Date: Wed, 26 Mar 2014 08:10:53 +0100
From: Sebastian Krahmer <krahmer@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: KAuth security issues

I love to talk to myself, in particular via mailing lists.

This issue seems to be addressed meanwhile via

https://git.reviewboard.kde.org/r/117056/

by fixing the underlying polkit qt binding. I think that will also
affect the recently seen smb4k issue, as it is using KAuth too.

Sebastian

On Mon, Mar 24, 2014 at 10:27:23AM +0100, Sebastian Krahmer wrote:
>
> I sent this to security@....org last week and to some KDE
> developers one more week ago. No response so far, so here we go.
>
> regards,
> Sebastian
>
> --------8<--------------------
>
> Hi
>
> I sent this mail to the KAuth author a week ago. So far no reply, so
> I am trying it here again.
>
> When I looked at the KAuth framework it seems like it is using
>
> PolkitQt1::UnixProcessSubject subject(pid)
>
> (i.e. unix process subjects) for the polkit auth, which is always racy.
> Please refer to:
>
> CVE-2013-4288 polkit: unix-process subject for authorization is racy
> CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
> CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
> CVE-2013-4325 hplip: use of insecure polkit DBUS API
> CVE-2013-4326 rtkit: use of insecure polkit DBUS API
> CVE-2013-4327 systemd: use of insecure polkit DBUS API
>
> which were using exactly this vulnerable way of authenticating
> via polkit.
>
> The bug is semi-public:
>
> https://bugzilla.novell.com/show_bug.cgi?id=864716
>
> A non-racy way would be to use system-bus subject for authentication.
> (Yet I don't know how this fits in the KAuth API).
> Nevertheless, something needs to be done, as basically
> the KAuth authentication is non-existing if using process subjects.
>
> regards,
> Sebastian
>
> --
>
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer@...e.de - SuSE Security Team
>
> ----- End forwarded message -----
>
> --
>
> ~ perl self.pl
> ~ $_='print"\$_=\47$_\47;eval"';eval
> ~ krahmer@...e.de - SuSE Security Team

--

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team
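
An added example, not part of the thread and not KAuth or polkit-qt code: a small source scanner a reviewer could run over a code base to find the unix-process polkit subject the mail calls racy, together with the bus-name subject to review as its replacement. Only `PolkitQt1::UnixProcessSubject` is quoted in the mail; the other names are taken from the polkit-qt-1, libpolkit-gobject and polkit D-Bus APIs, and the sample input (including `callerBusName`) is constructed.

```python
import re

# Racy unix-process subject spellings and the bus-name form to review instead.
# The first entry is the call quoted in the mail; the other two are the
# libpolkit-gobject and D-Bus spellings behind the "libgobject API" and
# "DBUS API" CVE titles. The *_for_owner variant, where the caller passes
# the uid, is deliberately left out.
RACY_SUBJECTS = [
    (re.compile(r"\b(?:PolkitQt1::)?UnixProcessSubject\b"),
     "PolkitQt1::SystemBusNameSubject"),
    (re.compile(r"\bpolkit_unix_process_new(?:_full)?\b"),
     "polkit_system_bus_name_new"),
    (re.compile(r"""["']unix-process["']"""), '"system-bus-name"'),
]

# Constructed sample source, for illustration only.
SAMPLE = '''\
// old code used UnixProcessSubject here
PolkitQt1::UnixProcessSubject subject(pid);
PolkitSubject *s = polkit_unix_process_new(pid);
PolkitQt1::SystemBusNameSubject ok(callerBusName);
subject_kind = "unix-process";
'''


def find_racy_subjects(source):
    """Return (line_number, matched_text, suggested_replacement) per finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # Skip whole-line // comments only; trailing comments are still
        # scanned, since a false positive costs less than a missed call.
        if line.lstrip().startswith("//"):
            continue
        for pattern, replacement in RACY_SUBJECTS:
            for match in pattern.finditer(line):
                findings.append((lineno, match.group(0), replacement))
    return findings


if __name__ == "__main__":
    for lineno, found, replacement in find_racy_subjects(SAMPLE):
        print(f"line {lineno}: {found} -> review, consider {replacement}")
```
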