 
> I sent this to security@....org last week and to some KDE
> developers one more week ago. No response so far, so here we go.
> 
> regards,
> Sebastian
> 
> --------8<--------------------
> 
> Hi
> 
> I sent this mail to the KAuth author a week ago. So far no reply, so
> I am trying it here again.
> 
> When I looked at the KAuth framework it seems like it is using
> 
> PolkitQt1::UnixProcessSubject subject(pid)
> 
> (i.e. unix process subjects) for the polkit auth, which is always racy.
> Please refer to:
> 
> CVE-2013-4288 polkit: unix-process subject for authorization is racy
> CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
> CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
> CVE-2013-4325 hplip: use of insecure polkit DBUS API
> CVE-2013-4326 rtkit: use of insecure polkit DBUS API
> CVE-2013-4327 systemd: use of insecure polkit DBUS API
> 
> which were using exactly this vulnerable way of authenticating
> via polkit.
> 
> The bug is semi-public:
> 
> https://bugzilla.novell.com/show_bug.cgi?id=864716
> 
> A non-racy way would be to use system-bus subject for authentication.
> (Yet I don't know how this fits in the KAuth API).
> Nevertheless, something needs to be done, as basically
> the KAuth authentication is non-existent if using process subjects.
> 
> regards,
> Sebastian
> 
> -- 
> 
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer@...e.de - SuSE Security Team
> 
> ----- End forwarded message -----
> 
> -- 
> 
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer@...e.de - SuSE Security Team

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team
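
The difference between the two subject kinds named in the forwarded message, as an added toy model in C++ (not KAuth, polkit-qt or polkit code, and not written by the poster). Every type and function name, pid 4242 and the uids are constructed; the identity change before the check stands in for the race recorded as CVE-2013-4288.

```cpp
// Simplified model of why a unix-process subject is racy and a
// system-bus-name subject is not. All names and values are constructed.
#include <cstdio>
#include <map>
#include <string>

using Uid = unsigned;
constexpr Uid kAdminUid = 0;  // constructed policy: only uid 0 is authorized

// Kernel view: the uid a pid has *now*. It may differ from the uid the
// pid had when the request was sent.
struct ProcessTable {
    std::map<int, Uid> uidOfPid;
    Uid lookup(int pid) const { return uidOfPid.at(pid); }
};

// Bus view: credentials are recorded once, at connection setup, and stay
// bound to the connection's unique name for its lifetime.
struct Bus {
    std::map<std::string, Uid> uidOfName;
    std::string connect(int pid, const ProcessTable &pt) {
        std::string name = ":1." + std::to_string(uidOfName.size() + 1);
        uidOfName[name] = pt.lookup(pid);
        return name;
    }
};

struct Request { int senderPid; std::string senderName; };

// Racy: the pid is resolved to a uid at check time, not at request time.
bool authorizeByProcess(const Request &r, const ProcessTable &pt) {
    return pt.lookup(r.senderPid) == kAdminUid;
}
// Non-racy: the decision uses the credentials bound to the connection.
bool authorizeByBusName(const Request &r, const Bus &bus) {
    return bus.uidOfName.at(r.senderName) == kAdminUid;
}

struct Outcome { bool byProcess; bool byBusName; };

// An unprivileged caller (uid 1000) sends a request; optionally the
// identity behind its pid changes before the helper runs the check.
Outcome simulate(bool identityChangesBeforeCheck) {
    ProcessTable pt;
    Bus bus;
    pt.uidOfPid[4242] = 1000;
    Request req{4242, bus.connect(4242, pt)};
    if (identityChangesBeforeCheck) pt.uidOfPid[4242] = kAdminUid;
    return {authorizeByProcess(req, pt), authorizeByBusName(req, bus)};
}
int main() { Outcome o = simulate(true); std::printf("%d %d\n", o.byProcess, o.byBusName); }
```
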
