Bug 13792

Summary: kdelibs4/polkit-qt-1 new security issue CVE-2014-5033
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Luc Menut <lmenut>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: balcaen.john, mageia
Version: 4   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/607289/
Whiteboard: MGA3TOO
Source RPM: kdelibs4-4.11.4-1.mga4.src.rpm, polkit-qt-1-0.103.0 CVE:
Status comment:
Bug Depends on: 13221, 13826    
Bug Blocks:    

Description David Walser 2014-07-23 16:04:21 CEST
A CVE was allocated for a polkit-related security issue in KAuth:
http://openwall.com/lists/oss-security/2014/07/23/4

The Novell bug linked there has lots more information about the issue.  In the 72nd comment, it was stated that patches have been merged upstream for KF5's kauth and kdelibs4 in 4.13 and 4.14, so Cauldron should be fixed the next time those packages are updated.  For Mageia 3 and Mageia 4, the patch will need to be added (it is attached in the 56th comment in the Novell bug).

David Walser 2014-07-23 16:04:37 CEST

CC: (none) => balcaen.john, mageia
Whiteboard: (none) => MGA3TOO

Luc Menut 2014-07-31 15:18:30 CEST

Depends on: (none) => 13826

Comment 1 Luc Menut 2014-07-31 15:35:00 CEST
KDE reference:
http://www.kde.org/info/security/advisory-20140730-1.txt

Cauldron:
kdelibs fixed with kdelibs4-4.13.95-1.mga5

Mageia 3:
fixed in kdelibs4-4.10.5-1.2.mga3 pushed in updates_testing
update request in bug #13826

URL: (none) => http://www.kde.org/info/security/advisory-20140730-1.txt

David Walser 2014-07-31 19:41:14 CEST

Depends on: (none) => 13221

Comment 2 David Walser 2014-07-31 20:07:10 CEST
Ubuntu has issued an advisory for this today (July 31):
http://www.ubuntu.com/usn/usn-2304-1/

URL: http://www.kde.org/info/security/advisory-20140730-1.txt => http://lwn.net/Vulnerabilities/607289/

Comment 3 David Walser 2014-09-19 17:22:53 CEST
This also affects polkit-qt-1 (Mageia 3, 4, and Cauldron) and polkit-qt5 (Cauldron).

Fedora has issued an advisory for this on August 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137844.html

Summary: kdelibs4 new security issue CVE-2014-5033 => kdelibs4/polkit-qt-1/polkit-qt5 new security issue CVE-2014-5033
Source RPM: kdelibs4-4.11.4-1.mga4.src.rpm => kdelibs4-4.11.4-1.mga4.src.rpm, polkit-qt-1-0.112.0-3.mga5.src.rpm, polkit-qt5-0.112.0-2.mga5.src.rpm

Comment 4 Luc Menut 2014-09-21 23:39:57 CEST
(In reply to David Walser from comment #3)
> This also affects polkit-qt-1 (Mageia 3, 4, and Cauldron) and polkit-qt5
> (Cauldron).

Cauldron already uses polkit-qt-1 0.112.0 used by Fedora in their update, so it doesn't seem affected.

> 
> Fedora has issued an advisory for this on August 21:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137844.html

I'm not sure that we absolutely need to update polkit-qt-1 to 0.112.0 for mga3 and mga4 now that we have updated kdelibs4 to use system-bus-name instead of pid-based auth. Fedora doesn't seem to have updated kdelibs in this way like us or openSUSE.

I can easily update polkit-qt-1 to 0.112.0 in mga4.
It's more complicated for mga3, because polkit-qt-1 0.112.0 requires CMake 2.8.11 or higher, and mga3 has only CMake 2.8.10.2.

Hardware: i586 => All
Source RPM: kdelibs4-4.11.4-1.mga4.src.rpm, polkit-qt-1-0.112.0-3.mga5.src.rpm, polkit-qt5-0.112.0-2.mga5.src.rpm => kdelibs4-4.11.4-1.mga4.src.rpm, polkit-qt-1-0.103.0

Luc Menut 2014-09-21 23:41:45 CEST

Summary: kdelibs4/polkit-qt-1/polkit-qt5 new security issue CVE-2014-5033 => kdelibs4/polkit-qt-1 new security issue CVE-2014-5033

Comment 5 Luc Menut 2014-10-29 13:30:03 CET
Fixed in KDE 4.12.5

Status: NEW => RESOLVED
Resolution: (none) => FIXED