Bug 11260 - polkit process authorization race condition (CVE-2013-4288)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/567524/
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Depends on:
Blocks: 11274

Reported: 2013-09-19 21:27 CEST by David Walser
Modified: 2013-10-05 20:02 CEST

See Also:
Source RPM: polkit
CVE:


Attachments

Description David Walser 2013-09-19 21:27:33 CEST
Several packages need to be fixed for this.  If I understand it correctly, the change in polkit to fix this causes an API change, forcing other software using this part of the API to be adapted.  More info:
http://www.openwall.com/lists/oss-security/2013/09/18/6

which lists the following CVEs and affected packages:
CVE-2013-4288 polkit: unix-process subject for authorization is racy
CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
CVE-2013-4325 hplip: use of insecure polkit DBUS API
CVE-2013-4326 rtkit: use of insecure polkit DBUS API
CVE-2013-4327 systemd: use of insecure polkit DBUS API

Some fixes have already hit LWN:
polkit - http://lwn.net/Vulnerabilities/567524/
libvirt - http://lwn.net/Vulnerabilities/567522/
hplip - http://lwn.net/Vulnerabilities/567517/
rtkit - http://lwn.net/Vulnerabilities/567525/
systemd - http://lwn.net/Vulnerabilities/567528/

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-09-19 22:38:37 CEST
I should also mention that a new spice-gtk version is out upstream (0.21) that we need to update Cauldron to.  The freecode (formerly freshmeat) release announcement lists another polkit CVE that we fixed in 2011 (Bug 1298).  I'm not sure if that's correct.
http://freecode.com/projects/spice-gtk/releases/357869
Comment 2 David Walser 2013-09-20 21:02:05 CEST
spice-gtk - http://lwn.net/Vulnerabilities/567693/
Comment 3 Colin Guthrie 2013-09-22 18:27:40 CEST
OK, so Cauldron has been updated with new polkit and systemd already, and I've today submitted patched rtkit, hplip and libvirt and updated spice-gtk to 0.21.

I've applied patches for everything listed above in MGA3 *except* libvirt. The patching process there will take some time and I'm not very familiar with the software. I would advise that we should update to 1.0.5.6 instead (this is what Fedora has done). I have prepared a 1.0.5.6 build (not actually built, but dropped upstream patches and confirmed everything applies - it fails to build under cauldron due to automake but I'm sure it would work with minimal changes under mga3).

 * polkit-0.107-6.1.mga3
 * spice-gtk-0.15-3.1.mga3
 * hplip-3.12.9-6.1.mga3
 * rtkit-0.11-3.1.mga3
 * systemd-195-22.1.mga3

I've not yet looked at MGA2.
Comment 4 Colin Guthrie 2013-09-22 19:39:33 CEST
Now looked at Mageia 2 - same deal as mga3 re libvirt, I would suggest we update to 0.9.12 and apply all patches on the v0.9.12-maint branch: http://libvirt.org/git/?p=libvirt.git;a=shortlog;h=refs/heads/v0.9.12-maint

And to be fair re: mga3, we could use the v1.0.2-maint branch upstream for patches which may be safer than updating to 1.0.5.6 as suggested above.


 * polkit-0.104-4.2.mga2
 * spice-gtk-0.9-1.2.mga2 
 * hplip-3.12.4-1.3.mga2  
 * rtkit-0.10-3.1.mga2   
 * systemd-44-13.1.mga2
Comment 5 Colin Guthrie 2013-09-22 20:58:17 CEST
And I've now updated mga2 & 3 libvirt:

 * libvirt-1.0.2-8.2.mga3

So this does indeed bump the libvirt version from 0.9.10 to 0.9.12 under mga2. But both mga2 and mga3 now have all patches from their respective upstream "-maint" branches applied.

Sadly the mga2 is not currently building, but I will hopefully solve that soon.
Comment 6 Colin Guthrie 2013-09-22 22:08:41 CEST
OK, so I've now fixed the mga2 build, but it has some spec filelist issues which I cannot easily resolve without having an mga2 machine/chroot handy, which I don't currently have. If someone could fix it easily that would be great, otherwise I'll take a look tomorrow.
Comment 7 Colin Guthrie 2013-09-23 10:48:23 CEST
Right, I studied the configure.ac this morning and noticed the missing buildreq that was causing problems on mga2 build and it's now ready.

 * libvirt-0.9.12-1.mga2


Keep in mind this is updated from 0.9.10 and also has several other bugfixes on top.

From my perspective all the required patches are now applied and testing packages built.
Comment 8 David Walser 2013-09-23 15:26:08 CEST
Thank you so much Colin for taking care of this!

Assigning to QA, advisory to follow.

Here's the packages list:
------------------------
polkit-0.104-4.2.mga2
polkit-desktop-policy-0.104-4.2.mga2
libpolkit1_0-0.104-4.2.mga2
libpolkit-gir1.0-0.104-4.2.mga2
libpolkit1-devel-0.104-4.2.mga2
libvirt0-0.9.12-1.mga2
libvirt-devel-0.9.12-1.mga2
libvirt-static-devel-0.9.12-1.mga2
python-libvirt-0.9.12-1.mga2
libvirt-utils-0.9.12-1.mga2
spice-gtk-0.9-1.2.mga2
libspice-client-glib2.0_1-0.9-1.2.mga2
libspice-client-glib-gir2.0-0.9-1.2.mga2
libspice-client-gtk3.0_1-0.9-1.2.mga2
libspice-client-gtk-gir3.0-0.9-1.2.mga2
libspice-controller0-0.9-1.2.mga2
libspice-gtk-devel-0.9-1.2.mga2
hplip-3.12.4-1.3.mga2
libhpip0-3.12.4-1.3.mga2
libhpip0-devel-3.12.4-1.3.mga2
libsane-hpaio1-3.12.4-1.3.mga2
hplip-model-data-3.12.4-1.3.mga2
hplip-gui-3.12.4-1.3.mga2
hplip-hpijs-3.12.4-1.3.mga2
hplip-hpijs-ppds-3.12.4-1.3.mga2
hplip-doc-3.12.4-1.3.mga2
rtkit-0.10-3.1.mga2
systemd-44-13.1.mga2
systemd-tools-44-13.1.mga2
systemd-units-44-13.1.mga2
systemd-sysvinit-44-13.1.mga2
libsystemd-daemon0-44-13.1.mga2
libsystemd-daemon0-devel-44-13.1.mga2
libsystemd-login0-44-13.1.mga2
libsystemd-login0-devel-44-13.1.mga2
libsystemd-journal0-44-13.1.mga2
libsystemd-journal0-devel-44-13.1.mga2
libsystemd-id1280-44-13.1.mga2
libsystemd-id1280-devel-44-13.1.mga2
polkit-0.107-6.1.mga3
polkit-desktop-policy-0.107-6.1.mga3
libpolkit1_0-0.107-6.1.mga3
libpolkit-gir1.0-0.107-6.1.mga3
libpolkit1-devel-0.107-6.1.mga3
libvirt0-1.0.2-8.2.mga3
libvirt-devel-1.0.2-8.2.mga3
python-libvirt-1.0.2-8.2.mga3
libvirt-utils-1.0.2-8.2.mga3
spice-gtk-0.15-3.1.mga3
libspice-client-glib2.0_8-0.15-3.1.mga3
libspice-client-glib-gir2.0-0.15-3.1.mga3
libspice-client-gtk2.0_4-0.15-3.1.mga3
libspice-client-gtk-gir2.0-0.15-3.1.mga3
libspice-client-gtk3.0_4-0.15-3.1.mga3
libspice-client-gtk-gir3.0-0.15-3.1.mga3
libspice-controller0-0.15-3.1.mga3
python-spice-client-gtk-0.15-3.1.mga3
libspice-gtk-devel-0.15-3.1.mga3
hplip-3.12.9-6.1.mga3
libhpip0-3.12.9-6.1.mga3
libhpip0-devel-3.12.9-6.1.mga3
libsane-hpaio1-3.12.9-6.1.mga3
hplip-model-data-3.12.9-6.1.mga3
hplip-gui-3.12.9-6.1.mga3
hplip-hpijs-3.12.9-6.1.mga3
hplip-hpijs-ppds-3.12.9-6.1.mga3
hplip-doc-3.12.9-6.1.mga3
rtkit-0.11-3.1.mga3
systemd-195-22.1.mga3
systemd-tools-195-22.1.mga3
systemd-units-195-22.1.mga3
python-systemd-195-22.1.mga3
systemd-devel-195-22.1.mga3
libsystemd-daemon0-195-22.1.mga3
libsystemd-login0-195-22.1.mga3
libsystemd-journal0-195-22.1.mga3
libsystemd-id128_0-195-22.1.mga3
libudev1-195-22.1.mga3
libudev-devel-195-22.1.mga3
libgudev1.0_0-195-22.1.mga3
libgudev-gir1.0-195-22.1.mga3
libgudev1.0-devel-195-22.1.mga3

from SRPMS:
polkit-0.104-4.2.mga2.src.rpm
libvirt-0.9.12-1.mga2.src.rpm
spice-gtk-0.9-1.2.mga2.src.rpm
hplip-3.12.4-1.3.mga2.src.rpm
rtkit-0.10-3.1.mga2.src.rpm
systemd-44-13.1.mga2.src.rpm
polkit-0.107-6.1.mga3.src.rpm
libvirt-1.0.2-8.2.mga3.src.rpm
spice-gtk-0.15-3.1.mga3.src.rpm
hplip-3.12.9-6.1.mga3.src.rpm
rtkit-0.11-3.1.mga3.src.rpm
systemd-195-22.1.mga3.src.rpm
Comment 9 David Walser 2013-09-23 15:59:52 CEST
Note that there are two other CVEs that we're fixing in libvirt, so I'll make a new bug for that one and not include it in this update.

Advisory:
========================

Updated polkit packages fix security vulnerability:

A race condition was found in the way the PolicyKit pkcheck utility
checked process authorization when the process was specified by its process
ID via the --process option. A local user could use this flaw to bypass
intended PolicyKit authorizations and escalate their privileges
(CVE-2013-4288).

Note: Applications that invoke pkcheck with the --process option need to be
modified to use the pid,pid-start-time,uid argument for that option, to
allow pkcheck to check process authorization correctly.

Because of the change in the PolicyKit API, the spice-gtk (CVE-2013-4324),
hplip (CVE-2013-4325), rtkit (CVE-2013-4326), and systemd (CVE-2013-4327)
packages have been updated to use a different API that is not affected by
this PolicyKit vulnerability.  The libvirt package will also be updated for
the same reason, but this update will come in a separate advisory.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4327
https://rhn.redhat.com/errata/RHSA-2013-1270.html
https://rhn.redhat.com/errata/RHSA-2013-1273.html
https://rhn.redhat.com/errata/RHSA-2013-1274.html
http://www.ubuntu.com/usn/usn-1959-1/
http://www.ubuntu.com/usn/usn-1961-1/
========================

Updated packages in core/updates_testing:
========================
polkit-0.104-4.2.mga2
polkit-desktop-policy-0.104-4.2.mga2
libpolkit1_0-0.104-4.2.mga2
libpolkit-gir1.0-0.104-4.2.mga2
libpolkit1-devel-0.104-4.2.mga2
spice-gtk-0.9-1.2.mga2
libspice-client-glib2.0_1-0.9-1.2.mga2
libspice-client-glib-gir2.0-0.9-1.2.mga2
libspice-client-gtk3.0_1-0.9-1.2.mga2
libspice-client-gtk-gir3.0-0.9-1.2.mga2
libspice-controller0-0.9-1.2.mga2
libspice-gtk-devel-0.9-1.2.mga2
hplip-3.12.4-1.3.mga2
libhpip0-3.12.4-1.3.mga2
libhpip0-devel-3.12.4-1.3.mga2
libsane-hpaio1-3.12.4-1.3.mga2
hplip-model-data-3.12.4-1.3.mga2
hplip-gui-3.12.4-1.3.mga2
hplip-hpijs-3.12.4-1.3.mga2
hplip-hpijs-ppds-3.12.4-1.3.mga2
hplip-doc-3.12.4-1.3.mga2
rtkit-0.10-3.1.mga2
systemd-44-13.1.mga2
systemd-tools-44-13.1.mga2
systemd-units-44-13.1.mga2
systemd-sysvinit-44-13.1.mga2
libsystemd-daemon0-44-13.1.mga2
libsystemd-daemon0-devel-44-13.1.mga2
libsystemd-login0-44-13.1.mga2
libsystemd-login0-devel-44-13.1.mga2
libsystemd-journal0-44-13.1.mga2
libsystemd-journal0-devel-44-13.1.mga2
libsystemd-id1280-44-13.1.mga2
libsystemd-id1280-devel-44-13.1.mga2
polkit-0.107-6.1.mga3
polkit-desktop-policy-0.107-6.1.mga3
libpolkit1_0-0.107-6.1.mga3
libpolkit-gir1.0-0.107-6.1.mga3
libpolkit1-devel-0.107-6.1.mga3
spice-gtk-0.15-3.1.mga3
libspice-client-glib2.0_8-0.15-3.1.mga3
libspice-client-glib-gir2.0-0.15-3.1.mga3
libspice-client-gtk2.0_4-0.15-3.1.mga3
libspice-client-gtk-gir2.0-0.15-3.1.mga3
libspice-client-gtk3.0_4-0.15-3.1.mga3
libspice-client-gtk-gir3.0-0.15-3.1.mga3
libspice-controller0-0.15-3.1.mga3
python-spice-client-gtk-0.15-3.1.mga3
libspice-gtk-devel-0.15-3.1.mga3
hplip-3.12.9-6.1.mga3
libhpip0-3.12.9-6.1.mga3
libhpip0-devel-3.12.9-6.1.mga3
libsane-hpaio1-3.12.9-6.1.mga3
hplip-model-data-3.12.9-6.1.mga3
hplip-gui-3.12.9-6.1.mga3
hplip-hpijs-3.12.9-6.1.mga3
hplip-hpijs-ppds-3.12.9-6.1.mga3
hplip-doc-3.12.9-6.1.mga3
rtkit-0.11-3.1.mga3
systemd-195-22.1.mga3
systemd-tools-195-22.1.mga3
systemd-units-195-22.1.mga3
python-systemd-195-22.1.mga3
systemd-devel-195-22.1.mga3
libsystemd-daemon0-195-22.1.mga3
libsystemd-login0-195-22.1.mga3
libsystemd-journal0-195-22.1.mga3
libsystemd-id128_0-195-22.1.mga3
libudev1-195-22.1.mga3
libudev-devel-195-22.1.mga3
libgudev1.0_0-195-22.1.mga3
libgudev-gir1.0-195-22.1.mga3
libgudev1.0-devel-195-22.1.mga3

from SRPMS:
polkit-0.104-4.2.mga2.src.rpm
spice-gtk-0.9-1.2.mga2.src.rpm
hplip-3.12.4-1.3.mga2.src.rpm
rtkit-0.10-3.1.mga2.src.rpm
systemd-44-13.1.mga2.src.rpm
polkit-0.107-6.1.mga3.src.rpm
spice-gtk-0.15-3.1.mga3.src.rpm
hplip-3.12.9-6.1.mga3.src.rpm
rtkit-0.11-3.1.mga3.src.rpm
systemd-195-22.1.mga3.src.rpm
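The advisory above tells callers of pkcheck to stop passing a bare PID to --process and to pass the pid,pid-start-time,uid triple instead, so that the authorization check is bound to one specific incarnation of a process rather than to a PID number that can be recycled. As an added example (it is not part of this bug report and not code from polkit or Mageia), the POSIX shell helper below derives that triple from /proc for a given PID, following the field layout documented in proc(5). The function names pkcheck_subject, pkcheck_process, parse_starttime and parse_real_uid, and the sample /proc lines, are constructed for this illustration.

```shell
#!/bin/sh
# Added example: build the "pid,pid-start-time,uid" subject that the patched
# pkcheck expects for --process.  Assumes the /proc layout from proc(5).

# parse_starttime STAT_LINE
# Prints field 22 (starttime, clock ticks since boot) of a /proc/PID/stat line.
# The comm field (2) is parenthesised and may contain spaces, so cut at the
# last ") " and count from there: overall field 22 is field 20 of the rest.
parse_starttime() {
    printf '%s\n' "$1" | sed 's/^.*) //' | awk '{ print $20 }'
}

# parse_real_uid STATUS_TEXT
# Prints the real UID (first value on the "Uid:" line of /proc/PID/status).
parse_real_uid() {
    printf '%s\n' "$1" | awk '/^Uid:/ { print $2; exit }'
}

# pkcheck_subject PID
# Prints "pid,start-time,uid" for a live process; fails if the process is gone.
pkcheck_subject() {
    pid=$1
    stat_line=$(cat "/proc/$pid/stat" 2>/dev/null) || return 1
    status_text=$(cat "/proc/$pid/status" 2>/dev/null) || return 1
    printf '%s,%s,%s\n' "$pid" \
        "$(parse_starttime "$stat_line")" \
        "$(parse_real_uid "$status_text")"
}

# pkcheck_process ACTION_ID PID
# Racy form the advisory warns about:  pkcheck --action-id ACTION --process PID
# Form the advisory requires instead:   pkcheck --action-id ACTION --process pid,start-time,uid
pkcheck_process() {
    subject=$(pkcheck_subject "$2") || return 1
    pkcheck --action-id "$1" --process "$subject"
}

# Constructed sample /proc/PID/stat line (not captured from a real system);
# its field 22 (starttime) is 98765.
SAMPLE_STAT='1234 (my proc) S 1 1234 1234 0 -1 4194560 100 0 0 0 5 3 0 0 20 0 1 0 98765 1234567 100'
# Constructed sample /proc/PID/status excerpt; real UID is 1000.
SAMPLE_STATUS='Name:   my proc
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000'

# Stand-alone demo: print the subject string for this shell's own PID.
if [ -r "/proc/$$/stat" ]; then
    pkcheck_subject "$$"
fi
```

The start time is what closes the race: if the process whose PID was captured exits and the PID is reused before pkcheck runs, the new process has a different start time and the check fails instead of authorizing the wrong subject. This only helps when pkcheck itself is the patched version that understands the three-field form, which is why the advisory updates polkit and its callers together.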
Comment 10 claire robinson 2013-09-25 08:38:41 CEST
No PoC so just test generally that services are started as normal, login/out is ok, filesystems can be mounted, shutdown/reboot still work, gparted asks to start as root etc.

libvirt and spice can be tested with virt-manager. spice was updated not so long ago. See bug 10987 comment 6 and 7 for testing.

hplip usually gets an email to dev asking for testers. I'll add some people who have the hardware, from last update when we know all the rest is ok.
Comment 11 claire robinson 2013-09-25 08:46:26 CEST
Temporarily adding /^glibc/ to /etc/urpmi/skip.list allows you to use MageiaUpdate to select packages without installing glibc yet. As we don't have a bug for it, it may not be ready to install.

Remember to remove it again afterwards.
Comment 12 claire robinson 2013-09-25 08:49:43 CEST
Packages listed in alphabetical order.

hplip-3.12.4-1.3.mga2
hplip-doc-3.12.4-1.3.mga2
hplip-gui-3.12.4-1.3.mga2
hplip-hpijs-3.12.4-1.3.mga2
hplip-hpijs-ppds-3.12.4-1.3.mga2
hplip-model-data-3.12.4-1.3.mga2
libhpip0-3.12.4-1.3.mga2
libhpip0-devel-3.12.4-1.3.mga2
libpolkit-gir1.0-0.104-4.2.mga2
libpolkit1-devel-0.104-4.2.mga2
libpolkit1_0-0.104-4.2.mga2
libsane-hpaio1-3.12.4-1.3.mga2
libspice-client-glib-gir2.0-0.9-1.2.mga2
libspice-client-glib2.0_1-0.9-1.2.mga2
libspice-client-gtk-gir3.0-0.9-1.2.mga2
libspice-client-gtk3.0_1-0.9-1.2.mga2
libspice-controller0-0.9-1.2.mga2
libspice-gtk-devel-0.9-1.2.mga2
libsystemd-daemon0-44-13.1.mga2
libsystemd-daemon0-devel-44-13.1.mga2
libsystemd-id1280-44-13.1.mga2
libsystemd-id1280-devel-44-13.1.mga2
libsystemd-journal0-44-13.1.mga2
libsystemd-journal0-devel-44-13.1.mga2
libsystemd-login0-44-13.1.mga2
libsystemd-login0-devel-44-13.1.mga2
polkit-0.104-4.2.mga2
polkit-desktop-policy-0.104-4.2.mga2
rtkit-0.10-3.1.mga2
spice-gtk-0.9-1.2.mga2
systemd-44-13.1.mga2
systemd-sysvinit-44-13.1.mga2
systemd-tools-44-13.1.mga2
systemd-units-44-13.1.mga2


hplip-3.12.9-6.1.mga3
hplip-doc-3.12.9-6.1.mga3
hplip-gui-3.12.9-6.1.mga3
hplip-hpijs-3.12.9-6.1.mga3
hplip-hpijs-ppds-3.12.9-6.1.mga3
hplip-model-data-3.12.9-6.1.mga3
libgudev-gir1.0-195-22.1.mga3
libgudev1.0-devel-195-22.1.mga3
libgudev1.0_0-195-22.1.mga3
libhpip0-3.12.9-6.1.mga3
libhpip0-devel-3.12.9-6.1.mga3
libpolkit-gir1.0-0.107-6.1.mga3
libpolkit1-devel-0.107-6.1.mga3
libpolkit1_0-0.107-6.1.mga3
libsane-hpaio1-3.12.9-6.1.mga3
libspice-client-glib-gir2.0-0.15-3.1.mga3
libspice-client-glib2.0_8-0.15-3.1.mga3
libspice-client-gtk-gir2.0-0.15-3.1.mga3
libspice-client-gtk-gir3.0-0.15-3.1.mga3
libspice-client-gtk2.0_4-0.15-3.1.mga3
libspice-client-gtk3.0_4-0.15-3.1.mga3
libspice-controller0-0.15-3.1.mga3
libspice-gtk-devel-0.15-3.1.mga3
libsystemd-daemon0-195-22.1.mga3
libsystemd-id128_0-195-22.1.mga3
libsystemd-journal0-195-22.1.mga3
libsystemd-login0-195-22.1.mga3
libudev-devel-195-22.1.mga3
libudev1-195-22.1.mga3
polkit-0.107-6.1.mga3
polkit-desktop-policy-0.107-6.1.mga3
python-spice-client-gtk-0.15-3.1.mga3
python-systemd-195-22.1.mga3
rtkit-0.11-3.1.mga3
spice-gtk-0.15-3.1.mga3
systemd-195-22.1.mga3
systemd-devel-195-22.1.mga3
systemd-tools-195-22.1.mga3
systemd-units-195-22.1.mga3
Comment 13 claire robinson 2013-09-25 10:18:59 CEST
Testing mga3 64

Systemd & polkit seem fine. Testing libvirt (bug 11274) and spice momentarily.
Comment 14 claire robinson 2013-09-25 12:41:54 CEST
Tested spice with libvirtd as in comment 10.

Testing complete mga3 64 apart from hplip
Comment 15 Bill Wilkinson 2013-09-26 02:39:58 CEST
Tested Mga3-32

Login/out/reboot OK
Services start OK
mounted fat32 usb stick OK

printed a document on laserjet 6l, scanned with scanjet 5p, all OK.

should be OK if spice and libvirt work, will leave that for others.
Comment 16 Bill Wilkinson 2013-09-26 03:27:37 CEST
Tested mga2-32 as above.  All OK including hplip.

Will leave spice and libvirt for someone else as disk space is at a premium on my 32 bit machine.
Comment 17 claire robinson 2013-09-26 09:38:22 CEST
Testing complete mga2 64 apart from hplip
Comment 18 Stephen Butler 2013-09-26 10:32:26 CEST
Testing with both hplip and polkit was done successfully.
mga3-32
Comment 19 Oden Eriksson 2013-09-27 09:30:37 CEST
polkit PoC: http://www.openwall.com/lists/oss-security/2013/09/18/4
Comment 20 claire robinson 2013-09-27 15:01:08 CEST
Testing complete mga3 32
Comment 21 Dave Hodgins 2013-09-30 20:55:32 CEST
Advisory committed to svn.

Someone from the sysadmin team please push 11260.adv to updates.
Comment 22 Thomas Backlund 2013-10-05 20:02:18 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0293.html