Bug 20900 - cinnamon-settings-daemon new security issue in csd-datetime
Summary: cinnamon-settings-daemon new security issue in csd-datetime
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga5-32-ok advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-20 22:17 CEST by David Walser
Modified: 2017-07-26 00:08 CEST

See Also:
Source RPM: cinnamon-settings-daemon-3.2.1-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-05-20 22:17:33 CEST
Fedora has issued an advisory on May 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I67VJR2IU7J7Z6U4O6XWOSSIJXN4STGG/

The security bug fixed in that update is this one:
https://bugzilla.redhat.com/show_bug.cgi?id=1276639

Mageia 5 may also be affected.
Comment 1 David Walser 2017-06-05 01:31:15 CEST
Patch to fix it:
https://bugzilla.suse.com/show_bug.cgi?id=951830#c4

Mageia 5 is affected.

3.2.1 in Cauldron already has the fix.
Comment 2 David Walser 2017-07-09 01:08:01 CEST
Advisory:
========================

Updated cinnamon-settings-daemon packages fix security vulnerability:

It was found that the csd-datetime-setting SetDate DBUS function does not check
the polkit authorization for the caller, unlike SetTime.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1276639
https://bugzilla.suse.com/show_bug.cgi?id=951830
========================

Updated packages in core/updates_testing:
========================
cinnamon-settings-daemon-2.4.3-2.1.mga5
cinnamon-settings-daemon-devel-2.4.3-2.1.mga5

from cinnamon-settings-daemon-2.4.3-2.1.mga5.src.rpm
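
Added example (not part of the original bug report, and not cinnamon-settings-daemon code): a simplified C model of the flaw the advisory describes, where one handler omits the authorization check its sibling performs, next to a dispatcher that enforces the check before any handler body runs. The action id, bus names, struct and function names are hypothetical, and the authz callback stands in for a polkit query.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define ACT_CONFIGURE "example.datetime.configure" /* placeholder action id */
/* Hypothetical stand-in for a polkit lookup: may `caller` perform `action`? */
typedef bool (*authz_fn)(const char *caller, const char *action);
struct clock_state { long epoch; };

/* Constructed policy for the demo: only bus name ":1.admin" is authorized. */
static bool demo_authz(const char *caller, const char *action) {
    return action && strcmp(caller, ":1.admin") == 0;
}

/* Flawed shape: every handler has to remember its own check. */
static int set_time_flawed(struct clock_state *c, authz_fn az, const char *caller, long t) {
    if (!az(caller, ACT_CONFIGURE)) return -1;   /* SetTime checks the caller */
    c->epoch = t;
    return 0;
}
static int set_date_flawed(struct clock_state *c, authz_fn az, const char *caller, long t) {
    (void)az; (void)caller;                      /* SetDate: check missing */
    c->epoch = t;
    return 0;
}

/* Hardened shape: the table names the required action, the dispatcher enforces it. */
struct method { const char *name; const char *action; };
static const struct method METHODS[] = {
    { "SetTime", ACT_CONFIGURE }, { "SetDate", ACT_CONFIGURE },
};
static int dispatch(struct clock_state *c, authz_fn az, const char *caller,
                    const char *name, long value) {
    for (size_t i = 0; i < sizeof METHODS / sizeof METHODS[0]; i++) {
        if (strcmp(METHODS[i].name, name) != 0) continue;
        if (!METHODS[i].action || !az(caller, METHODS[i].action)) return -1; /* denied */
        c->epoch = value;                        /* both methods set the clock */
        return 0;
    }
    return -2;                                   /* unknown method */
}

int main(void) {
    struct clock_state c = { 0 };
    int bad = set_time_flawed(&c, demo_authz, ":1.user", 1) != -1;        /* refused */
    bad |= set_date_flawed(&c, demo_authz, ":1.user", 86400) != 0;       /* flaw: accepted */
    bad |= dispatch(&c, demo_authz, ":1.user", "SetDate", 172800) != -1; /* refused */
    return bad;
}
```

A table entry with no action is refused rather than allowed, so a newly added method fails closed until its authorization requirement is declared.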
Comment 3 Brian Rockwell 2017-07-23 04:26:34 CEST
$ uname -a
Linux localhost.localdomain 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 08:33:18 UTC 2017 i686 i686 i686 GNU/Linux

The following 4 packages are going to be installed:

- cinnamon-settings-daemon-2.4.3-2.1.mga5.i586
- cinnamon-settings-daemon-devel-2.4.3-2.1.mga5.i586
- libdbus-devel-1.8.20-1.mga5.i586
- libdbus-glib-0.102-4.mga5.i586

1.4MB of additional disk space will be used.

1.3MB of packages will be retrieved.

Is it ok to continue?


Clicked on date/time on menu as well as going into Mageia center. This entity uses internet protocol and everything functioned as designed.
Comment 4 Lewis Smith 2017-07-23 08:20:14 CEST
Testing MGA5 64-bit

Updated the package to: cinnamon-settings-daemon-2.4.3-2.1.mga5
Have also a host of libdbus pkgs; are they relevant?
 lib64dbus-glib1_2-0.102-4.mga5
 lib64dbus1_3-1.8.20-1.mga5
 lib64dbusglib-gir1.0-1.42.0-3.mga5
 lib64dbusmenu-qt2-0.9.2-5.mga5

Using Cinnamon desktop, tried the date/time application from both the systray icon (clicking the time, then 'configure date/time' button) and menu-Tools-Date/Time. Then clicking the 'unlock' button of the display popped up a dialogue for root password. I thought this is what was meant (now) to happen.

OTOH if this is not a valid test, please can somebody advise how to do better. My system does *not* get its time from the Internet, just the hardware clock.
Comment 5 Lewis Smith 2017-07-25 09:27:48 CEST
OKing for 64-bit. Validating, advisory uploaded.
Comment 6 Mageia Robot 2017-07-26 00:08:05 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0218.html
