Mailinglist Archive: opensuse-bugs (5295 mails)

[Bug 849739] New: AUDIT-0: kwalletmanager: Security Review requested due to suse-dbus-unauthorized-service, polkit-untracked-privilege and polkit-cant-acquire-privilege
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Sun, 10 Nov 2013 01:50:08 +0000
  • Message-id: <bug-849739-21960@http.bugzilla.novell.com/>

https://bugzilla.novell.com/show_bug.cgi?id=849739

https://bugzilla.novell.com/show_bug.cgi?id=849739#c0


Summary: AUDIT-0: kwalletmanager: Security Review requested due
to suse-dbus-unauthorized-service,
polkit-untracked-privilege and
polkit-cant-acquire-privilege
Classification: openSUSE
Product: openSUSE Factory
Version: 13.2 Milestone 0
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@xxxxxxx
ReportedBy: hrvoje.senjan@xxxxxxxxx
QAContact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---


Due to changes in kwalletmanager for KDE's 4.12 release, we're requesting
whitelisting the following:

kwalletmanager.i586: E: suse-dbus-unauthorized-service (Badness: 100)
/usr/share/dbus-1/system-services/org.kde.kcontrol.kcmkwallet.service
kwalletmanager.i586: E: suse-dbus-unauthorized-service (Badness: 100)
/etc/dbus-1/system.d/org.kde.kcontrol.kcmkwallet.conf
The package installs a DBUS system service file. If the package is intended
for inclusion in any SUSE product please open a bug report to request review
of the service by the security team.

kwalletmanager.i586: E: polkit-unauthorized-privilege (Badness: 100)
org.kde.kcontrol.kcmkwallet.save (??:no:auth_self_keep)
The package allows unprivileged users to carry out privileged operations
without authentication. This could cause security problems if not done
carefully. If the package is intended for inclusion in any SUSE product please
open a bug report to request review of the package by the security team

kwalletmanager.i586: I: polkit-cant-acquire-privilege
org.kde.kcontrol.kcmkwallet.save (??:no:auth_self_keep)
Usability can be improved by allowing users to acquire privileges via
authentication. Use e.g. 'auth_admin' instead of 'no' and make sure to define
'allow_any'. This is an issue only if the privilege is not listed in
/etc/polkit-default-privs.*



Changes are introduced with this commit:
http://quickgit.kde.org/?p=kwallet.git&a=commit&h=717f925b77f13c54e92ecd81ea92487f933a1915

Reproducible: Always
