[Bug 864716] AUDIT-0: libKF5Auth4.x86_64: W: suse-dbus-unauthorized-service /etc/dbus-1/system.d/org.kde.kf5auth.conf

16 Jul 2014


      https://bugzilla.novell.com/show_bug.cgi?id=864716
https://bugzilla.novell.com/show_bug.cgi?id=864716#c41
--- Comment #41 from Sebastian Krahmer krahmer@suse.com 2014-07-16 13:33:16 UTC ---
Two examples of vulnerable KDE services are:
/usr/share/dbus-1/system-services/org.kde.fontinst.service or
 /usr/share/dbus-1/system-services/org.kde.kcontrol.kcmclock.service
which can be DBUs-activated by users to run as root and which use KAuth
to check whether this user would be allowed to do that action.
This check can by bypassed since process-subject, as used by KAuth, is
racy. Please refer to
CVE-2013-4288 and the followups CVE-2013-4311, CVE-2013-4324, CVE-2013-4325,
CVE-2013-4326 and CVE-2013-4327 which all fix exactly the same issue.
-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[Bug 864716] AUDIT-0: libKF5Auth4.x86_64: W: suse-dbus-unauthorized-service /etc/dbus-1/system.d/org.kde.kf5auth.conf