A CVE was allocated for a polkit-related security issue in KAuth:
http://openwall.com/lists/oss-security/2014/07/23/4

The Novell bug linked there has lots more information about the issue. In the 72nd comment, it was stated that patches have been merged upstream for KF5's kauth and kdelibs4 in 4.13 and 4.14, so Cauldron should be fixed the next time those packages are updated.

For Mageia 3 and Mageia 4, the patch will need to be added (it is attached in the 56th comment in the Novell bug).

CC: (none) => balcaen.john, mageia
Whiteboard: (none) => MGA3TOO
Depends on: (none) => 13826
KDE reference: http://www.kde.org/info/security/advisory-20140730-1.txt

Cauldron: kdelibs fixed with kdelibs4-4.13.95-1.mga5
Mageia 3: fixed in kdelibs4-4.10.5-1.2.mga3 pushed in updates_testing
update request in bug #13826
URL: (none) => http://www.kde.org/info/security/advisory-20140730-1.txt
Depends on: (none) => 13221
Ubuntu has issued an advisory for this today (July 31): http://www.ubuntu.com/usn/usn-2304-1/
URL: http://www.kde.org/info/security/advisory-20140730-1.txt => http://lwn.net/Vulnerabilities/607289/
This also affects polkit-qt-1 (Mageia 3, 4, and Cauldron) and polkit-qt5 (Cauldron).

Fedora has issued an advisory for this on August 21:
https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137844.html

Summary: kdelibs4 new security issue CVE-2014-5033 => kdelibs4/polkit-qt-1/polkit-qt5 new security issue CVE-2014-5033
Source RPM: kdelibs4-4.11.4-1.mga4.src.rpm => kdelibs4-4.11.4-1.mga4.src.rpm, polkit-qt-1-0.112.0-3.mga5.src.rpm, polkit-qt5-0.112.0-2.mga5.src.rpm
(In reply to David Walser from comment #3)
> This also affects polkit-qt-1 (Mageia 3, 4, and Cauldron) and polkit-qt5
> (Cauldron).

Cauldron already uses polkit-qt-1 0.112.0 used by Fedora in their update, so it doesn't seem affected.

> Fedora has issued an advisory for this on August 21:
> https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137844.html

I'm not sure that we absolutely need to update polkit-qt-1 to 0.112.0 for mga3 and mga4 now that we have updated kdelibs4 to use system-bus-name instead of pid based auth. Fedora doesn't seem to have updated kdelibs in this way like us or openSUSE.

I can easily update polkit-qt-1 to 0.112.0 in mga4. It's more complicated for mga3, because polkit-qt-1 0.112.0 requires CMake 2.8.11 or higher, and mga3 has only CMake 2.8.10.2.

Hardware: i586 => All
Source RPM: kdelibs4-4.11.4-1.mga4.src.rpm, polkit-qt-1-0.112.0-3.mga5.src.rpm, polkit-qt5-0.112.0-2.mga5.src.rpm => kdelibs4-4.11.4-1.mga4.src.rpm, polkit-qt-1-0.103.0
Summary: kdelibs4/polkit-qt-1/polkit-qt5 new security issue CVE-2014-5033 => kdelibs4/polkit-qt-1 new security issue CVE-2014-5033
Fixed in KDE 4.12.5
Status: NEW => RESOLVED
Resolution: (none) => FIXED