List: oss-security
Subject: [oss-security] accountsservice local file disclosure flaw (CVE-2012-2737)
From: Vincent Danen <vdanen () redhat ! com>
Date: 2012-06-28 14:59:30
Message-ID: 20120628145930.GD1302 () redhat ! com

Good day, all.

A local file disclosure flaw was discovered by Florian Weimer of the Red
Hat Product Security Team in accountsservice. From what I understand,
there are a few distros that use this due to newer GNOME.

The offending code was added here:

http://cgit.freedesktop.org/accountsservice/commit/?id=69b526a6cd4c078732068de2ba393cf9242a404b

A patch to correct the flaw is attached to our bugzilla bug and will be
committed upstream shortly.

https://bugzilla.redhat.com/show_bug.cgi?id=832532

The issue is described as follows:

Florian Weimer found a local file disclosure flaw in accountsservice, an
account management system using D-Bus for querying and manipulating user
accounts. The implementation of the SetIconFile method of the
org.freedesktop.Accounts.User D-Bus interface can disclose arbitrary
files due to a race condition in user_change_icon_file_authorized_cb()
in /usr/libexec/accounts-daemon. When this function calls
get_caller_uid(), it uses PolicyKit to obtain the UID of the requesting
process from /proc. At the time the UID is fetched, it may not match
the original UID making the D-Bus request if the process has executed an
SUID binary.

It has been assigned the name CVE-2012-2737.

The distros mailing list was notified of this flaw on Monday (20120625)
and made public today (20120628).

--
Vincent Danen / Red Hat Security Response Team