Bug 6626 - accountsservice new security issue CVE-2012-2737
Summary: accountsservice new security issue CVE-2012-2737
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/504292/
Whiteboard: mga2-32-OK mga2-64-OK
Keywords: validated_update
Reported: 2012-06-29 19:58 CEST by David Walser
Modified: 2012-07-10 01:55 CEST (History)
Source RPM: accountsservice-0.6.14-2.mga2.src.rpm

Description David Walser 2012-06-29 19:58:17 CEST
Ubuntu has issued an advisory on June 28:

Jani Välimaa has fixed Cauldron by updating to 0.6.22.

I have uploaded a patched package for Mageia 2.


Updated accountsservice packages fix security vulnerability:

Florian Weimer discovered that AccountsService incorrectly handled
privileges when copying certain files to the system cache directory. A
local attacker could exploit this issue to read arbitrary files,
bypassing intended permissions (CVE-2012-2737).


Updated packages in core/updates_testing:

from accountsservice-0.6.14-2.1.mga2.src.rpm
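A QA tester reading this report wants to know whether the package on a given Mageia 2 host is the fixed build (0.6.14-2.1.mga2 or later) or the original 0.6.14-2.mga2. The check below is an added example, not part of the bug report or of Mageia's tooling: it reimplements rpm's version-comparison rules (numeric segments beat alphabetic ones, `~` sorts before everything) so that `2.1.mga2` is correctly judged newer than `2.mga2`, which a plain string comparison gets wrong. The sample `rpm -q` outputs and the `.mga3` release string are constructed for illustration; only the two mga2 version-release strings come from the report.

```python
"""Added QA helper (not from the bug report): decide whether an installed
accountsservice package is at or beyond the release fixing CVE-2012-2737,
using rpm's version-comparison rules rather than plain string ordering."""
import re

# Fixed version-release named in comment 0 of the bug (no epoch on this package).
FIXED_VR = ("0.6.14", "2.1.mga2")

# Architecture suffixes that `rpm -q` appends to package names on Mageia 2.
ARCHES = {"i586", "x86_64", "noarch", "src"}


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm's rpmvercmp() does.

    Returns -1, 0 or 1. Segments are runs of digits or runs of letters; a
    numeric segment is newer than an alphabetic one, which is why "2.1.mga2"
    sorts after "2.mga2" even though 'm' > '1' as characters.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is neither alphanumeric nor '~'.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' (pre-release marker) sorts before everything, even end of string.
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not tb:
                return -1
            if not ta:
                return 1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a digit run from both strings, or a letter run from both.
        if a[i].isdigit():
            ma, mb = re.match(r"[0-9]+", a[i:]), re.match(r"[0-9]+", b[j:])
            isnum = True
        else:
            ma, mb = re.match(r"[A-Za-z]+", a[i:]), re.match(r"[A-Za-z]+", b[j:])
            isnum = False
        sa = ma.group(0)
        sb = mb.group(0) if mb else ""
        i += len(sa)
        j += len(sb)
        if not sb:
            # Segment types differ: the numeric side is the newer one.
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(pkg):
    """Split "accountsservice-0.6.14-2.1.mga2.i586" (or a .src.rpm file name)
    into (name, version, release), dropping a trailing ".rpm" and architecture."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    head, _, tail = pkg.rpartition(".")
    if tail in ARCHES:
        pkg = head
    name, _, release = pkg.rpartition("-")
    name, _, version = name.rpartition("-")
    if not (name and version and release):
        raise ValueError("not a name-version-release string: %r" % pkg)
    return name, version, release


def compare_vr(vr1, vr2):
    """Compare (version, release) pairs with rpm semantics, version first."""
    c = rpmvercmp(vr1[0], vr2[0])
    return c if c else rpmvercmp(vr1[1], vr2[1])


def has_fix(pkg, fixed_vr=FIXED_VR):
    """True when the given accountsservice package is at or beyond the fixed release."""
    name, version, release = split_nvr(pkg)
    if name != "accountsservice":
        raise ValueError("expected accountsservice, got %r" % name)
    return compare_vr((version, release), fixed_vr) >= 0


if __name__ == "__main__":
    # Constructed sample `rpm -q accountsservice` outputs, not captured from a real host.
    for sample in ("accountsservice-0.6.14-2.mga2.i586",
                   "accountsservice-0.6.14-2.1.mga2.x86_64"):
        print(sample, "->", "fixed" if has_fix(sample) else "still vulnerable")
    # On a real Mageia 2 host, feed the installed package instead:
    #   import subprocess
    #   has_fix(subprocess.check_output(["rpm", "-q", "accountsservice"]).decode().strip())
```

The version logic follows rpm's published segment rules; `rpmdev-vercmp` from rpmdevtools gives the same answers on a system where it is installed, and is the better choice when that is available.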
Comment 1 Dave Hodgins 2012-07-05 04:26:22 CEST
The service was installed, but disabled on my i586 system.

I've enabled the service with
systemctl enable accounts-daemon.service

After rebooting, checking with
systemd-analyze blame|grep account
   924ms accounts-daemon.service

So other than adding just under a second to the boot time,
what is the service used for?

Any suggestions for testing procedure?  I've looked, but haven't
had any luck.
Comment 2 David Walser 2012-07-05 04:40:14 CEST
Fedora has issued an advisory for this on June 30:

If you take a look at the package URL, there is a "How to Test" section there.

The linked bugs may or may not have something interesting as well.
Comment 3 Dave Hodgins 2012-07-05 04:55:45 CEST
Thanks, but we don't have the accountsdialog package.

In Gnome, Tools/System Tools/User Accounts works whether the service
is running or not.
Comment 4 David Walser 2012-07-05 05:05:01 CEST
It sounds like it's used by GDM and LightDM to get the list of users.

I guess you could make sure the users on your system get displayed properly.
Comment 5 David Walser 2012-07-05 05:05:49 CEST
Olav, is there some other way accountsservice is used in GNOME we could test?
Comment 6 Dave Hodgins 2012-07-05 05:14:02 CEST
Based on urpmq --whatrequires accountsservice, it looks like gdm
uses it.

I've switched from kdm to gdm, and confirmed that even if I disable
the accounts-daemon.service, on a restart of the dm, it does get
re-enabled and started.

So, since gdm is the only package we have that requires the package,
and given that gdm is working with the update, I'm ok with
considering the test completed on my i586 system.
Comment 7 claire robinson 2012-07-05 17:34:29 CEST
Testing complete x86_64 mga2

Checked with gdm. Stopped the service, logged out. gdm starts the service.
Updated and did the same again.

No regressions noticed.


Please see comment 0 for advisory and srpm

Could sysadmin please push from core/updates_testing to core/updates

Comment 8 Olav Vitters 2012-07-06 10:08:06 CEST
GDM indeed uses it (to determine the users IIRC). Think gnome-control-center also relies on it, though maybe it misses a dependency.
Comment 9 Thomas Backlund 2012-07-10 01:55:43 CEST
Update pushed:
