CVE-2013-4288 CVE-2013-4324 CVE-2013-4311: polkit, spice-gtk, libvirt: bypass intended access restrictions
Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.
Seems to be fixed in polkit-0.112 (http://cgit.freedesktop.org/polkit/commit/?id=3968411b0c7ba193f9b9276ec911692aec248608). If so, Alpine Linux v2.4 to v2.7 are vulnerable.
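Added illustration of the pkcheck side of this issue (not code from this Alpine issue or from polkit itself). A caller that identified the subject to pkcheck by a bare pid left polkitd to read the process's uid from /proc only at check time, after the attacker could already have replaced that pid's image with a setuid binary or pkexec. The polkit-0.112 fix lets pkcheck --process take a pid,start-time,uid triple, so the uid the caller observed becomes part of the subject's identity instead of being looked up late. The function below builds that triple from the Linux /proc files; the function name is an assumption of this example, and it takes the proc directory as a parameter so it can be exercised on constructed files rather than a live process.

```shell
#!/bin/sh
# Example, not polkit's or Alpine's code: build the "pid,start-time,uid"
# subject triple that pkcheck --process accepts from polkit 0.112 on.
#
# Racy (pre-fix) usage identifies the subject by pid alone:
#     pkcheck --action-id org.example.action --process "$pid"
# Fixed usage pins the start time and the uid the caller observed:
#     pkcheck --action-id org.example.action \
#             --process "$(pk_subject_triplet "$pid" "/proc/$pid")"

# pk_subject_triplet PID PROCDIR
#   PID      the process id of the subject
#   PROCDIR  its proc directory, normally /proc/PID (parameterised so the
#            function can be run on constructed stat/status files)
# Prints "PID,STARTTIME,UID" on stdout, returns 1 if the files are unusable.
pk_subject_triplet() {
    pid=$1
    procdir=$2

    # /proc/PID/stat: field 2 is "(comm)" and comm may itself contain spaces
    # or ')' characters, so strip everything up to the LAST ')' and count
    # from there. starttime is field 22 of the whole line, i.e. the 20th
    # field after the closing paren (field 3, the state, is the first).
    stat=$(cat "$procdir/stat") || return 1
    rest=${stat##*)}
    starttime=$(printf '%s\n' "$rest" | awk '{ print $20 }')

    # /proc/PID/status: "Uid:  real  effective  saved  fs". polkit compares
    # the real uid (first value), which is what a setuid exec or pkexec
    # would change under the attacker's feet in the bare-pid case.
    uid=$(awk '/^Uid:/ { print $2; exit }' "$procdir/status") || return 1

    [ -n "$starttime" ] && [ -n "$uid" ] || return 1
    printf '%s,%s,%s\n' "$pid" "$starttime" "$uid"
}
```

With a real pid the call is `pk_subject_triplet "$pid" "/proc/$pid"`; the start time is in clock ticks since boot and, together with the uid, makes the subject stale (and the check fail closed) if the pid has been reused or the process has changed identity since the caller looked.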
•MLIST:[oss-security] 20130918 Fwd: [vs-plain] polkit races
•URL:http://www.openwall.com/lists/oss-security/2013/09/18/4
•MLIST:[oss-security] 20130918 Re: Fwd: [vs-plain] polkit races
•URL:http://seclists.org/oss-sec/2013/q3/626
•MISC:http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=1002375
•REDHAT:RHSA-2013:1270
•URL:http://rhn.redhat.com/errata/RHSA-2013-1270.html
•REDHAT:RHSA-2013:1460
•URL:http://rhn.redhat.com/errata/RHSA-2013-1460.html
•SUSE:openSUSE-SU-2013:1527
•URL:http://lists.opensuse.org/opensuse-updates/2013-10/msg00004.html
•SUSE:openSUSE-SU-2013:1528
•URL:http://lists.opensuse.org/opensuse-updates/2013-10/msg00005.html
•UBUNTU:USN-1953-1
•URL:http://www.ubuntu.com/usn/USN-1953-1
For Alpine Linux v2.7 only:
CVE-2013-4324 spice-gtk: insecure calling of polkit via polkit_unix_process_new:
spice-gtk 0.14, and possibly other versions, invokes the polkit
authority using the insecure polkit_unix_process_new API function,
which allows local users to bypass intended access restrictions by
leveraging a PolkitUnixProcess PolkitSubject race condition via a (1)
setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
•MLIST:[oss-security] 20130918 Re: Fwd: [vs-plain] polkit races
•URL:http://www.openwall.com/lists/oss-security/2013/09/18/6
•REDHAT:RHSA-2013:1273
•URL:http://rhn.redhat.com/errata/RHSA-2013-1273.html
•SUSE:openSUSE-SU-2013:1562
•URL:http://lists.opensuse.org/opensuse-updates/2013-10/msg00031.html
•BID:62538
•URL:http://www.securityfocus.com/bid/62538
•SECUNIA:54947
•URL:http://secunia.com/advisories/54947
For Alpine Linux v2.6 only:
CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API:
libvirt 1.0.5.x before 1.0.5.6, 0.10.2.x before 0.10.2.8, and 0.9.12.x
before 0.9.12.2 allows local users to bypass intended access
restrictions by leveraging a PolkitUnixProcess PolkitSubject race
condition in pkcheck via a (1) setuid process or (2) pkexec process, a
related issue to CVE-2013-4288.
•MLIST:[oss-security] 20130918 Re: Fwd: [vs-plain] polkit races
•URL:http://www.openwall.com/lists/oss-security/2013/09/18/6
•CONFIRM:http://wiki.libvirt.org/page/Maintenance_Releases
•REDHAT:RHSA-2013:1272
•URL:http://rhn.redhat.com/errata/RHSA-2013-1272.html
•REDHAT:RHSA-2013:1460
•URL:http://rhn.redhat.com/errata/RHSA-2013-1460.html
•SUSE:openSUSE-SU-2013:1549
•URL:http://lists.opensuse.org/opensuse-updates/2013-10/msg00023.html
•SUSE:openSUSE-SU-2013:1550
•URL:http://lists.opensuse.org/opensuse-updates/2013-10/msg00024.html
•UBUNTU:USN-1954-1
•URL:http://www.ubuntu.com/usn/USN-1954-1
(from redmine: issue id 2471, created on 2013-12-03, closed on 2014-01-07)
- Relations:
- child #2472 (closed)
- child #2473 (closed)
- child #2474 (closed)
- child #2475 (closed)
- Changesets:
- Revision 6856c318 by Natanael Copa on 2013-12-05T16:22:26Z:
main/polkit: security fix for CVE-2013-4288
ref #2471
- Revision 368db46c by Natanael Copa on 2013-12-05T16:51:08Z:
main/polkit: security fix for CVE-2013-4288
ref #2471
- Revision 1c9db396 by Natanael Copa on 2013-12-10T11:34:44Z:
main/spice-gtk: security upgrade to 0.21 (CVE-2013-4324)
fixes #2475
ref #2471
- Revision b69f30fd by Natanael Copa on 2013-12-24T09:40:37Z:
main/polkit: security fix for CVE-2013-4288
ref #2471
ref #2474
- Revision f2acbea2 by Natanael Copa on 2013-12-24T10:47:03Z:
main/libvirt: security upgrade to 1.0.5.8 (CVE-2013-4291,CVE-2013-4296,CVE-2013-4311)
ref #2471
fixes #2474
- Revision b792bfcd by Natanael Copa on 2013-12-24T10:52:50Z:
main/polkit: security fix for CVE-2013-4288
ref #2471
fixes #2473
- Revision 43de28a5 by Natanael Copa on 2013-12-24T11:11:53Z:
main/polkit: security fix for CVE-2013-4288
ref #2471
fixes #2472