oss-sec mailing list archives
accountsservice local file disclosure flaw (CVE-2012-2737)
From: Vincent Danen <vdanen () redhat com>
Date: Thu, 28 Jun 2012 08:59:30 -0600
Good day, all.

A local file disclosure flaw was discovered by Florian Weimer of the Red Hat Product Security Team in accountsservice. From what I understand, there are a few distros that use this due to newer GNOME.

The offending code was added here:

http://cgit.freedesktop.org/accountsservice/commit/?id=69b526a6cd4c078732068de2ba393cf9242a404b

A patch to correct the flaw is attached to our bugzilla bug and will be committed upstream shortly.

https://bugzilla.redhat.com/show_bug.cgi?id=832532

The issue is described as follows:

Florian Weimer found a local file disclosure flaw in accountsservice, an account management system using D-Bus for querying and manipulating user accounts. The implementation of the SetIconFile method of the org.freedesktop.Accounts.User D-Bus interface can disclose arbitrary files due to a race condition in user_change_icon_file_authorized_cb() in /usr/libexec/accounts-daemon. When this function calls get_caller_uid(), it uses PolicyKit to obtain the UID of the requesting process from /proc. At the time the UID is fetched, it may not match the original UID making the D-Bus request if the process has executed an SUID binary.

It has been assigned the name CVE-2012-2737.

The distros mailing list was notified of this flaw on Monday (20120625) and made public today (20120628).

--
Vincent Danen / Red Hat Security Response Team