Date: Tue, 3 Apr 2012 16:54:44 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: privilege escalation in sectool

Colin Guthrie reported that sectool would elevate user privileges when
it was installed on a system, due to an incorrect DBus file
(specifically org.fedoraproject.sectool.mechanism.conf).  This could
allow a user with no additional privileges to elevate theirs (for
instance to restart a service they would not normally have permission to
restart).

Further details are in the bug, and a patch is available:

https://bugzilla.redhat.com/show_bug.cgi?id=809437
http://pkgs.fedoraproject.org/gitweb/?p=sectool.git;a=blob;f=sectool-0.9.5-dbus.patch;h=aedb3ef7f7e5ab22d5438bfb7eee63489ccf3244;hb=4859832281f0e08c6fbe48fc252c4199a0e9e322

Since this was reported and committed publicly, I'm requesting a CVE in
case one has already been assigned.

Thanks.

-- 
Vincent Danen / Red Hat Security Response Team 
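
Added example, not part of the original message or the sectool patch: a defensive audit of a D-Bus system policy file such as the one named above. The message does not say what was wrong in the file, so the two rule shapes flagged here (an unrestricted `send_destination` or an `own` grant inside a policy that applies to every user) are an assumed general class of over-permissive policy, and `org.example.mechanism` is a constructed service name.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (hypothetical service; NOT the sectool file).
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.mechanism"/>
    <allow send_destination="org.example.mechanism"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.mechanism"/>
    <allow send_destination="org.example.mechanism"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow own="org.example.mechanism"/>
  </policy>
</busconfig>"""

# Attributes that narrow a send rule to one interface, method or object path.
NARROWING = ("send_interface", "send_member", "send_path")


def audit_policy(xml_text):
    """Return (kind, bus_name) findings for allow rules open to every user."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("policy"):
        # context="default"/"mandatory" apply to all callers;
        # user="..." and group="..." policies are scoped to that principal.
        if policy.get("context") not in ("default", "mandatory"):
            continue
        for rule in policy.findall("allow"):
            attrs = rule.attrib
            if "own" in attrs:
                # Any local user could claim the service's bus name.
                findings.append(("own", attrs["own"]))
            elif "send_destination" in attrs and not any(
                key in attrs for key in NARROWING
            ):
                # Any local user could call every method the service exports.
                findings.append(("send_any_method", attrs["send_destination"]))
    return findings


if __name__ == "__main__":
    for kind, name in audit_policy(SAMPLE_POLICY):
        print(f"{kind}: {name} is open to every local user")
```

A finding is a review item rather than proof of a flaw: a service that authorizes each call itself (for example through polkit) can legitimately accept messages from any user.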
