Date: Thu, 3 Apr 2014 00:24:16 -0400 (EDT) From: cve-assign@...re.org To: krahmer@...e.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: KAuth security issues -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It seems that, from the current https://bugzilla.novell.com/show_bug.cgi?id=864716 progress, this issue is not yet fixed, but possibly the primary affected "product" has been established. Two different products have been discussed: 1. KAuth 2. PolicyKit Library Qt Bindings (aka polkit-qt-1) The discussion seems to suggest that the issue can't be properly fixed by changing only polkit-qt-1, and letting KAuth continue to use polkit-qt-1 in exactly the current way. Thus, the issue apparently should be considered a KAuth vulnerability, not a polkit-qt-1 vulnerability. Also, based on the information provided in the http://www.openwall.com/lists/oss-security/2013/09/18/6 post, a separate CVE ID is needed, not CVE-2013-4288. Finally, there is apparently only one underlying problem in KAuth. The problem is restated in https://bugzilla.novell.com/show_bug.cgi?id=864716#c14 with an example, i.e., Consider org.kde.fontinst.service DBUS service, that is activated on behalf of users request as a root service. It will therefore run with uid 0, even if triggered by user. For now it is just using the pid of user requesting the service. Thats racy and the thing we want to fix. but this seems equivalent to the original problem statement in the http://www.openwall.com/lists/oss-security/2014/03/24/2 post. So, would it be best to assign one CVE ID now, even though the final approach to fixing the vulnerability is unknown? - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTPOH3AAoJEKllVAevmvmsoc4H/iAjcWjMCeRNAAcgMu9uCOyC rY7Se/TLWr3IswLAhB0W9ypyPkkO/vlO0lBocnoK5dzHCXhQK+SyqTUwcIBIeEsf mhNH+NTY6ezYDjBq/l++HZtx4ATbGhgSQq/RRzduAFBDJ/fX72Yk8zkKLqVUBjUi oUdEq0LyGzzs17094vgFUy4f5JpCXX4/5CjXJgMpQmTWz3DiA3heE1HS/CmJOWiq 3lxpX5zgdvsHOeK94KFFnnMdNs74h9KNYu89CWZn1/KOl8Ty5rvBterPOrlEHzb1 D4cnhxtMBBDFjmQpSpEIDJMv3rHTVg6oD8wb0SjpVCI/K8Ntyoc1FsjCN3cinzc= =WB0D -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ