Date: Wed, 28 Oct 2015 11:42:18 +0100
From: Sebastian Krahmer <krahmer@...e.com>
To: oss-security@...ts.openwall.com
Cc: clement.lefebvre@...uxmint.com
Subject: csd-datetime forgets to authorize users


Hi

The csd-datetime-setting SetDate DBUS function apparently forgets
to check the polkit authorization for the caller. Unlike SetTime.
At least I couldn't find any restriction that it's not callable by
users.

Bug and patch proposal is here:

https://bugzilla.suse.com/show_bug.cgi?id=951830


I am not a big fan of calling binaries from inside DBUS functions, but
it seems to be state of the art in desktop programming and doesn't
look exploitable. Yet, w/o authorization you may run into vulnerabilities
like the sudo time-ticket stuff.

csd seems to be a fork of gnome-settings-daemon but to my knowledge
they don't offer a set_date(), at least in the version I looked at.
So this issue seems to be introduced by csd itself.

If upstream (cc) confirms, can someone please assign a CVE?

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.com - SuSE Security Team
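The bug class described in the report above is a privileged D-Bus method that a sibling method (SetTime) protects with polkit but the new one (SetDate) does not. The following is an added illustration written for this list archive, not code from csd or gnome-settings-daemon. It models the defensive pattern that prevents the class of bug: every exported method must declare the polkit action it requires, registration fails closed when one is missing, and the dispatcher performs the check itself rather than trusting each handler to remember. The polkit authority is replaced by a constructed in-memory policy table, and the action ids `org.example.datetime.set-time` / `org.example.datetime.set-date` are hypothetical placeholders, not csd's real ones.

```python
"""Model of a D-Bus service whose exported methods must declare a polkit
action before they can be dispatched (added illustration, not csd code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


class NotAuthorized(PermissionError):
    """Raised when the caller is not authorized for the method's action."""


@dataclass
class Caller:
    """Minimal stand-in for the D-Bus sender identity (constructed)."""
    name: str
    uid: int


# Stand-in for polkit's CheckAuthorization: a constructed policy table that
# maps a (hypothetical) action id to the uids allowed to perform it.
# Root is always allowed, matching the usual admin-only default.
POLICY: Dict[str, Set[int]] = {
    "org.example.datetime.set-time": set(),   # hypothetical action id
    "org.example.datetime.set-date": set(),   # hypothetical action id
}


def check_authorization(caller: Caller, action_id: str) -> bool:
    """Return True if the caller may perform action_id under POLICY."""
    if caller.uid == 0:
        return True
    return caller.uid in POLICY.get(action_id, set())


def polkit_protected(action_id: str):
    """Attach the polkit action a method requires; dispatch enforces it."""
    def wrap(fn):
        fn.polkit_action = action_id
        return fn
    return wrap


class Service:
    def __init__(self, require_action: bool = True):
        self.require_action = require_action
        self.methods: Dict[str, Callable] = {}
        self.state = {"date": None, "time": None}

    def export(self, fn: Callable, name: Optional[str] = None) -> None:
        """Register an exported method; fail closed if it declares no action."""
        if self.require_action and getattr(fn, "polkit_action", None) is None:
            raise ValueError(f"{fn.__name__} exported without a polkit action")
        self.methods[name or fn.__name__] = fn

    def dispatch(self, caller: Caller, method: str, *args):
        """Check authorization centrally, then run the handler."""
        fn = self.methods[method]
        action = getattr(fn, "polkit_action", None)
        if action is not None and not check_authorization(caller, action):
            raise NotAuthorized(f"{caller.name} not authorized for {action}")
        return fn(self, *args)


def audit_exports(service: Service) -> List[str]:
    """Names of exported methods that would run with no authorization check."""
    return sorted(n for n, f in service.methods.items()
                  if getattr(f, "polkit_action", None) is None)


def denied(service: Service, caller: Caller, method: str, *args) -> bool:
    """True if dispatching method as caller is refused by the authorization check."""
    try:
        service.dispatch(caller, method, *args)
    except NotAuthorized:
        return True
    return False


@polkit_protected("org.example.datetime.set-time")
def SetTime(svc: Service, seconds: int) -> bool:
    svc.state["time"] = seconds
    return True


def SetDate(svc: Service, seconds: int) -> bool:   # missing action: the reported bug
    svc.state["date"] = seconds
    return True


@polkit_protected("org.example.datetime.set-date")
def SetDateFixed(svc: Service, seconds: int) -> bool:   # declares its action
    svc.state["date"] = seconds
    return True


def build_vulnerable() -> Service:
    """Registration does not enforce a declared action, so SetDate slips through."""
    svc = Service(require_action=False)
    svc.export(SetTime)
    svc.export(SetDate)
    return svc


def build_fixed() -> Service:
    """Registration fails closed; the unprotected SetDate could not be exported."""
    svc = Service()
    svc.export(SetTime)
    svc.export(SetDateFixed, name="SetDate")
    return svc
```

`audit_exports` is the check a maintainer can run over a service's method table to catch a handler that was added without an authorization requirement, which is exactly the asymmetry between SetTime and SetDate the report points out; putting the check in `dispatch` rather than in each handler means the omission cannot recur silently.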
