Message-ID: <20151028104218.GA14987@suse.de>
Date: Wed, 28 Oct 2015 11:42:18 +0100
From: Sebastian Krahmer <krahmer@...e.com>
To: oss-security@...ts.openwall.com
Cc: clement.lefebvre@...uxmint.com
Subject: csd-datetime forgets to authorize users

Hi,

The csd-datetime-setting SetDate DBUS function apparently forgets to check the polkit authorization for the caller, unlike SetTime. At least I couldn't find any restriction that it's not callable by users.

Bug and patch proposal are here:

https://bugzilla.suse.com/show_bug.cgi?id=951830

I am not a big fan of calling binaries from inside DBUS functions, but it seems to be state of the art in desktop programming and doesn't look exploitable. Yet, w/o authorization you may run into vulnerabilities like the sudo time-ticket stuff.

csd seems to be a fork of gnome-settings-daemon, but to my knowledge they don't offer a set_date(), at least in the version I looked at. So this issue seems to be introduced by csd itself.

If upstream (cc) confirms, can someone please assign a CVE?

Sebastian

--
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.com - SuSE Security Team
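The defect described in the message is a privileged D-Bus method exported without the polkit gate its sibling method has. The following is an added illustration (not csd or gnome-settings-daemon code) of one way to make that class of omission structurally hard: a single decorator that both registers each exported method and enforces a polkit action on it, plus an audit that lists any exported method registered without an action. The polkit action id, the `authority` callable standing in for polkit's CheckAuthorization, and the sender names are all constructed for the example.

```python
"""Uniform authorization gate for privileged D-Bus methods (illustration only)."""
from functools import wraps

class NotAuthorized(PermissionError):
    """Raised instead of performing the privileged operation."""

_EXPORTED = {}  # qualified method name -> required polkit action id (None = unguarded)

def exported(action_id=None):
    """Register a D-Bus method and require `action_id` from polkit before running it."""
    def deco(fn):
        _EXPORTED[fn.__qualname__] = action_id
        @wraps(fn)
        def wrapper(self, sender, *args):
            if action_id is None:  # registered but never given an action: refuse outright
                raise NotAuthorized(f"{fn.__qualname__} exported without a polkit action")
            if not self.authority(sender, action_id):  # stand-in for CheckAuthorization
                raise NotAuthorized(f"{sender} is not authorized for {action_id}")
            return fn(self, sender, *args)
        return wrapper
    return deco

class DateTimeMechanism:
    """Sketch of a settings-daemon mechanism; `sender` is the D-Bus caller's bus name."""
    ACTION = "org.example.datetime.configure"  # hypothetical polkit action id

    def __init__(self, authority):
        self.authority = authority  # callable(sender, action_id) -> bool, injected
        self.clock = {"time": 0, "date": "1970-01-01"}

    @exported(ACTION)
    def SetTime(self, sender, seconds):
        self.clock["time"] = seconds
        return True

    @exported(ACTION)  # same gate as SetTime, which is what the report says was missing
    def SetDate(self, sender, date):
        self.clock["date"] = date
        return True

class LegacyDateTime(DateTimeMechanism):
    """Shape of the reported bug: SetDate registered with no polkit action."""
    @exported()
    def SetDate(self, sender, date):
        self.clock["date"] = date
        return True

def unguarded_methods():
    """Audit: every exported method must name a polkit action; returns offenders."""
    return sorted(name for name, action in _EXPORTED.items() if action is None)

def admin_only(sender, action_id):
    """Constructed stand-in for a polkit authority: only one bus name is authorized."""
    return sender == ":1.admin"
```

Run the audit at daemon start-up (or in the test suite) so a method like `LegacyDateTime.SetDate` fails the build rather than shipping callable by any user.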