[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] csd-datetime forgets to authorize users
From: Sebastian Krahmer <krahmer () suse ! com>
Date: 2015-10-28 10:42:18
Message-ID: 20151028104218.GA14987 () suse ! de
[Download RAW message or body]
Hi
The csd-datetime-setting SetDate DBUS function apparently forgets
to check the polkit authorization for the caller. Unlike SetTime.
At least I couldnt find any restriction that its not callable by
users.
Bug and patch proposal is here:
https://bugzilla.suse.com/show_bug.cgi?id=951830
I am not big fan of calling binaries from inside DBUS functions, but
seems to be state of the art in desktop programming and doesnt
look exploitable. Yet, w/o authorization you may run into vulnerabilities
like the sudo time-ticket stuff.
csd seems to be fork of gnome-settings-daemon but to my knowledge
they dont offer a set_date(), at least in the version I looked at.
So this issue seems to be introduced by csd itself.
If upstream (cc) confirms, can someone please assign a CVE?
Sebastian
--
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.com - SuSE Security Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic