Bug 16135

Summary: polkit new security issues CVE-2015-3218, CVE-2015-325[56], and CVE-2015-4625
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, mageia, mageia, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/650307/
Whiteboard: MGA4TOO MGA4-64-OK MGA4-32-OK advisory MGA5-64-OK MGA5-32-OK
Source RPM: polkit-0.112-8.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-06-16 23:50:53 CEST 
A CVE has been assigned for a security issue in polkit:
http://openwall.com/lists/oss-security/2015/06/16/21

It looks like patches are pending upstream.  A new version might be released once everything's committed.

Reproducible: 

Steps to Reproduce:
David Walser 2015-06-16 23:51:04 CEST

CC: (none) => mageia
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 2 David Walser 2015-07-02 22:30:00 CEST 
polkit 0.113 has been released today (July 2), fixing this issue and others:
http://lists.freedesktop.org/archives/polkit-devel/2015-July/000432.html

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated polkit packages fix security vulnerabilities:

Local privilege escalation in polkit before 0.113 due to predictable
authentication session cookie values (CVE-2015-4625).

Various memory corruption vulnerabilities in polkit before 0.113 in the use of
the JavaScript interpreter, possibly leading to local privilege escalation
(CVE-2015-3256).

Memory corruption vulnerability in polkit before 0.113 in handling duplicate
action IDs, possibly leading to local privilege escalation (CVE-2015-3255).

Denial of service issue in polkit before 0.113 which allowed any local user to
crash polkitd (CVE-2015-3218).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3218
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3255
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3256
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4625
http://lists.freedesktop.org/archives/polkit-devel/2015-July/000432.html
========================

Updated packages in core/updates_testing:
========================
polkit-0.113-1.mga4
polkit-desktop-policy-0.113-1.mga4
libpolkit1_0-0.113-1.mga4
libpolkit-gir1.0-0.113-1.mga4
libpolkit1-devel-0.113-1.mga4
polkit-0.113-1.mga5
libpolkit1_0-0.113-1.mga5
libpolkit-gir1.0-0.113-1.mga5
libpolkit1-devel-0.113-1.mga5

from SRPMS:
polkit-0.113-1.mga4.src.rpm
polkit-0.113-1.mga5.src.rpm

CC: (none) => mageia
Version: Cauldron => 5
Assignee: mageia => qa-bugs
Summary: polkit new security issue CVE-2015-4625 => polkit new security issues CVE-2015-3218, CVE-2015-325[56], and CVE-2015-4625
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 3 Dave Hodgins 2015-07-02 23:30:14 CEST 
Testing complete on Mageia 4. Just testing that I can start mcc as a regular
user, and that it starts after entering the password.

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO => MGA4TOO MGA4-64-OK MGA4-32-OK

Comment 4 Dave Hodgins 2015-07-02 23:37:50 CEST 
Advisory committed to svn. I'll test Mageia 5 shortly.

Whiteboard: MGA4TOO MGA4-64-OK MGA4-32-OK => MGA4TOO MGA4-64-OK MGA4-32-OK advisory

Comment 5 Dave Hodgins 2015-07-03 00:22:28 CEST 
Testing complete.

Someone from the sysadmin team please push 16135.adv to updates for Mageia 4 and 5.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA4-64-OK MGA4-32-OK advisory => MGA4TOO MGA4-64-OK MGA4-32-OK advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-07-05 19:23:33 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0262.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-07-06 20:27:28 CEST

URL: (none) => http://lwn.net/Vulnerabilities/650307/