List:       kde-announce
Subject:    [kde-announce] KAuth PID Reuse Flaw
From:       Martin Sandsmark <martin.sandsmark () kde ! org>
Date:       2014-07-30 17:07:01
Message-ID: 20140730170701.GA15097 () viritrilbia ! samfundet ! no

KDE Project Security Advisory
=============================

Title:          KAuth PID Reuse Flaw
Risk Rating:    Low
CVE:            CVE-2014-5033
Platforms:      All
Versions:       kdelibs < 4.14, kauth < 5.1
Author:         Martin Sandsmark <martin.sandsmark@kde.org>
Date:           30 July 2014

Overview
========

The KAuth framework uses the polkit-1 API, which tries to authenticate using the
requestor's PID. This is prone to PID reuse race conditions.

Impact
======

This potentially allows a malicious application to pose as another for 
authentication purposes when executing privileged actions.

Workaround
==========

Disable polkit-1 integration.

Solution
========

Upgrade to 4.14 or apply the patch at:
http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23
http://quickgit.kde.org/?p=kauth.git&a=commit&h=341b7d84b6d9c03cf56905cb277b47e11c81482a

Credits
=======

Thanks to the SuSE security team and packagers for discovery and notification.


-- 
Martin Sandsmark
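
The PID reuse race from the Overview, seen from the checking side. This is an added
example, not code from the advisory or the KDE patches: it pins a caller to
(PID, start time) and re-checks that pair before acting. It assumes Linux /proc;
Subject, parse_starttime, capture and still_same_process are hypothetical names.

```cpp
// Added example: a bare PID can be recycled between request and check,
// so record (pid, starttime) and compare both. Assumes Linux /proc.
#include <exception>
#include <fstream>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>
#include <unistd.h>

struct Subject { long pid; unsigned long long starttime; };

// Field 22 of /proc/<pid>/stat is the start time in clock ticks since boot.
// comm (field 2) may contain spaces and ')', so split after the LAST ')'.
std::optional<unsigned long long> parse_starttime(const std::string &stat) {
    auto close = stat.rfind(')');
    if (close == std::string::npos) return std::nullopt;
    std::istringstream rest(stat.substr(close + 1));
    std::string tok;
    for (int field = 3; field <= 22; ++field)
        if (!(rest >> tok)) return std::nullopt;      // truncated line
    if (tok.find_first_not_of("0123456789") != std::string::npos)
        return std::nullopt;                          // not a plain number
    try { return std::stoull(tok); }
    catch (const std::exception &) { return std::nullopt; }
}

// Snapshot the identity of a PID; empty if the process is gone or unreadable.
std::optional<Subject> capture(long pid) {
    std::ifstream f("/proc/" + std::to_string(pid) + "/stat");
    std::string line;
    if (!f || !std::getline(f, line)) return std::nullopt;
    auto st = parse_starttime(line);
    if (!st) return std::nullopt;
    return Subject{pid, *st};
}

// True only if the PID still names the process captured earlier.
bool still_same_process(const Subject &then, const std::optional<Subject> &now) {
    return now && now->pid == then.pid && now->starttime == then.starttime;
}

int main() {
    auto caller = capture(getpid());                  // identity at request time
    if (!caller) { std::cerr << "cannot read /proc\n"; return 1; }
    bool ok = still_same_process(*caller, capture(caller->pid)); // re-check
    std::cout << "pid " << caller->pid << " unchanged: " << ok << "\n";
}
```

A re-check like this narrows the window but does not remove it, since the process
can still change between the check and the privileged action.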