Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 3 Apr 2014 00:24:16 -0400 (EDT)
From: cve-assign@...re.org
To: krahmer@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: KAuth security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It seems that, from the current
https://bugzilla.novell.com/show_bug.cgi?id=864716 progress, this
issue is not yet fixed, but possibly the primary affected "product"
has been established.

Two different products have been discussed:

1. KAuth
2. PolicyKit Library Qt Bindings (aka polkit-qt-1)

The discussion seems to suggest that the issue can't be properly fixed
by changing only polkit-qt-1, and letting KAuth continue to use
polkit-qt-1 in exactly the current way. Thus, the issue apparently
should be considered a KAuth vulnerability, not a polkit-qt-1
vulnerability.

Also, based on the information provided in the
http://www.openwall.com/lists/oss-security/2013/09/18/6 post, a
separate CVE ID is needed, not CVE-2013-4288.

Finally, there is apparently only one underlying problem in KAuth. The
problem is restated in
https://bugzilla.novell.com/show_bug.cgi?id=864716#c14 with an
example, i.e.,

  Consider org.kde.fontinst.service DBUS service, that is activated on
  behalf of users request as a root service. It will therefore run with
  uid 0, even if triggered by user. For now it is just using the pid of
  user requesting the service. Thats racy and the thing we want to fix.

but this seems equivalent to the original problem statement in the
http://www.openwall.com/lists/oss-security/2014/03/24/2 post.

So, would it be best to assign one CVE ID now, even though the final
approach to fixing the vulnerability is unknown?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTPOH3AAoJEKllVAevmvmsoc4H/iAjcWjMCeRNAAcgMu9uCOyC
rY7Se/TLWr3IswLAhB0W9ypyPkkO/vlO0lBocnoK5dzHCXhQK+SyqTUwcIBIeEsf
mhNH+NTY6ezYDjBq/l++HZtx4ATbGhgSQq/RRzduAFBDJ/fX72Yk8zkKLqVUBjUi
oUdEq0LyGzzs17094vgFUy4f5JpCXX4/5CjXJgMpQmTWz3DiA3heE1HS/CmJOWiq
3lxpX5zgdvsHOeK94KFFnnMdNs74h9KNYu89CWZn1/KOl8Ty5rvBterPOrlEHzb1
D4cnhxtMBBDFjmQpSpEIDJMv3rHTVg6oD8wb0SjpVCI/K8Ntyoc1FsjCN3cinzc=
=WB0D
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ