Several packages need to be fixed for this. If I understand it correctly, the change in polkit to fix this causes an API change, forcing other software using this part of the API to be adapted.

More info: http://www.openwall.com/lists/oss-security/2013/09/18/6 which lists the following CVEs and affected packages:

CVE-2013-4288 polkit: unix-process subject for authorization is racy
CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
CVE-2013-4324 spice-gtk: use of insecure polkit libgobject-1 API
CVE-2013-4325 hplip: use of insecure polkit DBUS API
CVE-2013-4326 rtkit: use of insecure polkit DBUS API
CVE-2013-4327 systemd: use of insecure polkit DBUS API

Some fixes have already hit LWN:
polkit - http://lwn.net/Vulnerabilities/567524/
libvirt - http://lwn.net/Vulnerabilities/567522/
hplip - http://lwn.net/Vulnerabilities/567517/
rtkit - http://lwn.net/Vulnerabilities/567525/
systemd - http://lwn.net/Vulnerabilities/567528/
CC: (none) => doktor5000, joequant, mageia, nicolas.lecureuil
Whiteboard: (none) => MGA3TOO, MGA2TOO
I should also mention that a new spice-gtk version is out upstream (0.21) that we need to update Cauldron to. The freecode (formerly freshmeat) release announcement lists another polkit CVE that we fixed in 2011 (Bug 1298). I'm not sure if that's correct. http://freecode.com/projects/spice-gtk/releases/357869
spice-gtk - http://lwn.net/Vulnerabilities/567693/
OK, so Cauldron has been updated with new polkit and systemd already, and I've today submitted patched rtkit, hplip and libvirt and updated spice-gtk to 0.21.

I've applied patches for everything listed above in MGA3 *except* libvirt. The patching process there will take some time and I'm not very familiar with the software. I would advise that we should update to 1.0.5.6 instead (this is what Fedora has done). I have prepared a 1.0.5.6 build (not actually built, but dropped upstream patches and confirmed everything applies - it fails to build under cauldron due to automake but I'm sure it would work with minimal changes under mga3).

* polkit-0.107-6.1.mga3
* spice-gtk-0.15-3.1.mga3
* hplip-3.12.9-6.1.mga3
* rtkit-0.11-3.1.mga3
* systemd-195-22.1.mga3

I've not yet looked at MGA2.
Now looked at Mageia 2 - same deal as mga3 re libvirt, I would suggest we update to 0.9.12 and apply all patches on the v0.9.12-maint branch: http://libvirt.org/git/?p=libvirt.git;a=shortlog;h=refs/heads/v0.9.12-maint

And to be fair re: mga3, we could use the v1.0.2-maint branch upstream for patches which may be safer than updating to 1.0.5.6 as suggested above.

* polkit-0.104-4.2.mga2
* spice-gtk-0.9-1.2.mga2
* hplip-3.12.4-1.3.mga2
* rtkit-0.10-3.1.mga2
* systemd-44-13.1.mga2
And I've now updated mga2 & 3 libvirt:

* libvirt-1.0.2-8.2.mga3

So this does indeed bump the libvirt version from 0.9.10 to 0.9.12 under mga2. But both mga2 and mga3 now have all patches from their respective upstream "-maint" branches applied.

Sadly the mga2 is not currently building, but I will hopefully solve that soon.
OK, so I've now fixed the mga2 build, but it has some spec filelist issues which I cannot easily resolve without having an mga2 machine/chroot handy which I don't currently have. If someone could fix it easily that would be great, otherwise I'll take a look tomorrow.
Right, I studied the configure.ac this morning and noticed the missing buildreq that was causing problems on mga2 build and it's now ready.

* libvirt-0.9.12-1.mga2

Keep in mind this is updated from 0.9.10 and also has several other bugfixes on top.

From my perspective all the required patches are now applied and testing packages built.
Thank you so much Colin for taking care of this!

Assigning to QA, advisory to follow.

Here's the packages list:
------------------------
polkit-0.104-4.2.mga2
polkit-desktop-policy-0.104-4.2.mga2
libpolkit1_0-0.104-4.2.mga2
libpolkit-gir1.0-0.104-4.2.mga2
libpolkit1-devel-0.104-4.2.mga2
libvirt0-0.9.12-1.mga2
libvirt-devel-0.9.12-1.mga2
libvirt-static-devel-0.9.12-1.mga2
python-libvirt-0.9.12-1.mga2
libvirt-utils-0.9.12-1.mga2
spice-gtk-0.9-1.2.mga2
libspice-client-glib2.0_1-0.9-1.2.mga2
libspice-client-glib-gir2.0-0.9-1.2.mga2
libspice-client-gtk3.0_1-0.9-1.2.mga2
libspice-client-gtk-gir3.0-0.9-1.2.mga2
libspice-controller0-0.9-1.2.mga2
libspice-gtk-devel-0.9-1.2.mga2
hplip-3.12.4-1.3.mga2
libhpip0-3.12.4-1.3.mga2
libhpip0-devel-3.12.4-1.3.mga2
libsane-hpaio1-3.12.4-1.3.mga2
hplip-model-data-3.12.4-1.3.mga2
hplip-gui-3.12.4-1.3.mga2
hplip-hpijs-3.12.4-1.3.mga2
hplip-hpijs-ppds-3.12.4-1.3.mga2
hplip-doc-3.12.4-1.3.mga2
rtkit-0.10-3.1.mga2
systemd-44-13.1.mga2
systemd-tools-44-13.1.mga2
systemd-units-44-13.1.mga2
systemd-sysvinit-44-13.1.mga2
libsystemd-daemon0-44-13.1.mga2
libsystemd-daemon0-devel-44-13.1.mga2
libsystemd-login0-44-13.1.mga2
libsystemd-login0-devel-44-13.1.mga2
libsystemd-journal0-44-13.1.mga2
libsystemd-journal0-devel-44-13.1.mga2
libsystemd-id1280-44-13.1.mga2
libsystemd-id1280-devel-44-13.1.mga2
polkit-0.107-6.1.mga3
polkit-desktop-policy-0.107-6.1.mga3
libpolkit1_0-0.107-6.1.mga3
libpolkit-gir1.0-0.107-6.1.mga3
libpolkit1-devel-0.107-6.1.mga3
libvirt0-1.0.2-8.2.mga3
libvirt-devel-1.0.2-8.2.mga3
python-libvirt-1.0.2-8.2.mga3
libvirt-utils-1.0.2-8.2.mga3
spice-gtk-0.15-3.1.mga3
libspice-client-glib2.0_8-0.15-3.1.mga3
libspice-client-glib-gir2.0-0.15-3.1.mga3
libspice-client-gtk2.0_4-0.15-3.1.mga3
libspice-client-gtk-gir2.0-0.15-3.1.mga3
libspice-client-gtk3.0_4-0.15-3.1.mga3
libspice-client-gtk-gir3.0-0.15-3.1.mga3
libspice-controller0-0.15-3.1.mga3
python-spice-client-gtk-0.15-3.1.mga3
libspice-gtk-devel-0.15-3.1.mga3
hplip-3.12.9-6.1.mga3
libhpip0-3.12.9-6.1.mga3
libhpip0-devel-3.12.9-6.1.mga3
libsane-hpaio1-3.12.9-6.1.mga3
hplip-model-data-3.12.9-6.1.mga3
hplip-gui-3.12.9-6.1.mga3
hplip-hpijs-3.12.9-6.1.mga3
hplip-hpijs-ppds-3.12.9-6.1.mga3
hplip-doc-3.12.9-6.1.mga3
rtkit-0.11-3.1.mga3
systemd-195-22.1.mga3
systemd-tools-195-22.1.mga3
systemd-units-195-22.1.mga3
python-systemd-195-22.1.mga3
systemd-devel-195-22.1.mga3
libsystemd-daemon0-195-22.1.mga3
libsystemd-login0-195-22.1.mga3
libsystemd-journal0-195-22.1.mga3
libsystemd-id128_0-195-22.1.mga3
libudev1-195-22.1.mga3
libudev-devel-195-22.1.mga3
libgudev1.0_0-195-22.1.mga3
libgudev-gir1.0-195-22.1.mga3
libgudev1.0-devel-195-22.1.mga3

from SRPMS:
polkit-0.104-4.2.mga2.src.rpm
libvirt-0.9.12-1.mga2.src.rpm
spice-gtk-0.9-1.2.mga2.src.rpm
hplip-3.12.4-1.3.mga2.src.rpm
rtkit-0.10-3.1.mga2.src.rpm
systemd-44-13.1.mga2.src.rpm
polkit-0.107-6.1.mga3.src.rpm
libvirt-1.0.2-8.2.mga3.src.rpm
spice-gtk-0.15-3.1.mga3.src.rpm
hplip-3.12.9-6.1.mga3.src.rpm
rtkit-0.11-3.1.mga3.src.rpm
systemd-195-22.1.mga3.src.rpm
Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Note that there are two other CVEs that we're fixing in libvirt, so I'll make a new bug for that one and not include it in this update.

Advisory:
========================

Updated polkit packages fix security vulnerability:

A race condition was found in the way the PolicyKit pkcheck utility checked process authorization when the process was specified by its process ID via the --process option. A local user could use this flaw to bypass intended PolicyKit authorizations and escalate their privileges (CVE-2013-4288).

Note: Applications that invoke pkcheck with the --process option need to be modified to use the pid,pid-start-time,uid argument for that option, to allow pkcheck to check process authorization correctly.

Because of the change in the PolicyKit API, the spice-gtk (CVE-2013-4324), hplip (CVE-2013-4325), rtkit (CVE-2013-4326), and systemd (CVE-2013-4327) packages have been updated to use a different API that is not affected by this PolicyKit vulnerability.

The libvirt package will also be updated for the same reason, but this update will come in a separate advisory.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4327
https://rhn.redhat.com/errata/RHSA-2013-1270.html
https://rhn.redhat.com/errata/RHSA-2013-1273.html
https://rhn.redhat.com/errata/RHSA-2013-1274.html
http://www.ubuntu.com/usn/usn-1959-1/
http://www.ubuntu.com/usn/usn-1961-1/
========================

Updated packages in core/updates_testing:
========================
polkit-0.104-4.2.mga2
polkit-desktop-policy-0.104-4.2.mga2
libpolkit1_0-0.104-4.2.mga2
libpolkit-gir1.0-0.104-4.2.mga2
libpolkit1-devel-0.104-4.2.mga2
spice-gtk-0.9-1.2.mga2
libspice-client-glib2.0_1-0.9-1.2.mga2
libspice-client-glib-gir2.0-0.9-1.2.mga2
libspice-client-gtk3.0_1-0.9-1.2.mga2
libspice-client-gtk-gir3.0-0.9-1.2.mga2
libspice-controller0-0.9-1.2.mga2
libspice-gtk-devel-0.9-1.2.mga2
hplip-3.12.4-1.3.mga2
libhpip0-3.12.4-1.3.mga2
libhpip0-devel-3.12.4-1.3.mga2
libsane-hpaio1-3.12.4-1.3.mga2
hplip-model-data-3.12.4-1.3.mga2
hplip-gui-3.12.4-1.3.mga2
hplip-hpijs-3.12.4-1.3.mga2
hplip-hpijs-ppds-3.12.4-1.3.mga2
hplip-doc-3.12.4-1.3.mga2
rtkit-0.10-3.1.mga2
systemd-44-13.1.mga2
systemd-tools-44-13.1.mga2
systemd-units-44-13.1.mga2
systemd-sysvinit-44-13.1.mga2
libsystemd-daemon0-44-13.1.mga2
libsystemd-daemon0-devel-44-13.1.mga2
libsystemd-login0-44-13.1.mga2
libsystemd-login0-devel-44-13.1.mga2
libsystemd-journal0-44-13.1.mga2
libsystemd-journal0-devel-44-13.1.mga2
libsystemd-id1280-44-13.1.mga2
libsystemd-id1280-devel-44-13.1.mga2
polkit-0.107-6.1.mga3
polkit-desktop-policy-0.107-6.1.mga3
libpolkit1_0-0.107-6.1.mga3
libpolkit-gir1.0-0.107-6.1.mga3
libpolkit1-devel-0.107-6.1.mga3
spice-gtk-0.15-3.1.mga3
libspice-client-glib2.0_8-0.15-3.1.mga3
libspice-client-glib-gir2.0-0.15-3.1.mga3
libspice-client-gtk2.0_4-0.15-3.1.mga3
libspice-client-gtk-gir2.0-0.15-3.1.mga3
libspice-client-gtk3.0_4-0.15-3.1.mga3
libspice-client-gtk-gir3.0-0.15-3.1.mga3
libspice-controller0-0.15-3.1.mga3
python-spice-client-gtk-0.15-3.1.mga3
libspice-gtk-devel-0.15-3.1.mga3
hplip-3.12.9-6.1.mga3
libhpip0-3.12.9-6.1.mga3
libhpip0-devel-3.12.9-6.1.mga3
libsane-hpaio1-3.12.9-6.1.mga3
hplip-model-data-3.12.9-6.1.mga3
hplip-gui-3.12.9-6.1.mga3
hplip-hpijs-3.12.9-6.1.mga3
hplip-hpijs-ppds-3.12.9-6.1.mga3
hplip-doc-3.12.9-6.1.mga3
rtkit-0.11-3.1.mga3
systemd-195-22.1.mga3
systemd-tools-195-22.1.mga3
systemd-units-195-22.1.mga3
python-systemd-195-22.1.mga3
systemd-devel-195-22.1.mga3
libsystemd-daemon0-195-22.1.mga3
libsystemd-login0-195-22.1.mga3
libsystemd-journal0-195-22.1.mga3
libsystemd-id128_0-195-22.1.mga3
libudev1-195-22.1.mga3
libudev-devel-195-22.1.mga3
libgudev1.0_0-195-22.1.mga3
libgudev-gir1.0-195-22.1.mga3
libgudev1.0-devel-195-22.1.mga3

from SRPMS:
polkit-0.104-4.2.mga2.src.rpm
spice-gtk-0.9-1.2.mga2.src.rpm
hplip-3.12.4-1.3.mga2.src.rpm
rtkit-0.10-3.1.mga2.src.rpm
systemd-44-13.1.mga2.src.rpm
polkit-0.107-6.1.mga3.src.rpm
spice-gtk-0.15-3.1.mga3.src.rpm
hplip-3.12.9-6.1.mga3.src.rpm
rtkit-0.11-3.1.mga3.src.rpm
systemd-195-22.1.mga3.src.rpm
Blocks: (none) => 11274
Severity: normal => major
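The advisory's note about passing pid,pid-start-time,uid to pkcheck --process, shown as an added example (not part of the advisory or of any patched package): a shell helper that builds that subject string. It assumes the caller already holds the peer's PID and UID from credentials captured when the request arrived (such as SO_PEERCRED); the function names and the action id in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: build the "pid,pid-start-time,uid" subject that the
# advisory says callers must pass to `pkcheck --process`.

# stat_start_time STAT_CONTENT
# Print starttime (field 22 of /proc/PID/stat, see proc(5)).
# Field 2 (comm) is process-controlled and may contain spaces, ')' or
# newlines, so drop everything up to the LAST ") " before splitting.
stat_start_time() {
    rest=${1##*') '}
    [ "$rest" != "$1" ] || return 1     # no ") " found: not a stat line
    set -- $rest                        # $1 is now field 3 (state)
    [ "$#" -ge 20 ] || return 1
    shift 19                            # field 22 = 20th remaining field
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$1"
}

# pkcheck_subject PID UID [PROCROOT]
# PID and UID are assumed to come from credentials captured when the
# request arrived (e.g. SO_PEERCRED), not from a later /proc lookup.
# PROCROOT defaults to /proc and exists so the helper can be tested.
pkcheck_subject() {
    pid=$1 uid=$2 root=${3:-/proc}
    case $pid in ''|*[!0-9]*) return 2 ;; esac
    case $uid in ''|*[!0-9]*) return 2 ;; esac
    content=$(cat "$root/$pid/stat" 2>/dev/null) || return 1
    start=$(stat_start_time "$content") || return 1
    printf '%s,%s,%s\n' "$pid" "$start" "$uid"
}

# Usage (the action id is a placeholder):
#   subject=$(pkcheck_subject "$peer_pid" "$peer_uid") &&
#       pkcheck --action-id org.example.placeholder --process "$subject"
```

With the start time and UID pinned in the subject, a PID that has been reused or a process that has changed identity since the request no longer matches what pkcheck is asked about.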
No PoC so just test generally that services are started as normal, login/out is ok, filesystems can be mounted, shutdown/reboot still work, gparted asks to start as root etc.

libvirt and spice can be tested with virt-manager. spice was updated not so long ago. See bug 10987 comment 6 and 7 for testing.

hplip usually gets an email to dev asking for testers. I'll add some people who have the hardware, from last update when we know all the rest is ok.
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Temporarily adding /^glibc/ to /etc/urpmi/skip.list allows you to use MageiaUpdate to select packages without installing glibc yet. As we don't have a bug for it, it may not be ready to install. Remember to remove it again afterwards.
Packages listed in alphabetical order.

hplip-3.12.4-1.3.mga2
hplip-doc-3.12.4-1.3.mga2
hplip-gui-3.12.4-1.3.mga2
hplip-hpijs-3.12.4-1.3.mga2
hplip-hpijs-ppds-3.12.4-1.3.mga2
hplip-model-data-3.12.4-1.3.mga2
libhpip0-3.12.4-1.3.mga2
libhpip0-devel-3.12.4-1.3.mga2
libpolkit-gir1.0-0.104-4.2.mga2
libpolkit1-devel-0.104-4.2.mga2
libpolkit1_0-0.104-4.2.mga2
libsane-hpaio1-3.12.4-1.3.mga2
libspice-client-glib-gir2.0-0.9-1.2.mga2
libspice-client-glib2.0_1-0.9-1.2.mga2
libspice-client-gtk-gir3.0-0.9-1.2.mga2
libspice-client-gtk3.0_1-0.9-1.2.mga2
libspice-controller0-0.9-1.2.mga2
libspice-gtk-devel-0.9-1.2.mga2
libsystemd-daemon0-44-13.1.mga2
libsystemd-daemon0-devel-44-13.1.mga2
libsystemd-id1280-44-13.1.mga2
libsystemd-id1280-devel-44-13.1.mga2
libsystemd-journal0-44-13.1.mga2
libsystemd-journal0-devel-44-13.1.mga2
libsystemd-login0-44-13.1.mga2
libsystemd-login0-devel-44-13.1.mga2
polkit-0.104-4.2.mga2
polkit-desktop-policy-0.104-4.2.mga2
rtkit-0.10-3.1.mga2
spice-gtk-0.9-1.2.mga2
systemd-44-13.1.mga2
systemd-sysvinit-44-13.1.mga2
systemd-tools-44-13.1.mga2
systemd-units-44-13.1.mga2

hplip-3.12.9-6.1.mga3
hplip-doc-3.12.9-6.1.mga3
hplip-gui-3.12.9-6.1.mga3
hplip-hpijs-3.12.9-6.1.mga3
hplip-hpijs-ppds-3.12.9-6.1.mga3
hplip-model-data-3.12.9-6.1.mga3
libgudev-gir1.0-195-22.1.mga3
libgudev1.0-devel-195-22.1.mga3
libgudev1.0_0-195-22.1.mga3
libhpip0-3.12.9-6.1.mga3
libhpip0-devel-3.12.9-6.1.mga3
libpolkit-gir1.0-0.107-6.1.mga3
libpolkit1-devel-0.107-6.1.mga3
libpolkit1_0-0.107-6.1.mga3
libsane-hpaio1-3.12.9-6.1.mga3
libspice-client-glib-gir2.0-0.15-3.1.mga3
libspice-client-glib2.0_8-0.15-3.1.mga3
libspice-client-gtk-gir2.0-0.15-3.1.mga3
libspice-client-gtk-gir3.0-0.15-3.1.mga3
libspice-client-gtk2.0_4-0.15-3.1.mga3
libspice-client-gtk3.0_4-0.15-3.1.mga3
libspice-controller0-0.15-3.1.mga3
libspice-gtk-devel-0.15-3.1.mga3
libsystemd-daemon0-195-22.1.mga3
libsystemd-id128_0-195-22.1.mga3
libsystemd-journal0-195-22.1.mga3
libsystemd-login0-195-22.1.mga3
libudev-devel-195-22.1.mga3
libudev1-195-22.1.mga3
polkit-0.107-6.1.mga3
polkit-desktop-policy-0.107-6.1.mga3
python-spice-client-gtk-0.15-3.1.mga3
python-systemd-195-22.1.mga3
rtkit-0.11-3.1.mga3
spice-gtk-0.15-3.1.mga3
systemd-195-22.1.mga3
systemd-devel-195-22.1.mga3
systemd-tools-195-22.1.mga3
systemd-units-195-22.1.mga3
Testing mga3 64 Systemd & polkit seem fine. Testing libvirt (bug 11274) and spice momentarily.
Tested spice with libvirtd as in comment 10. Testing complete mga3 64 apart from hplip
Tested Mga3-32
Login/out/reboot OK
Services start OK
mounted fat32 usb stick OK
printed a document on laserjet 6l, scanned with scanjet 5p, all OK.
should be OK if spice and libvirt work, will leave that for others.
CC: (none) => wrw105
tested mga2-32 as above. All OK including hplip. Will leave spice and libvirt for someone else as disk space is at a premium on my 32 bit machine.
testing complete mga2 64 apart from hplip
Testing with both hplip and polkit was done successfully. mga3-32
CC: (none) => swbutler38
polkit PoC: http://www.openwall.com/lists/oss-security/2013/09/18/4
CC: (none) => oe
Testing complete mga3 32
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok
Advisory committed to svn. Someone from the sysadmin team please push 11260.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok mga2-32-ok
CC: (none) => davidwhodgins, sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0293.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED