PT-2014-1805 · Kde · Kdelibs
Published: 2014-07-23
Updated: 2014-10-29
CVE-2014-5033
CVSS v2.0: 6.9 (Medium)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
polkit-qt version 0.103.0
kdelibs versions prior to 4.14
kauth versions prior to 5.1
Description
The issue allows local users to bypass intended access restrictions, potentially leading to a violation of confidentiality, integrity, and availability of protected information. This can be exploited locally. The problem is related to a PolkitUnixProcess PolkitSubject race condition via a setuid process or pkexec process.
Recommendations
For polkit-qt version 0.103.0, update to a newer version that contains a fix for this issue.
For kdelibs versions prior to 4.14, update to version 4.14 or later.
For kauth versions prior to 5.1, update to version 5.1 or later.
As a temporary workaround, consider restricting access to the polkit authority to minimize the risk of exploitation.
Exploit
Fix
Race Condition
Weakness Enumeration
Related Identifiers
Affected Products
CentOS
Red Hat
Ubuntu
Kauth
Kdelibs
Pkexec
Polkit-Qt