Date: Tue, 03 Apr 2012 21:07:59 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Vincent Danen <vdanen@...hat.com> Subject: Re: CVE request: privilege escalation in sectool On 04/03/2012 04:54 PM, Vincent Danen wrote: > Colin Guthrie reported that sectool would elevate user privileges when > it was installed on a system, due to an incorrect DBus file > (specifically org.fedoraproject.sectool.mechanism.conf). This could > allow a user with no additional privileges to elevate theirs (for > instance to restart a service they would not normally have permission to > restart). > > Further details are in the bug, and a patch is available: > > https://bugzilla.redhat.com/show_bug.cgi?id=809437 > http://pkgs.fedoraproject.org/gitweb/?p=sectool.git;a=blob;f=sectool-0.9.5-dbus.patch;h=aedb3ef7f7e5ab22d5438bfb7eee63489ccf3244;hb=4859832281f0e08c6fbe48fc252c4199a0e9e322 > > > Since this was reported and committed publicly, I'm requesting a CVE in > case one has already been assigned. > > Thanks. > Please use CVE-2012-1615 for this issue. -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.