[Bug 864716] New: AUDIT-0: libKF5Auth4.x86_64: W: suse-dbus-unauthorized-service /etc/dbus-1/system.d/org.kde.kf5auth.conf
https://bugzilla.novell.com/show_bug.cgi?id=864716#c0

Summary: AUDIT-0: libKF5Auth4.x86_64: W: suse-dbus-unauthorized-service /etc/dbus-1/system.d/org.kde.kf5auth.conf
Classification: openSUSE
Product: openSUSE Factory
Version: 13.2 Milestone 0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: hrvoje.senjan@gmail.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.91 Safari/537.36 SUSE/33.0.1750.91

Source can be found at KDE:Frameworks5/kauth. As with kinit package, code is just ported to Qt5/KF5. org.kde.kf5auth.conf was renamed from org.kde.auth.conf so it can be co-installed with kdelibs4 package(s)
Thus - asking for whitelist =)
Thanks!

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c1

--- Comment #1 from Sebastian Krahmer <krahmer@suse.com> 2014-03-10 13:30:20 UTC ---
Just noticed that KAuth is using PolkitQt1::UnixProcessSubject subject(pid); which is polkit's deprecated way of checking authorizations: by pid. UnixProcess subjects shall not be used. I am not familiar with how KAuth is used internally by KDE, but this doesn't look good.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c2

--- Comment #2 from Sebastian Krahmer <krahmer@suse.com> 2014-03-18 08:04:21 UTC ---
Sent mail to some KDE developers and author of KAuth last week. No response so far; escalating.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c4

--- Comment #4 from Sebastian Krahmer <krahmer@suse.com> 2014-03-24 09:29:20 UTC ---
sent to OSS-sec
https://bugzilla.novell.com/show_bug.cgi?id=864716#c5

Raymond Wooninck <tittiatcoke@gmail.com> changed:

What          |Removed          |Added
----------------------------------------------------------------------------
CC            |                 |tittiatcoke@gmail.com

--- Comment #5 from Raymond Wooninck <tittiatcoke@gmail.com> 2014-03-25 12:21:37 UTC ---
Sebastian, as a comment from my side. You indicate that KAuth is using a deprecated method from polkit. However if I look at building the bindings, I can only find the following deprecated method:

[ 104s] /home/abuild/rpmbuild/BUILD/polkit-qt-1-0.103.50/core/polkitqt1-subject.cpp:125:16: warning: 'PolkitSubject* polkit_unix_process_new(gint)' is deprecated (declared at /usr/include/polkit-1/polkit/polkitunixprocess.h:51): Use polkit_unix_process_new_for_owner instead [-Wdeprecated-declarations]
[ 104s] setSubject(polkit_unix_process_new(pid));

Is this the one you are referring to? Otherwise it seems that Polkit didn't declare that particular way of checking authorizations as deprecated and would then be still a valid way. I don't think that KAuth is the issue here, but just the Qt-bindings around PolKit, which haven't been updated for the last two years. However checking a very recent PolKitQt-1 build against the polkit in factory, then the above is the only warning we receive about deprecated.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c6

Raymond Wooninck <tittiatcoke@gmail.com> changed:

What          |Removed          |Added
----------------------------------------------------------------------------
Status        |NEW              |NEEDINFO
InfoProvider  |                 |krahmer@suse.com

--- Comment #6 from Raymond Wooninck <tittiatcoke@gmail.com> 2014-03-25 12:55:59 UTC ---
Sebastian,

Can you confirm that the above issue is based on the following bugreport https://bugzilla.redhat.com/show_bug.cgi?id=1002375 ? This is the CVE-2013-4288 polkit: unix-process subject for authorization is racy ?

At this moment I have a possible patch for it and also the author of the polkit-qt bindings is looking into this one.

Thanks
https://bugzilla.novell.com/show_bug.cgi?id=864716#c7

Sebastian Krahmer <krahmer@suse.com> changed:

What          |Removed          |Added
----------------------------------------------------------------------------
Status        |NEEDINFO         |NEW
InfoProvider  |krahmer@suse.com |

--- Comment #7 from Sebastian Krahmer <krahmer@suse.com> 2014-03-25 13:03:26 UTC ---
Right.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c8

--- Comment #8 from Sebastian Krahmer <krahmer@suse.com> 2014-03-25 13:05:08 UTC ---
I have no idea whether the QT binding or the KAuth needs to be fixed. But just passing the pid is definitely wrong.
https://bugzilla.novell.com/show_bug.cgi?id=864716 https://bugzilla.novell.com/show_bug.cgi?id=864716#c9 --- Comment #9 from Raymond Wooninck <tittiatcoke@gmail.com> 2014-03-25 13:12:00 UTC --- Sebastian, KAuth doesn't directly communicate with PolKit, but does this through the Qt bindings for PolKit. Therefore the bindings have to be adjusted as they perform the calls to PolKit. This is the proposed step, which should bring it up to the right level of PolKit: --- a/core/polkitqt1-subject.cpp +++ b/core/polkitqt1-subject.cpp @@ -122,13 +122,13 @@ Subject Subject::fromString(const QString &string) UnixProcessSubject::UnixProcessSubject(qint64 pid) : Subject() { - setSubject(polkit_unix_process_new(pid)); + setSubject(polkit_unix_process_new_for_owner(pid, 0, getuid ())); } UnixProcessSubject::UnixProcessSubject(qint64 pid, quint64 startTime) : Subject() { - setSubject(polkit_unix_process_new_full(pid, startTime)); + setSubject(polkit_unix_process_new_for_owner(pid, startTime, getuid ())); } UnixProcessSubject::UnixProcessSubject(PolkitUnixProcess *pkUnixProcess) However Martin Briza (from redhat and the author of the Qt bindings for polkit) is also looking at the issue at this moment. So, hopefully we get this sorted out today or latest tomorrow. As soon as Polkit-qt-1 is patched, I will create an update and submit it. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
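Review bot: In both constructors the new third argument is getuid (), which is the uid of whichever process executes this constructor, not the uid of the process named by pid. If the subject is built inside a service that runs as root, the owner recorded for pid is 0 regardless of who sent the request. The constructors only receive pid (and startTime), so a caller has no way to supply the requester's uid; consider adding a uid parameter or a new overload and documenting where a trustworthy uid has to come from. The first constructor also passes a literal 0 as the start time, which deserves a comment stating what 0 means to polkit_unix_process_new_for_owner.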
https://bugzilla.novell.com/show_bug.cgi?id=864716#c10

--- Comment #10 from Sebastian Krahmer <krahmer@suse.com> 2014-03-25 13:56:00 UTC ---
If getuid() is what you want. If that's a DBUS activation as root, that grants everything. Is there something in KAuth that allows for credential passing?
https://bugzilla.novell.com/show_bug.cgi?id=864716#c11

Hrvoje Senjan <hrvoje.senjan@gmail.com> changed:

What          |Removed          |Added
----------------------------------------------------------------------------
CC            |                 |hrvoje.senjan@gmail.com

--- Comment #11 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-03-25 13:59:54 UTC ---
please just note that we do not have polkit-qt-1 enabled for Qt5. there is upstream support for it in a branch, but the libs, pc files, etc, are not renamed. until rename is done, it will not be submitted in the distribution, and also KAuth is basically ineffective.
if this is a major issue - then it would be more important to adjust polkit-qt-1 and kdelibs(4).
https://bugzilla.novell.com/show_bug.cgi?id=864716#c12

--- Comment #12 from Raymond Wooninck <tittiatcoke@gmail.com> 2014-03-25 15:05:31 UTC ---
@Sebastian, As far as I know getuid() gives me the user of the current process. The call to PolkitQt1::UnixProcessSubject subject(pid) comes from within KAuth where KAuth tries to validate if the user/process is authorized to perform that action and return that value back to the calling program. So I am not sure how this would fit in a DBUS activation as root ? This would mean that the program is running under root and then KAuth will indicate that the user is authorized. I just followed the same approach as that Red Hat did for the spicy-gtk library, so I guess that I am missing the point. Or I am a little bit too naive.

@Hrvoje. This issue came up when asking for a security review for smb4k, where Sebastian mentioned that KDE upstream is not following up on security issues. That is where I picked this up and tried to come up with an acceptable solution. The patch was reviewed (https://git.reviewboard.kde.org/r/117056/) and I got a Ship It! for it so that it gets fixed for KDE4
https://bugzilla.novell.com/show_bug.cgi?id=864716#c13

--- Comment #13 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-03-25 21:33:09 UTC ---
Created an attachment (id=583670) --> (http://bugzilla.novell.com/attachment.cgi?id=583670)
poor man's patch

Sebastian, could you review this one? Raymond correctly pointed out that KAuth uses polkit-qt as a backend, so i don't think that we need to change function names in KAuth/kdelibs
https://bugzilla.novell.com/show_bug.cgi?id=864716#c14

--- Comment #14 from Sebastian Krahmer <krahmer@suse.com> 2014-03-26 07:05:42 UTC ---
Thanks for your efforts. I don't think using uid is the right way for the framework to check authorizations. Consider org.kde.fontinst.service DBUS service, that is activated on behalf of users request as a root service. It will therefore run with uid 0, even if triggered by user. For now it is just using the pid of user requesting the service.

That's racy and the thing we want to fix. Your patch proposal also integrates the uid, but I fear that's the uid of the currently running process (root == 0). From the small patch I cannot see where the uid is coming from. If that would be the uid of the requesting user, that would be fine (although not perfect if suid helpers request DBUS services).

The preferred way is to use system-bus-name polkit authorization. polkit-qt bindings seem to offer SystemBusNameSubject class already, so is it possible to use that in KAuth rather than UnixProcess subjects?
https://bugzilla.novell.com/show_bug.cgi?id=864716#c15

--- Comment #15 from Raymond Wooninck <tittiatcoke@gmail.com> 2014-03-26 08:46:51 UTC ---
Sebastian,

uid comes from the following routine:

qint64 UnixProcessSubject::uid() const
{
    return polkit_unix_user_get_uid((PolkitUnixUser *) subject());
}

At this moment KDE is undergoing a heavy transformation into the KDE Frameworks and maybe we can get the changes for KAuth done there. However this will not resolve the KDE4 stuff. Therefore we are trying to make just small changes in order to make things work. And let's be fair, this has been working for the last years without major concerns until you discovered the racy condition. So we are trying to accommodate this and using the new method to resolve the racy condition.

I don't see this rewrite for KAuth happening for KDE4 and my assumption is that openSUSE stands alone in this and as openSUSE doesn't deliver any developer resources to KDE, I guess we have to wait until it becomes an issue within Fedora/Red Hat.

So in my opinion we have the following choices:

1) We leave things as it is and accept the racy condition for KDE
2) We adjust polkit-qt-1 to move away from the deprecated method and using the new one that prevents the racy condition, but is still PID based.
3) Neither of the above is accepted, which would mean that KDE is a security risk and it is then up to the security team to decide whether or not KDE should be removed from Factory.

Maybe black and white, but these are the choices I see at the moment for KDE4 in openSUSE. I will test Hrvoje's patch today to see if this one works as expected and then I will submit it for review to KDE Upstream. And this is the best that I can do at the moment.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c16

--- Comment #16 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-03-26 09:18:26 UTC ---
(In reply to comment #14)

First, just to say that this is a patch for polkit-qt-1, based and slightly extended on Raymond's.

> That's racy and the thing we want to fix. Your patch proposal also integrates
> the uid, but I fear that's the uid of the currently running process (root == 0).
> From the small patch I cannot see where the uid is coming from. If that would
> be the uid of the requesting user, that would be fine (although not perfect if
> suid helpers request DBUS services).

In reality, we have no SUID helpers in KDE - except for the kdeinit's OOM killer ;-) UID is the one of the requesting user - i've tested the patch, and from user perspective, things still operate as before - e.g. for killing other users processes in KSysGuard i need to enter root pass, also for changing clock, etc.

> The preferred way is to use system-bus-name polkit authorization. polkit-qt
> bindings seem to offer SystemBusNameSubject class already, so is it possible
> to use that in KAuth rather than UnixProcess subjects?

As Raymond pointed out, our chances for changing the internals are more for the KAuth framework/polkit-qt-1 based on Qt5, rather than in kdelibs4/Qt4 world...
https://bugzilla.novell.com/show_bug.cgi?id=864716#c17

Raymond Wooninck <tittiatcoke@gmail.com> changed:

What          |Removed          |Added
----------------------------------------------------------------------------
Component     |Security         |Apache

--- Comment #17 from Raymond Wooninck <tittiatcoke@gmail.com> 2014-03-26 09:28:07 UTC ---
I also tested the patch locally and have the same result as Hrvoje. The same behavior (requesting authorization for killing processes, change system clock, etc) as before the patch is there. So from that perspective, I believe we have the right one and resolved the issue with the racy condition.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c18

--- Comment #18 from Sebastian Krahmer <krahmer@suse.com> 2014-03-26 10:34:10 UTC ---
@Raymond, I see that uid comes via

return polkit_unix_user_get_uid((PolkitUnixUser *) subject());

my question is how is it constructed into the subject in the first place, as it was originally a process subject and I doubt the uid will magically appear by just type-casting it to a PolkitUnixUser *.

If that's taken from the unix socket credentials - that's OK. If that's filled in by polkit libs itself since it reads /proc/$pid/status when no uid is explicitly given on construction, then it's a NULL patch and we should not waste time making updates for it. :)
(Serious, I am not deep enough into KDE and QT to see immediately which of both is the case, but I fear it's the latter.)

I wonder whether just using SystemBusNameSubject would be so intrusive?

I am sorry for playing the bad cop here but I am not yet convinced that the patch makes sense.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c19

--- Comment #19 from Raymond Wooninck <tittiatcoke@gmail.com> 2014-03-26 14:21:28 UTC ---
@Sebastian,

Unfortunately I am not a developer and I just manage to resolve some bug fixing, etc. So I am the wrong person to indicate that using SystemBusNameSubject is intrusive. It could mean that a part of KAuth has to be rewritten and the question is if there are resources available to do so as that almost everybody is working on getting KDE Frameworks 5 going.

Do you have examples on how to use SystemBusNameSubject ?? Calls seem to be pretty similar to the UnixProcess one, but I am not sure what kind of parameter it requires. Can I make this equal to the name of the application that is requesting the authorization or does this need to be a specific value ? e.g. Application has to register itself first on the SystemBus and then this name has to be used ?

It would be great if you could assist me in this part and maybe together we can manage to rewrite KAuth.

Thanks
https://bugzilla.novell.com/show_bug.cgi?id=864716#c20

Sebastian Krahmer <krahmer@suse.com> changed:

What          |Removed          |Added
----------------------------------------------------------------------------
Priority      |P5 - None        |P2 - High

--- Comment #20 from Sebastian Krahmer <krahmer@suse.com> 2014-03-31 08:20:45 UTC ---
The ideal case would be to ask the maintainer/author of KAuth, because he should know best. Unfortunately security@kde is unresponsive, and so is the KAuth author. :/ Maybe we can go ahead and getting help from polkit upstream.

Using SystemBusNameSubject requires to pass the sender (from dbus, not the PID) as an argument. I don't know where we can get that from in KAuth. The callerID that's inside KAuth is also just the PID as a byte-array. Seems like the whole KAuth is just based on the PID.

Maybe that's hard to backport it for existing installs, but at least upcoming KDE should include a KAuth that's using SystemBusNameSubject.

Thanks for your help. I will try harder to allocate resources to get that fixed in upcoming KDE versions.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c21

Sebastian Krahmer <krahmer@suse.com> changed:

What          |Removed          |Added
----------------------------------------------------------------------------
CC            |                 |wstephenson@suse.de

--- Comment #21 from Sebastian Krahmer <krahmer@suse.com> 2014-03-31 08:25:13 UTC ---
Adding Will to Cc, maybe he has insight into how it's possible in KDE to pass DBUS sender along into KAuth so it can be used for authenticating requests.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c22

Sebastian Krahmer <krahmer@suse.com> changed:

What          |Removed          |Added
----------------------------------------------------------------------------
CC            |                 |dmueller@suse.com

--- Comment #22 from Sebastian Krahmer <krahmer@suse.com> 2014-03-31 09:03:39 UTC ---
Adding Dirk as well.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c23

--- Comment #23 from Raymond Wooninck <tittiatcoke@gmail.com> 2014-03-31 09:10:07 UTC ---
@Sebastian,

Doesn't the openSUSE team within SuSE have their own KDE developer (Antonio Larrosa) ? As far as I know when Will left the openSUSE team, a new developer was hired specifically to cover the KDE area. I guess he would be the right person from within SuSE.

Raymond
https://bugzilla.novell.com/show_bug.cgi?id=864716#c24

--- Comment #24 from Sebastian Krahmer <krahmer@suse.com> 2014-04-01 08:14:54 UTC ---
Added Antonio, maybe he can help.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c25

Hrvoje Senjan <hrvoje.senjan@gmail.com> changed:

What          |Removed          |Added
----------------------------------------------------------------------------
Component     |Apache           |Security

--- Comment #25 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-07-14 18:11:03 UTC ---
Sebastian, can we revisit the status of this? Missing DBus configuration is now starting to create some real problems with KF5 based desktop.

The deprecated polkit method in polkit-qt5 bindings has been updated to polkit_unix_process_new_for_owner.

Wrt SystemBusName, i have talked with de-facto maintainer of KDE's auth/polkit components, and he said that he didn't understand why would that be better than current solution. You can reach him at mbriza [at] redhat.com.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c26

--- Comment #26 from Sebastian Krahmer <krahmer@suse.com> 2014-07-15 07:07:29 UTC ---
We just disabled KAuth for SLE12 due to the unpatched hole, see bnc#873135

The usage of polkit_unix_process_new_for_owner() is new to me, as the KDE folks was not responding to various mails from us during the past half year. It depends on where they get the uid from, passing it to polkit_unix_process_new_for_owner().
https://bugzilla.novell.com/show_bug.cgi?id=864716#c27

--- Comment #27 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-07-15 08:26:51 UTC ---
(In reply to comment #26)
> We just disabled KAuth for SLE12 due to the unpatched hole, see bnc#873135

the report is not public
https://bugzilla.novell.com/show_bug.cgi?id=864716#c28

Raymond Wooninck <tittiatcoke@gmail.com> changed:

What          |Removed          |Added
----------------------------------------------------------------------------
Priority      |P2 - High        |P0 - Crit Sit
Status        |NEW              |NEEDINFO
InfoProvider  |                 |security-team@suse.de
Severity      |Major            |Critical

--- Comment #28 from Raymond Wooninck <tittiatcoke@gmail.com> 2014-07-15 14:15:21 UTC ---
@Sebastian,

It seems that this one is really becoming a blocker for delivering KDE for openSUSE. Crippling KDE with disabling KAuth is not the right approach as that would cause certain functionality to stop working or even break KDE itself. If this is the risk that SuSE want to take with SLE12, then this is up to the SLE maintainers. However I will not accept crippling KDE in such a way for openSUSE.

So I guess that the Security team now really has to take the decision that they can accept something, that is accepted by all other distributions or that they want to continue the very strict policy (remember the words of Linus Torvalds about the openSUSE security setups) and block this. In the latter, I will send delete requests for KDE to openSUSE:Factory and will blog that openSUSE has dropped official support for KDE in their distribution. We will then deliver KDE through other repositories on OBS for those users that still want to use KDE on openSUSE.

In my opinion we have been discussing this issue already too long and a decision needs to be taken now as that we see that functionality is starting to fail. It would be a shame to see KDE disappear from the openSUSE distribution.

Raymond
https://bugzilla.novell.com/show_bug.cgi?id=864716#c29

--- Comment #29 from Luca Beltrame <lbeltrame@kde.org> 2014-07-15 14:43:17 UTC ---
> as the KDE folks was not responding to various mails from us

security@ko is not the right place to ask these questions. Either contact Martin Briza (see previous message from Hrvoje) or mail the Frameworks mailing list (kde-frameworks-devel@kde.org). These are the best places to contact upstream.

Nevertheless, this should not block KAuth from entering Factory. Not having this breaks several components needed for a basic desktop experience, including power management.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c30

Marcus Meissner <meissner@suse.com> changed:

What          |Removed               |Added
----------------------------------------------------------------------------
Priority      |P0 - Crit Sit         |P2 - High
Status        |NEEDINFO              |NEW
CC            |                      |meissner@suse.com
InfoProvider  |security-team@suse.de |
Severity      |Critical              |Major

--- Comment #30 from Marcus Meissner <meissner@suse.com> 2014-07-16 07:06:25 UTC ---
P0 is reserved. reduce sev/prio
https://bugzilla.novell.com/show_bug.cgi?id=864716#c31

Marcus Meissner <meissner@suse.com> changed:

What          |Removed          |Added
----------------------------------------------------------------------------
Status        |NEW              |NEEDINFO
InfoProvider  |                 |alarrosa@suse.com

--- Comment #31 from Marcus Meissner <meissner@suse.com> 2014-07-16 07:09:38 UTC ---
Antonio?
https://bugzilla.novell.com/show_bug.cgi?id=864716#c32

--- Comment #32 from Sebastian Krahmer <krahmer@suse.com> 2014-07-16 07:46:25 UTC ---
I already contacted Martin Briza yesterday and I am looking into the patches that were mentioned for qt5.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c33

--- Comment #33 from Sebastian Krahmer <krahmer@suse.com> 2014-07-16 08:15:58 UTC ---
I just looked at the provided diffs and the same problem remains. Using -1 as uid brings nothing, as it again looks up the UID via /proc, which we want to avoid in the first place.

The problem in KAuth is that due to the layers there is no way to determine who actually is trying to authenticate the polkit action. The dbus sender is not available that should be used for this. And getuid() might be misleading because it's already running as root due to DBUS activation on behalf of the user we want to authenticate.

I am sorry that the issue is stuck. We were not just contacting security@kde, but also several developers and it was entirely silent. So it's not to blame us.

If I get an override from management to include the KAuth that's actually not authenticating anything, I'll happily do that.
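The three ways of naming the requester that comments #10 to #33 argue about (pid with the uid looked up later, pid plus the helper's own getuid(), and the D-Bus sender), as a simplified model added here; it is not code from polkit, polkit-qt-1, KAuth or any participant in this thread. The pid, uids, bus name and every type and function name are constructed for illustration.

```cpp
// Simplified model, NOT polkit / polkit-qt-1 / KAuth code.
// All pids, uids, the bus name and all identifiers are constructed.
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

using Uid = std::int64_t;
constexpr Uid kLookUpUid = -1;   // "uid -1": the authority resolves the uid itself
constexpr Uid kUnknown   = -2;   // model-only marker: subject could not be resolved
constexpr Uid kRoot      = 0;

// What the system reports for a pid at the moment somebody asks (the /proc view).
struct ProcEntry {
    Uid uid;
    std::uint64_t startTime;
};

struct World {
    std::map<int, ProcEntry> procTable;   // pid -> current state
    std::map<std::string, Uid> busPeers;  // unique bus name -> uid the bus
                                          // recorded when that peer connected
};

// A pid-based subject as the helper hands it to the authority.
struct ProcessSubject {
    int pid;
    std::uint64_t startTime;  // 0 = not supplied by the caller
    Uid uid;                  // kLookUpUid = not supplied by the caller
};

// Authority side: which uid does a pid-based subject end up meaning?
Uid resolveProcess(const World &w, const ProcessSubject &s)
{
    if (s.uid != kLookUpUid)
        return s.uid;                      // caller-supplied owner is taken as given
    auto it = w.procTable.find(s.pid);     // otherwise look at the pid *now*
    return it == w.procTable.end() ? kUnknown : it->second.uid;
}

// Authority side: a bus-name subject is resolved through the bus's own record.
Uid resolveBusName(const World &w, const std::string &sender)
{
    auto it = w.busPeers.find(sender);
    return it == w.busPeers.end() ? kUnknown : it->second;
}

struct Outcome {
    Uid pidOnly;       // subject(pid), uid left to the authority
    Uid pidHelperUid;  // subject(pid, 0, getuid()) built inside the helper
    Uid busName;       // subject(sender)
};

// One request from an unprivileged user to a helper that was activated as root.
Outcome runScenario(bool procEntryChangesBeforeCheck)
{
    const int requesterPid = 4242;
    const Uid requesterUid = 1000;
    const std::string sender = ":1.57";
    const Uid helperUid = kRoot;           // what getuid() returns in the helper

    World w;
    w.procTable[requesterPid] = {requesterUid, 100};
    w.busPeers[sender] = requesterUid;     // fixed when the connection was made

    // The request has reached the helper, carrying requesterPid and sender.
    // The race: what the pid refers to is not guaranteed to stay the same
    // until the authority evaluates the subject.
    if (procEntryChangesBeforeCheck)
        w.procTable[requesterPid] = {kRoot, 100};

    Outcome o;
    o.pidOnly      = resolveProcess(w, {requesterPid, 0, kLookUpUid});
    o.pidHelperUid = resolveProcess(w, {requesterPid, 0, helperUid});
    o.busName      = resolveBusName(w, sender);
    return o;
}

int main()
{
    for (bool changed : {false, true}) {
        Outcome o = runScenario(changed);
        std::cout << (changed ? "pid state changed:  " : "pid state stable:   ")
                  << "pid-only=" << o.pidOnly
                  << " pid+helper-getuid=" << o.pidHelperUid
                  << " bus-name=" << o.busName << '\n';
    }
    return 0;
}
```

Only the bus-name subject yields the requester's uid in both runs; the pid-only subject follows whatever the pid currently refers to, and the helper's getuid() is 0 from the start.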
https://bugzilla.novell.com/show_bug.cgi?id=864716#c34

--- Comment #34 from Luca Beltrame <lbeltrame@kde.org> 2014-07-16 09:13:02 UTC ---
In KAuth, the action authentication is IIRC done by the helper KAuth is calling, not KAuth itself. For a breakdown of how KAuth works, which may lead to an understanding of the issue:

https://techbase.kde.org/Development/Tutorials/KAuth/KAuth_Basics

As I said, KAuth is community-maintained (no single maintainer). That's why I mentioned kde-frameworks-devel. Contacting individual developers is likely to be inefficient on this regard.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c35

--- Comment #35 from Luca Beltrame <lbeltrame@kde.org> 2014-07-16 09:15:45 UTC ---
I correct my statement, KAuth is the one elevating privileges. (see the link and the "writing helpers" section)
https://bugzilla.novell.com/show_bug.cgi?id=864716#c36

--- Comment #36 from Luca Beltrame <lbeltrame@kde.org> 2014-07-16 09:21:27 UTC ---
Did you also try contacting Dario Freddi? Although he's not much involved in KDE nowadays, he's the original developer of this system.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c37

--- Comment #37 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-07-16 11:03:05 UTC ---
(In reply to comment #33)
> The problem in KAuth is that due to the layers there is no way to determine
> who actually is trying to authenticate the polkit action. The dbus sender is
> not available that should be used for this. And getuid() might be misleading
> because it's already running as root due to DBUS activation on behalf of the
> user we want to authenticate.

If the (potential) vulnerability is in case of SUID helpers, we can have this case closed. As i wrote somewhere above, Qt, since 5.3, aborts action if the Q*Application is SUID. Applications can explicitly override this, but i am happy to add a patch to our Qt5 packages that would also disallow even that.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c38 Bruno Friedmann <bruno@ioda-net.ch> changed:
What |Removed |Added
CC | |bruno@ioda-net.ch
--- Comment #38 from Bruno Friedmann <bruno@ioda-net.ch> 2014-07-16 12:06:11 UTC --- Adding myself as board watcher.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c39 --- Comment #39 from Ismail Donmez <idonmez@suse.com> 2014-07-16 12:19:13 UTC --- To clear the confusion here. This is not about suid helpers. This is a possible root hole using KAuth. So a rogue app using KAuth could gain root privileges and this is due to the way PID checking is done, which was found to be racy.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c40 --- Comment #40 from Sebastian Krahmer <krahmer@suse.com> 2014-07-16 13:29:16 UTC --- If Dario is drf@, I mailed him about it on April 7th, Ccing to 2 other ppl.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c41 --- Comment #41 from Sebastian Krahmer <krahmer@suse.com> 2014-07-16 13:33:16 UTC --- Two examples of vulnerable KDE services are: /usr/share/dbus-1/system-services/org.kde.fontinst.service or /usr/share/dbus-1/system-services/org.kde.kcontrol.kcmclock.service which can be DBUS-activated by users to run as root and which use KAuth to check whether this user would be allowed to do that action. This check can be bypassed since process-subject, as used by KAuth, is racy. Please refer to CVE-2013-4288 and the followups CVE-2013-4311, CVE-2013-4324, CVE-2013-4325, CVE-2013-4326 and CVE-2013-4327 which all fix exactly the same issue.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c42 --- Comment #42 from Luca Beltrame <lbeltrame@kde.org> 2014-07-16 13:35:15 UTC --- Please write to kde-frameworks-devel@kde.org then, so that the issue may reach people able to handle this. KAuth has no official maintainer, meaning that the responsibility of handling it is shared among all the people working on the KDE Frameworks.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c43 --- Comment #43 from Luca Beltrame <lbeltrame@kde.org> 2014-07-16 13:38:05 UTC --- Also, does one know how other distros such as Debian and Red Hat handled this?
https://bugzilla.novell.com/show_bug.cgi?id=864716#c44 --- Comment #44 from Sebastian Krahmer <krahmer@suse.com> 2014-07-16 14:01:36 UTC --- I am tired of reaching out to the KDE folks again and again explaining the issue the 42nd time to them. Can you do the short path of telling them about this bug#, as you seem to be a member of the KDE team anyway? This issue has been reported to other distros via the OSS-sec list but did not find major ack. That's probably b/c of a missing PoC. In such cases nobody sees the severity because it's 'theoretical'.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c45 --- Comment #45 from Raymond Wooninck <tittiatcoke@gmail.com> 2014-07-16 14:09:53 UTC --- @sebastian, @Ismail, Are we trying to make openSUSE into SLE here ?? Or are we trying to make the most secure distribution that nobody is able to use anymore due to all kinds of security enhancements. Remember that in the eyes of many people SUSE already has the label of being the distribution that is kinda paranoid about security. Remember the flames by Linus Torvalds ??? It seems also that this discussion is going around and around as that Sebastian is coming up again with the racy stuff in KAuth, despite that Martin Briza already indicated that this was resolved by moving to the new polkit methods that were actually even coming from Sebastian, so if those are still racy then I don't know anymore but to believe we are on a witch hunt to get KDE kicked out from SLE and openSUSE. Other distributions like Fedora, etc do not seem to have any issues with the current situation as that they are using the code as it is being delivered from KDE upstream. At this moment, I really feel like just sending out the message to the whole world indicating that openSUSE will no longer deliver KDE due to the enhanced security setup and that the KAuth methodology doesn't fit in there. Raymond
https://bugzilla.novell.com/show_bug.cgi?id=864716#c46 --- Comment #46 from Luca Beltrame <lbeltrame@kde.org> 2014-07-16 14:17:13 UTC --- Issue raised on kde-frameworks-devel: http://lists.kde.org/?l=kde-frameworks-devel&m=140552012224337&w=2
https://bugzilla.novell.com/show_bug.cgi?id=864716#c47 --- Comment #47 from Sebastian Krahmer <krahmer@suse.com> 2014-07-16 14:39:19 UTC --- Raymond, I am sorry you have such bad feelings against our sec-team but we are just trying to get a real solution to this problem. We won't add placebo-security fixes just so that everybody feels happy and honestly I don't mind what Linus or other distros would think about it. Due to KAuth layered lasagne-software, this is not just a one-line fix. I hope recent posting will accelerate this. If you are in Berlin one day I'll invite you to a beer to forget about all the hassle. It's not that we don't honor or respect your work but we want to get the KDE stuff sorted before it's checked in.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c48 --- Comment #48 from Luca Beltrame <lbeltrame@kde.org> 2014-07-16 14:46:29 UTC --- I'm going through this on IRC, at least someone is looking at the code. I'll keep you posted.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c49 --- Comment #49 from Luca Beltrame <lbeltrame@kde.org> 2014-07-16 14:47:55 UTC --- And @Sebastian: the design of KAuth may not be the best, but as a Framework it supports also OSX and (perhaps in the future) Windows, so some abstraction is necessary (this of course doesn't mean it has no flaws). This is not a criticism, but helps in putting things in context.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c50 --- Comment #50 from Luca Beltrame <lbeltrame@kde.org> 2014-07-16 15:53:10 UTC --- Currently testing patches that use SystemBusNameSubject. Will report back once finished.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c51 --- Comment #51 from Luca Beltrame <lbeltrame@kde.org> 2014-07-16 15:59:40 UTC --- Created an attachment (id=598877) --> (http://bugzilla.novell.com/attachment.cgi?id=598877) Patch to KAuth Patch by Martin Sandsmark from KDE. Is this what is needed?
https://bugzilla.novell.com/show_bug.cgi?id=864716#c52 Ismail Donmez <idonmez@suse.com> changed:
What |Removed |Added
InfoProvider |alarrosa@suse.com |krahmer@suse.com
--- Comment #52 from Ismail Donmez <idonmez@suse.com> 2014-07-16 18:09:59 UTC --- (In reply to comment #51)
> Created an attachment (id=598877) --> (http://bugzilla.novell.com/attachment.cgi?id=598877) [details] Patch to KAuth
> Patch by Martin Sandsmark from KDE. Is this what is needed?
Patch looks right but I am not an expert. NEEDINFO for Sebastian. Also could you please test the patched kdelibs and make sure systemsettings->clock still works as expected? Thanks a lot!
https://bugzilla.novell.com/show_bug.cgi?id=864716#c53 --- Comment #53 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-07-16 18:32:05 UTC --- The patch works with KAuth. (iow consumers do correctly authenticate, execute actions, etc) I am not a fan of patching kdelibs4 though, unless *really* necessary
https://bugzilla.novell.com/show_bug.cgi?id=864716#c54 --- Comment #54 from Luca Beltrame <lbeltrame@kde.org> 2014-07-16 18:48:08 UTC --- I rebased the patch on kdelibs as well (the previous one was for KDE Frameworks 5). We'll be testing it while awaiting Sebastian's assessment.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c55 Hrvoje Senjan <hrvoje.senjan@gmail.com> changed:
What |Removed |Added
Attachment #598877 is obsolete |0 |1
--- Comment #55 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-07-17 05:44:37 UTC --- Created an attachment (id=598930) --> (http://bugzilla.novell.com/attachment.cgi?id=598930) Patch to KAuth v.2 Updated patch, was one more place with PID usage
https://bugzilla.novell.com/show_bug.cgi?id=864716#c56 --- Comment #56 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-07-17 05:45:56 UTC --- Created an attachment (id=598931) --> (http://bugzilla.novell.com/attachment.cgi?id=598931) kdelibs4 patch Patch for kdelibs4 (just a line/dir replace, otherwise is the same)
https://bugzilla.novell.com/show_bug.cgi?id=864716#c57 --- Comment #57 from Luca Beltrame <lbeltrame@kde.org> 2014-07-17 08:16:46 UTC --- @Ismail: From a functional point of view, the patch works in both the KF5 and the kdelibs 4.x versions (tested: backlight helper for PM init, ksysguard process helper, date and time helper). All that's left to know if it addresses the security concerns.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c58 --- Comment #58 from Ismail Donmez <idonmez@suse.com> 2014-07-17 08:24:47 UTC --- (In reply to comment #57)
> @Ismail: From a functional point of view, the patch works in both the KF5 and the kdelibs 4.x versions (tested: backlight helper for PM init, ksysguard process helper, date and time helper).
Thanks a lot for handling this. A crippled KDE means a black eye for openSUSE and SLE, for which we never wanted to cripple it in the first place.
> All that's left to know if it addresses the security concerns.
As soon as Sebastian approves we can proceed. I'll handle the SLE side obviously.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c59 --- Comment #59 from Marcus Meissner <meissner@suse.com> 2014-07-17 15:27:23 UTC --- Sebastian is not present on Thursday and Friday. I am not so familiar with kauth/polkit. Not sure if it is correct, we match the system busname (?) and not client identifiers? Luca, did you also do negative checks? like testing that stuff correctly gets forbidden or admin dialog popups?
https://bugzilla.novell.com/show_bug.cgi?id=864716#c60 --- Comment #60 from Luca Beltrame <lbeltrame@kde.org> 2014-07-17 15:33:48 UTC --- I tried:
- non-interactive helpers (backlight, where no password is requested)
- interactive helpers (ksysguard + clock): in this case the authorization dialog pops up and requests the root password. Canceling or inserting the wrong password does not execute the action (as expected).
https://bugzilla.novell.com/show_bug.cgi?id=864716#c61 --- Comment #61 from Luca Beltrame <lbeltrame@kde.org> 2014-07-17 15:36:26 UTC --- @Marcus http://www.freedesktop.org/software/polkit/docs/latest/PolkitSystemBusName.h... Basically it uses DBus, to my understanding, to get the process instead of using the PID, which is open to race conditions (the objection raised by Sebastian).
https://bugzilla.novell.com/show_bug.cgi?id=864716#c62 --- Comment #62 from Luca Beltrame <lbeltrame@kde.org> 2014-07-17 15:41:36 UTC --- I made a further negative test with multiple wrong passwords: as expected, the actions refuse to be executed and errors are displayed (I also checked that the action - increase clock time by 1 min - was not actually done).
https://bugzilla.novell.com/show_bug.cgi?id=864716#c63 --- Comment #63 from Marcus Meissner <meissner@suse.com> 2014-07-17 16:14:20 UTC --- Thanks for doing this! I think we are probably good for approval and I will do that. Sebastian might have comments when he is back on Monday.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c64 --- Comment #64 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-07-17 16:46:23 UTC --- (In reply to comment #59)
> Sebastian is not present on Thursday and Friday.
> I am not so familiar with kauth/polkit.
> Not sure if it is correct, we match the system busname (?) and not client identifiers?
> Luca, did you also do negative checks? like testing that stuff correctly gets forbidden or admin dialog popups?
In case of successful authentication, one now gets e.g.:
polkitd[22395]: 06:46:24.368: Operator of unix-session:59 successfully authenticated as unix-user:root to gain ONE-SHOT authorization for action org.kde.ksysguard.processlisthelper.sendsignal for system-bus-name::1.3728 [/usr/bin/systemmonitor] (owned by unix-user:hrvoje)
in case of failure:
polkitd[22395]: Operator of unix-session:59 FAILED to authenticate to gain authorization for action org.kde.ksysguard.processlisthelper.sendsignal for system-bus-name::1.3885 [/usr/bin/systemmonitor] (owned by unix-user:hrvoje)
So this indeed looks like the procedure that was asked for ;-)
(In reply to comment #63)
> I think we are probably good for approval and I will do that
Many thanks for resolving this! (also to others involved!)
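An added example, not part of the original bug thread: a small checker that parses polkitd authentication lines of the shape quoted in comment #64 and reports which subject kind each check was made against, flagging the PID-based `unix-process` kind that the thread calls racy. The first two sample lines are the ones from comment #64; the third line, its action name and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Shape of the polkitd authentication lines quoted in comment #64.
LINE_RE = re.compile(
    r"Operator of (?P<operator>\S+) "
    r"(?:successfully authenticated as (?P<as_user>\S+) to gain "
    r"(?P<grant>\S+) authorization|FAILED to authenticate to gain authorization) "
    r"for action (?P<action>\S+) "
    r"for (?P<subject>\S+) "
    r"\[(?P<program>[^\]]*)\] "
    r"\(owned by (?P<owner>[^)]+)\)"
)

# Subject kinds identified by PID (the approach the thread objects to).
PID_BASED_KINDS = {"unix-process"}


def parse_line(line):
    """Return a record for one polkitd authentication line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    subject = m.group("subject")
    kind = subject.split(":", 1)[0]  # e.g. "system-bus-name" or "unix-process"
    return {
        "granted": m.group("as_user") is not None,
        "grant": m.group("grant"),
        "action": m.group("action"),
        "subject": subject,
        "subject_kind": kind,
        "pid_based": kind in PID_BASED_KINDS,
        "program": m.group("program"),
        "owner": m.group("owner"),
    }


def audit(lines):
    """Map each action to the subject kinds seen; list PID-based checks."""
    kinds_by_action = defaultdict(set)
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an authentication line
        kinds_by_action[rec["action"]].add(rec["subject_kind"])
        if rec["pid_based"]:
            flagged.append(rec)
    return dict(kinds_by_action), flagged


SAMPLE_LOG = [
    # From comment #64 (patched KAuth, bus-name subject).
    "polkitd[22395]: 06:46:24.368: Operator of unix-session:59 successfully "
    "authenticated as unix-user:root to gain ONE-SHOT authorization for action "
    "org.kde.ksysguard.processlisthelper.sendsignal for system-bus-name::1.3728 "
    "[/usr/bin/systemmonitor] (owned by unix-user:hrvoje)",
    "polkitd[22395]: Operator of unix-session:59 FAILED to authenticate to gain "
    "authorization for action org.kde.ksysguard.processlisthelper.sendsignal "
    "for system-bus-name::1.3885 [/usr/bin/systemmonitor] (owned by unix-user:hrvoje)",
    # Constructed line: a hypothetical service still using a PID-based subject.
    "polkitd[1000]: Operator of unix-session:1 successfully authenticated as "
    "unix-user:root to gain ONE-SHOT authorization for action "
    "org.example.helper.run for unix-process:4242:1234567 "
    "[/usr/bin/example-client] (owned by unix-user:alice)",
]

if __name__ == "__main__":
    kinds, flagged = audit(SAMPLE_LOG)
    for action, seen in sorted(kinds.items()):
        print(action, "->", ", ".join(sorted(seen)))
    for rec in flagged:
        print("PID-based subject:", rec["action"], rec["subject"], rec["program"])
```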
https://bugzilla.novell.com/show_bug.cgi?id=864716#c65 --- Comment #65 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-07-17 19:00:58 CEST --- This is an autogenerated message for OBS integration: This bug (864716) was mentioned in https://build.opensuse.org/request/show/241367 Factory / rpmlint
https://bugzilla.novell.com/show_bug.cgi?id=864716#c66 --- Comment #66 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-07-18 11:01:11 CEST --- This is an autogenerated message for OBS integration: This bug (864716) was mentioned in https://build.opensuse.org/request/show/241428 Factory / kauth
https://bugzilla.novell.com/show_bug.cgi?id=864716#c67 Sebastian Krahmer <krahmer@suse.com> changed:
What |Removed |Added
Status |NEEDINFO |NEW
InfoProvider |krahmer@suse.com |
--- Comment #67 from Sebastian Krahmer <krahmer@suse.com> 2014-07-21 07:55:53 UTC --- Ok, this one looks much better! I am not a KDE expert but the patch looks as this subject indeed is the race-free object bound to the DBUS originator of the request. Ismail, can we revert recent SLE12 FAKE patch to be substituted by this?
https://bugzilla.novell.com/show_bug.cgi?id=864716#c68 Sebastian Krahmer <krahmer@suse.com> changed:
What |Removed |Added
Status |NEW |NEEDINFO
InfoProvider | |idonmez@suse.com
--- Comment #68 from Sebastian Krahmer <krahmer@suse.com> 2014-07-21 07:57:01 UTC --- I hope the patch covers all necessary subject-based code in KAuth.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c69 --- Comment #69 from Luca Beltrame <lbeltrame@kde.org> 2014-07-21 08:05:27 UTC --- This patch went through code review upstream (which prompted the generation of the v2 patch) as well, along with some direct (on IRC) discussion with the person who wrote the initial version. Sebastian, if you do not have further objections let us know: I'll tell upstream to merge this in stable and development branches (so that everyone benefits from this security review).
https://bugzilla.novell.com/show_bug.cgi?id=864716#c70 --- Comment #70 from Sebastian Krahmer <krahmer@suse.com> 2014-07-21 08:19:07 UTC --- I just requested a CVE and Cc'ed oss-sec so other distributors can also benefit from our hard work.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c71 Ismail Donmez <idonmez@suse.com> changed:
What |Removed |Added
Status |NEEDINFO |NEW
InfoProvider |idonmez@suse.com |
--- Comment #71 from Ismail Donmez <idonmez@suse.com> 2014-07-21 09:15:19 UTC --- SLE part was checked in last Friday. Thanks for all those involved!
https://bugzilla.novell.com/show_bug.cgi?id=864716#c72 --- Comment #72 from Luca Beltrame <lbeltrame@kde.org> 2014-07-21 21:34:30 UTC --- FYI, the patch has been merged upstream for both 4.13, 4.14 and KF5.
https://bugzilla.novell.com/show_bug.cgi?id=864716#c73 Hrvoje Senjan <hrvoje.senjan@gmail.com> changed:
What |Removed |Added
Status |NEW |RESOLVED
Resolution | |FIXED
--- Comment #73 from Hrvoje Senjan <hrvoje.senjan@gmail.com> 2014-07-21 21:57:55 UTC --- (In reply to comment #72)
> FYI, the patch has been merged upstream for both 4.13, 4.14 and KF5.
Once we get CVE, I'll start maintenance sr's for 12.3 and 13.1. This one can be closed now though
https://bugzilla.novell.com/show_bug.cgi?id=864716#c75 Sebastian Krahmer <krahmer@suse.com> changed:
Summary, removed: AUDIT-0: libKF5Auth4.x86_64: W: suse-dbus-unauthorized-service /etc/dbus-1/system.d/org.kde.kf5auth.conf
Summary, added: VUL-0: CVE-2014-5033: libKF5Auth4.x86_64: W: suse-dbus-unauthorized-service /etc/dbus-1/system.d/org.kde.kf5auth.conf
Alias, added: CVE-2014-5033
--- Comment #75 from Sebastian Krahmer <krahmer@suse.com> 2014-07-23 07:53:10 UTC --- CVE-2014-5033
https://bugzilla.novell.com/show_bug.cgi?id=864716#c76 --- Comment #76 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-07-26 01:00:36 CEST --- This is an autogenerated message for OBS integration: This bug (864716) was mentioned in https://build.opensuse.org/request/show/242441 13.1 / kdelibs4-apidocs+kdelibs4+kdebase4-workspace
https://bugzilla.novell.com/show_bug.cgi?id=864716#c Swamp Workflow Management <swamp@suse.de> changed:
What |Removed |Added
Status Whiteboard | |obs:running:2928:moderate
https://bugzilla.novell.com/show_bug.cgi?id=864716#c77 --- Comment #77 from Swamp Workflow Management <swamp@suse.de> 2014-08-11 08:09:35 UTC --- openSUSE-SU-2014:0981-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 819437,864716 CVE References: CVE-2014-5033 Sources used: openSUSE 13.1 (src): kdebase4-workspace-4.11.11-115.3, kdelibs4-4.11.5-484.1, kdelibs4-apidocs-4.11.5-484.1
http://bugzilla.novell.com/show_bug.cgi?id=864716 Peter B <auxsvr@gmail.com> changed:
What |Removed |Added
CC | |auxsvr@gmail.com
http://bugzilla.novell.com/show_bug.cgi?id=864716 Swamp Workflow Management <swamp@suse.de> changed:
What |Removed |Added
Whiteboard |obs:running:2928:moderate |
http://bugzilla.novell.com/show_bug.cgi?id=864716 SMASH SMASH <smash_bz@suse.de> changed:
Whiteboard, added:
CVSSv2:NVD:CVE-2013-4288:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSSv2:NVD:CVE-2013-4311:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSSv2:NVD:CVE-2014-5033:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:RedHat:CVE-2013-4288:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:RedHat:CVE-2013-4311:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:RedHat:CVE-2014-5033:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:SUSE:CVE-2013-4288:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
http://bugzilla.novell.com/show_bug.cgi?id=864716 SMASH SMASH <smash_bz@suse.de> changed:
Whiteboard, removed:
CVSSv2:NVD:CVE-2013-4288:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSSv2:NVD:CVE-2013-4311:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSSv2:NVD:CVE-2014-5033:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:RedHat:CVE-2013-4288:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:RedHat:CVE-2013-4311:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:RedHat:CVE-2014-5033:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:SUSE:CVE-2013-4288:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
Whiteboard, added:
CVSSv2:NVD:CVE-2013-4327:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSSv2:RedHat:CVE-2013-4327:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
http://bugzilla.novell.com/show_bug.cgi?id=864716 SMASH SMASH <smash_bz@suse.de> changed:
Whiteboard, removed:
CVSSv2:NVD:CVE-2013-4327:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSSv2:RedHat:CVE-2013-4327:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
Whiteboard, added:
CVSSv2:NVD:CVE-2013-4325:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:NVD:CVE-2013-6402:2.1:(AV:L/AC:L/Au:N/C:N/I:P/A:N)
CVSSv2:RedHat:CVE-2013-4325:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:RedHat:CVE-2013-6402:1.9:(AV:L/AC:M/Au:N/C:N/I:P/A:N)
http://bugzilla.novell.com/show_bug.cgi?id=864716 SMASH SMASH <smash_bz@suse.de> changed:
Whiteboard, removed:
CVSSv2:NVD:CVE-2013-4325:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:NVD:CVE-2013-6402:2.1:(AV:L/AC:L/Au:N/C:N/I:P/A:N)
CVSSv2:RedHat:CVE-2013-4325:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSSv2:RedHat:CVE-2013-6402:1.9:(AV:L/AC:M/Au:N/C:N/I:P/A:N)
Whiteboard, added:
CVSSv2:NVD:CVE-2013-4326:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSSv2:RedHat:CVE-2013-4326:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
http://bugzilla.novell.com/show_bug.cgi?id=864716 SMASH SMASH <smash_bz@suse.de> changed:
Whiteboard, removed:
CVSSv2:NVD:CVE-2013-4326:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSSv2:RedHat:CVE-2013-4326:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)
Whiteboard, added:
CVSSv2:NVD:CVE-2013-4324:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVSSv2:RedHat:CVE-2013-4324:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C)