oss-sec mailing list archives
KAuth security issues
From: Sebastian Krahmer <krahmer () suse de>
Date: Mon, 24 Mar 2014 10:27:23 +0100
I sent this to security () kde org last week and to some KDE developers one more week ago. No response so far, so here we go.

regards,
Sebastian

--------8<--------------------

Hi

I sent this mail to the KAuth author a week ago. So far no reply, so I am trying it here again.

When I looked at the KAuth framework it seems like it is using

PolkitQt1::UnixProcessSubject subject(pid)

(i.e. unix process subjects) for the polkit auth, which is always racy. Please refer to:

CVE-2013-4288 polkit: unix-process subject for authorization is racy
CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
CVE-2013-4325 hplip: use of insecure polkit DBUS API
CVE-2013-4326 rtkit: use of insecure polkit DBUS API
CVE-2013-4327 systemd: use of insecure polkit DBUS API

which were using exactly this vulnerable way of authenticating via polkit.

The bug is semi-public:

https://bugzilla.novell.com/show_bug.cgi?id=864716

A non-racy way would be to use system-bus subject for authentication. (Yet I don't know how this fits in the KAuth API.) Nevertheless, something needs to be done, as basically the KAuth authentication is non-existing if using process subjects.

regards,
Sebastian

--
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team

----- End forwarded message -----

--
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
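The difference between the two subject kinds named in the message above, as an added toy model that is not part of the original post and is not KAuth or polkit code. `ToySystem`, `run_scenario`, PID 4242 and bus name `:1.57` are constructed, and the single UID change stands in for any change in what the PID refers to between the request and the check.

```python
# Toy model (constructed): a subject named by PID is resolved when the
# authority checks it, while a subject named by unique bus name is tied to
# the caller's connection. No real polkit or D-Bus calls are made.

class ToySystem:
    def __init__(self):
        self.proc_uid = {}  # pid -> uid of whatever currently holds that pid
        self.bus_uid = {}   # unique bus name -> uid recorded at connect time

    def connect(self, pid, uid, name):
        self.proc_uid[pid] = uid
        self.bus_uid[name] = uid


def unix_process_subject(pid):
    # Shape of polkit's D-Bus Subject for a process (start-time left out here)
    return ("unix-process", {"pid": pid})


def system_bus_name_subject(name):
    return ("system-bus-name", {"name": name})


def check_authorization(system, subject, allowed_uids=frozenset({0})):
    """Toy authority: resolve the subject to a uid now, then apply policy."""
    kind, details = subject
    if kind == "unix-process":
        uid = system.proc_uid.get(details["pid"])  # lookup happens at check time
    elif kind == "system-bus-name":
        uid = system.bus_uid.get(details["name"])  # bound to the connection
    else:
        raise ValueError("unknown subject kind: " + kind)
    return uid in allowed_uids


def run_scenario(make_subject):
    system = ToySystem()
    system.connect(pid=4242, uid=1000, name=":1.57")  # unprivileged caller
    subject = make_subject()       # helper records who sent the request
    system.proc_uid[4242] = 0      # the pid no longer maps to the caller's uid
    return check_authorization(system, subject)


if __name__ == "__main__":
    print("unix-process    :", run_scenario(lambda: unix_process_subject(4242)))
    print("system-bus-name :", run_scenario(lambda: system_bus_name_subject(":1.57")))
```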