
List:       oss-security
Subject:    [oss-security] accountsservice local file disclosure flaw (CVE-2012-2737)
From:       Vincent Danen <vdanen () redhat ! com>
Date:       2012-06-28 14:59:30
Message-ID: 20120628145930.GD1302 () redhat ! com

Good day, all.

A local file disclosure flaw was discovered by Florian Weimer of the Red
Hat Product Security Team in accountsservice.  From what I understand,
there are a few distros that use this due to newer GNOME.

The offending code was added here:

http://cgit.freedesktop.org/accountsservice/commit/?id=69b526a6cd4c078732068de2ba393cf9242a404b

A patch to correct the flaw is attached to our bugzilla bug and will be
committed upstream shortly.

https://bugzilla.redhat.com/show_bug.cgi?id=832532

The issue is described as follows:

Florian Weimer found a local file disclosure flaw in accountsservice, an
account management system using D-Bus for querying and manipulating user
accounts.  The implementation of the SetIconFile method of the
org.freedesktop.Accounts.User D-Bus interface can disclose arbitrary
files due to a race condition in user_change_icon_file_authorized_cb()
in /usr/libexec/accounts-daemon.  When this function calls
get_caller_uid(), it uses PolicyKit to obtain the UID of the requesting
process from /proc.  At the time the UID is fetched, it may not match
the original UID making the D-Bus request if the process has executed an
SUID binary.

It has been assigned the name CVE-2012-2737.

The distros mailing list was notified of this flaw on Monday (20120625)
and made public today (20120628).

-- 
Vincent Danen / Red Hat Security Response Team
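
Added example, not part of the original message and not the accountsservice patch: a C sketch of why resolving a requester's UID from /proc by PID after the request arrives is racy, next to credentials the kernel records at connect() time (SO_PEERCRED on a Unix socket, swapped in here for the D-Bus/PolicyKit path). The function names, the abstract socket name and the client exiting as a stand-in for the state change are assumptions for illustration; no SUID binary is involved.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };  /* same layout as Linux struct ucred */

/* Racy: answers "who owns this PID now", not "who sent the request". */
int uid_from_proc(pid_t pid, uid_t *uid) {
    char path[32]; struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &st) != 0) return -1;   /* PID gone or /proc unavailable */
    *uid = st.st_uid;
    return 0;
}

/* Stable: credentials the kernel recorded when the peer called connect(). */
int uid_from_peer(int fd, struct peer_cred *cr) {
    socklen_t len = sizeof *cr;
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, cr, &len);
}

/* Returns 1 if the late /proc lookup no longer matches the connect-time
 * credentials, 0 if both agree, -1 on setup failure. */
int late_lookup_diverges(void) {
    struct sockaddr_un a = { .sun_family = AF_UNIX };  /* sun_path[0] == 0: abstract name */
    struct peer_cred cr; uid_t late;
    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    int n = snprintf(a.sun_path + 1, sizeof a.sun_path - 1, "cred-demo-%ld", (long)getpid());
    socklen_t alen = offsetof(struct sockaddr_un, sun_path) + 1 + n;
    if (srv < 0 || bind(srv, (struct sockaddr *)&a, alen) || listen(srv, 1)) return -1;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {                      /* client: connect, then go away */
        int c = socket(AF_UNIX, SOCK_STREAM, 0);
        connect(c, (struct sockaddr *)&a, alen);
        _exit(0);
    }
    int conn = accept(srv, NULL, NULL);
    if (conn < 0 || uid_from_peer(conn, &cr) != 0) return -1;
    waitpid(child, NULL, 0);               /* requester's state has now changed */
    int stale = uid_from_proc(cr.pid, &late) != 0 || late != cr.uid;
    close(conn); close(srv);
    return (cr.uid == getuid() && cr.pid == child) ? stale : -1;
}
```

A service that authorizes on the connect-time UID, and treats a failed or mismatching late lookup as a denial, does not depend on what the requesting process has become by the time the check runs.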