Message-Id: <201407222100.s6ML068N029428@linus.mitre.org>
Date: Tue, 22 Jul 2014 17:00:06 -0400 (EDT)
From: cve-assign@...re.org
To: krahmer@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-Request: KAuth authentication bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugzilla.novell.com/show_bug.cgi?id=864716

This was previously discussed in, for example:

  http://openwall.com/lists/oss-security/2014/04/03/1

but apparently nobody responded to our question then. It would have
been useful for your new CVE request to have included a pointer back
to the earlier discussion here about exactly the same
bugzilla.novell.com bug number.

We understand that a patch now exists (one did not exist at the time
of the previous discussion).

We also understand that org.kde.fontinst.service and
org.kde.kcontrol.kcmclock.service have been mentioned as examples of
services that can be attacked on systems without the patch.


Can you confirm that you are asking for a CVE ID for the KAuth
product, not the "PolicyKit Library Qt Bindings" product?

Should there also be a separate CVE ID for

  https://bugzilla.novell.com/show_bug.cgi?id=864716#c25

  "The deprecated polkit method in polkit-qt5 bindings has been
   updated to polkit_unix_process_new_for_owner."

?

Should there also be a separate CVE ID for

  https://bugzilla.novell.com/show_bug.cgi?id=864716#c37

  "Qt, since 5.3, aborts action if the Q*Application is SUID."

?

(This may be a largely unrelated issue, but perhaps "Qt before 5.3
proceeds with an action even if the Q*Application is SUID" is an
implied vulnerability report.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTztBxAAoJEKllVAevmvms8hYH/163QCQpWJS884zElop5AcaZ
2c9zQOJUNgD7LZX/8wZmjQe/FllyKN5kLOSroxHyP3gINwMFgPPtxzGYuiZCy55H
Z/Ncm+/gQI2tF5GSVfOBPYV9r93bNHwxy+gVCCMH4sODCbImiZn0+Pec0ZbuiJs3
6nHbnTZmUCWnQ8XgDgtWlzh72P6HjVXCHwvVczw+IXYpSeXmm6qKkx+Co+ueNWgN
1v30E/TKUbqlZ9nO9i3AkeTJD1D93lsysqLH+XW8GOt19TO/hW40VDGGc7ZH9srB
KixViBvTCJKRL4bkKFVwB9NrTIw8CJzgNTIlI5J3TQlJOLNHeiI6GLxVo1gQWe4=
=ZJrr
-----END PGP SIGNATURE-----
