Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 28 Oct 2015 11:42:18 +0100
From: Sebastian Krahmer <>
Subject: csd-datetime forgets to authorize users


The csd-datetime-setting SetDate DBUS function apparently forgets
to check the polkit authorization for the caller. Unlike SetTime.
At least I couldnt find any restriction that its not callable by

Bug and patch proposal is here:

I am not big fan of calling binaries from inside DBUS functions, but
seems to be state of the art in desktop programming and doesnt
look exploitable. Yet, w/o authorization you may run into vulnerabilities
like the sudo time-ticket stuff.

csd seems to be fork of gnome-settings-daemon but to my knowledge
they dont offer a set_date(), at least in the version I looked at.
So this issue seems to be introduced by csd itself.

If upstream (cc) confirms, can someone please assign a CVE?



~ perl
~ $_='print"\$_=\47$_\47;eval"';eval
~ - SuSE Security Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ