Fedora has issued an advisory on May 19: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I67VJR2IU7J7Z6U4O6XWOSSIJXN4STGG/ The security bug fixed in that update is this one: https://bugzilla.redhat.com/show_bug.cgi?id=1276639 Mageia 5 may also be affected.
Patch to fix it: https://bugzilla.suse.com/show_bug.cgi?id=951830#c4 Mageia 5 is affected. 3.2.1 in Cauldron already has the fix.
Version: Cauldron => 5
Advisory: ======================== Updated cinnamon-settings-daemon packages fix security vulnerability: It was found that csd-datetime-setting SetDate DBUS function does not check the polkit authorization for the caller, Unlike SetTime. References: https://bugzilla.redhat.com/show_bug.cgi?id=1276639 https://bugzilla.suse.com/show_bug.cgi?id=951830 ======================== Updated packages in core/updates_testing: ======================== cinnamon-settings-daemon-2.4.3-2.1.mga5 cinnamon-settings-daemon-devel-2.4.3-2.1.mga5 from cinnamon-settings-daemon-2.4.3-2.1.mga5.src.rpm
Assignee: joequant => qa-bugs
$ uname -a Linux localhost.localdomain 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 08:33:18 UTC 2017 i686 i686 i686 GNU/Linux The following 4 packages are going to be installed: - cinnamon-settings-daemon-2.4.3-2.1.mga5.i586 - cinnamon-settings-daemon-devel-2.4.3-2.1.mga5.i586 - libdbus-devel-1.8.20-1.mga5.i586 - libdbus-glib-0.102-4.mga5.i586 1.4MB of additional disk space will be used. 1.3MB of packages will be retrieved. Is it ok to continue? Clicked on date/time on menu as well as going into mageia center. This entity uses internet protocol and everything functioned as designed.
CC: (none) => brtians1Whiteboard: (none) => mga5-32-ok
Testing MGA5 64-bit Updated the package to: cinnamon-settings-daemon-2.4.3-2.1.mga5 Have also a host of libdbus pkgs; are they relevant? lib64dbus-glib1_2-0.102-4.mga5 lib64dbus1_3-1.8.20-1.mga5 lib64dbusglib-gir1.0-1.42.0-3.mga5 lib64dbusmenu-qt2-0.9.2-5.mga5 Using Cinnamon desktop, tried the date/time application from both the systray icon (clicking the time, then 'configure date/time' button) and menu-Tools-Date/Time. Then clicking the 'unlock' button of the display popped up a dialogue for root password. I thought this is what was meant (now) to happen. OTOH if this is not a valid test, please can somebody advise how to do better. My system does *not* get its time from the Internet, just the hardware clock.
CC: (none) => lewyssmith
OKing for 64-bit. Validating, advisory uploaded.
Whiteboard: mga5-32-ok => mga5-32-ok advisory MGA5-64-OKKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0218.html
Status: NEW => RESOLVEDResolution: (none) => FIXED