Date: Wed, 28 Oct 2015 11:42:18 +0100
From: Sebastian Krahmer <>
Subject: csd-datetime forgets to authorize users


The csd-datetime-setting SetDate DBUS function apparently forgets
to check the polkit authorization for the caller, unlike SetTime.
At least I couldn't find any restriction that it's not callable by

Bug and patch proposal is here:

I am not a big fan of calling binaries from inside DBUS functions, but
it seems to be state of the art in desktop programming and doesn't
look exploitable. Yet, w/o authorization you may run into vulnerabilities
like the sudo time-ticket stuff.

csd seems to be a fork of gnome-settings-daemon but to my knowledge
they don't offer a set_date(), at least in the version I looked at.
So this issue seems to be introduced by csd itself.

If upstream (cc) confirms, can someone please assign a CVE?



~ perl
~ $_='print"\$_=\47$_\47;eval"';eval
~ - SuSE Security Team
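
A source-level audit for the class of bug reported above, as an added example that is not part of the original post or of csd's code: it lists D-Bus method handlers in a C file that never call the authorization helper. The sample source, its function names and the `check_polkit_for_action` helper name are constructed assumptions.

```python
import re

# Constructed sample in the style of a dbus-glib mechanism source file.
# All function names here are hypothetical, not copied from csd.
SAMPLE_C = r'''
gboolean
mechanism_set_time (Mechanism *m, gint64 secs, DBusGMethodInvocation *ctx)
{
    if (!check_polkit_for_action (m, ctx))
        return FALSE;
    return really_set_time (secs);
}

gboolean
mechanism_set_date (Mechanism *m, guint day, guint month, guint year,
                    DBusGMethodInvocation *ctx)
{
    /* FIXME: check_polkit_for_action (m, ctx) is missing here */
    return really_set_date (day, month, year);
}
'''

# A definition whose name starts the line and whose parameters include the
# D-Bus invocation context is treated as a method handler.
HANDLER = re.compile(
    r'^(\w+)\s*\([^)]*\bDBusGMethodInvocation\b[^)]*\)\s*\{', re.M)

def strip_comments(src):
    """Drop C comments so a check that is only mentioned does not count."""
    src = re.sub(r'/\*.*?\*/', ' ', src, flags=re.S)
    return re.sub(r'//[^\n]*', ' ', src)

def body_at(src, open_idx):
    """Return the brace-balanced block starting at src[open_idx] == '{'."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx:i + 1]
    return src[open_idx:]

def unauthorized_handlers(src, auth_call='check_polkit_for_action'):
    """Names of handlers whose body never calls the authorization helper."""
    src = strip_comments(src)
    call = re.compile(r'\b' + re.escape(auth_call) + r'\s*\(')
    return [m.group(1) for m in HANDLER.finditer(src)
            if not call.search(body_at(src, m.end() - 1))]

if __name__ == '__main__':
    print(unauthorized_handlers(SAMPLE_C))
```

The check only establishes that the helper is called somewhere in the handler; whether its result actually gates the privileged action still needs manual review.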