Mageia Bugzilla – Bug 6626
accountsservice new security issue CVE-2012-2737
Last modified: 2012-07-10 01:55:43 CEST
Ubuntu has issued an advisory on June 28:
Jani Välimaa has fixed Cauldron by updating to 0.6.22.
I have uploaded a patched package for Mageia 2.
Updated accountsservice packages fix security vulnerability:
Florian Weimer discovered that AccountsService incorrectly handled
privileges when copying certain files to the system cache directory. A
local attacker could exploit this issue to read arbitrary files,
bypassing intended permissions (CVE-2012-2737).
Updated packages in core/updates_testing:
The service was installed, but disabled on my i586 system.
I've enabled the service with
systemctl enable accounts-daemon.service
After rebooting, checking with
systemd-analyze blame|grep account
So other than adding just under a second to the boot time,
what is the service used for?
Any suggestions for testing procedure? I've looked, but haven't
had any luck.
Fedora has issued an advisory for this on June 30:
If you take a look at the package URL, there is a "How to Test" section there.
The linked bugs may or may not have something interesting as well.
Thanks, but we don't have the accountsdialog package.
In Gnome, Tools/System Tools/User Accounts works whether the service
is running or not.
It sounds like it's used by GDM and LightDM to get the list of users.
I guess you could make sure the users on your system get displayed properly.
Olav, is there some other way accountsservice is used in GNOME we could test?
Based on urpmq --whatrequires accountsservice, it looks like gdm
I've switched from kdm to gdm, and confirmed that even if I disable
the accounts-daemon.service, on a restart of the dm, it does get
re-enabled and started.
So, since gdm is the only package we have that requires the package,
and given that gdm is working with the update, I'm ok with
considering the test completed on my i586 system.
Testing complete x86_64 mga2
Checked with gdm. Stopped the service, logged out. gdm starts the service.
Updated and did the same again.
No regressions noticed.
Please see comment 0 for advisory and srpm
Could sysadmin please push from core/updates_testing to core/updates
GDM indeed uses it (to determine the users IIRC). Think gnome-control-center also relies on it, though maybe it misses a dependency.