[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] csd-datetime forgets to authorize users
From:       Sebastian Krahmer <krahmer () suse ! com>
Date:       2015-10-28 10:42:18
Message-ID: 20151028104218.GA14987 () suse ! de
[Download RAW message or body]


Hi

The csd-datetime-setting SetDate DBUS function apparently forgets
to check the polkit authorization for the caller. Unlike SetTime.
At least I couldnt find any restriction that its not callable by
users.

Bug and patch proposal is here:

https://bugzilla.suse.com/show_bug.cgi?id=951830


I am not big fan of calling binaries from inside DBUS functions, but
seems to be state of the art in desktop programming and doesnt
look exploitable. Yet, w/o authorization you may run into vulnerabilities
like the sudo time-ticket stuff.

csd seems to be fork of gnome-settings-daemon but to my knowledge
they dont offer a set_date(), at least in the version I looked at.
So this issue seems to be introduced by csd itself.

If upstream (cc) confirms, can someone please assign a CVE?

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.com - SuSE Security Team

[prev in list] [next in list] [prev in thread] [next in thread]