Ubuntu
kde4libs package

CVE-2014-5033: kauth authentication bypass

Bug #1350019 reported by Felix Geyer on 2014-07-29

260

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	kde4libs (Ubuntu)	Fix Released	Undecided	Unassigned
	Precise	Fix Released	Undecided	Duchene
	Trusty	Fix Released	Undecided	Unassigned
	Utopic	Fix Released	Undecided	Unassigned

Bug Description

In kauth:
Using the PID for authentication is prone to a PID reuse race condition, and a security issue.

https://bugzilla.novell.com/show_bug.cgi?id=864716
http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23

CVE References

2014-5033

Revision history for this message

Felix Geyer (debfx) wrote on 2014-07-29:

#1

I'll work on preparing debdiffs.

Revision history for this message

Felix Geyer (debfx) wrote on 2014-07-30:

#2

4:4.13.95 already includes the fix.

Changed in kde4libs (Ubuntu Utopic):
status:	New → Fix Released

Revision history for this message

Felix Geyer (debfx) wrote on 2014-07-30:

#3

precise debdiff Edit (3.2 KiB, text/plain)

Revision history for this message

Felix Geyer (debfx) wrote on 2014-07-30:

#4

trusty debdiff Edit (3.1 KiB, text/plain)

Revision history for this message

Felix Geyer (debfx) wrote on 2014-07-30:

#5

I have verified that polkit authentication (changing login manager settings in system settings) still works with the patch.

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2014-07-30:

#6

ACK on the debdiffs. Building now, thanks!

Changed in kde4libs (Ubuntu Precise):
status:	New → In Progress
Changed in kde4libs (Ubuntu Trusty):
status:	New → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-07-31:

#7

This bug was fixed in the package kde4libs - 4:4.8.5-0ubuntu0.4

---------------
kde4libs (4:4.8.5-0ubuntu0.4) precise-security; urgency=medium

  * SECURITY UPDATE: kauth authentication bypass (LP: #1350019)
    - debian/patches/CVE-2014-5033.patch: use dbus system bus name instead
      of PID for authentication. Cherry-picked from upstream.
    - CVE-2014-5033
-- Felix Geyer <email address hidden> Wed, 30 Jul 2014 18:55:20 +0200

Changed in kde4libs (Ubuntu Precise):
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-07-31:

#8

This bug was fixed in the package kde4libs - 4:4.13.2a-0ubuntu0.3

---------------
kde4libs (4:4.13.2a-0ubuntu0.3) trusty-security; urgency=medium

  * SECURITY UPDATE: kauth authentication bypass (LP: #1350019)
    - debian/patches/CVE-2014-5033.patch: use dbus system bus name instead
      of PID for authentication. Cherry-picked from upstream.
    - CVE-2014-5033
-- Felix Geyer <email address hidden> Tue, 29 Jul 2014 22:35:14 +0200

Changed in kde4libs (Ubuntu Trusty):
status:	In Progress → Fix Released

Duchene (denis16ch) on 2014-08-12

Changed in kde4libs (Ubuntu Precise):
assignee:	nobody → Duchene (denis16ch)

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.