[v2.7] CVE-2013-4288 CVE-2013-4324 CVE-2013-4311: polkit, spice-gtk, libvirt: bypass intended access restrictions
Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.
Seems to be fixed in polkit-0.112 (http://cgit.freedesktop.org/polkit/commit/?id=3968411b0c7ba193f9b9276ec911692aec248608). If so, Alpine Linux v2.4 to v2.7 are vulnerable.
•MLIST:[oss-security] 20130918 Fwd: [vs-plain] polkit races
•URL:http://www.openwall.com/lists/oss-security/2013/09/18/4
•MLIST:[oss-security] 20130918 Re: Fwd: [vs-plain] polkit races
•URL:http://seclists.org/oss-sec/2013/q3/626
•MISC:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1002375
•REDHAT:RHSA-2013:1270
•URL:http://rhn.redhat.com/errata/RHSA-2013-1270.html
•REDHAT:RHSA-2013:1460
•URL:http://rhn.redhat.com/errata/RHSA-2013-1460.html
•SUSE:openSUSE-SU-2013:1527
•URL:http://lists.opensuse.org/opensuse-updates/2013-10/msg00004.html
•SUSE:openSUSE-SU-2013:1528
•URL:http://lists.opensuse.org/opensuse-updates/2013-10/msg00005.html
•UBUNTU:USN-1953-1
•URL:http://www.ubuntu.com/usn/USN-1953-1
For Alpine Linux v2.7 only:
CVE-2013-4324
spice-gtk 0.14, and possibly other versions, invokes the polkit
authority using the insecure polkit_unix_process_new API function,
which allows local users to bypass intended access restrictions by
leveraging a PolkitUnixProcess PolkitSubject race condition via a (1)
setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
•MLIST:[oss-security] 20130918 Re: Fwd: [vs-plain] polkit races
•URL:http://www.openwall.com/lists/oss-security/2013/09/18/6
•REDHAT:RHSA-2013:1273
•URL:http://rhn.redhat.com/errata/RHSA-2013-1273.html
•SUSE:openSUSE-SU-2013:1562
•URL:http://lists.opensuse.org/opensuse-updates/2013-10/msg00031.html
•BID:62538
•URL:http://www.securityfocus.com/bid/62538
•SECUNIA:54947
•URL:http://secunia.com/advisories/54947
(from redmine: issue id 2475, created on 2013-12-03, closed on 2014-01-07)
- Relations:
- parent #2471 (closed)
- Changesets:
- Revision 1c9db396 by Natanael Copa on 2013-12-10T11:34:44Z:
main/spice-gtk: security upgrade to 0.21 (CVE-2013-4324)
fixes #2475
ref #2471