CVE-2014-5033: Race Condition
First published: Tue Aug 19 2014(Updated: )
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian Kde4libs | ||
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| KDE KAuth | <=5.0 | |
| KDE kdelibs | <=4.13.97 | |
| KDE kdelibs | =4.10.0 | |
| KDE kdelibs | =4.10.1 | |
| KDE kdelibs | =4.10.2 | |
| KDE kdelibs | =4.10.3 | |
| KDE kdelibs | =4.10.95 | |
| KDE kdelibs | =4.10.97 | |
| KDE kdelibs | =4.11.0 | |
| KDE kdelibs | =4.11.1 | |
| KDE kdelibs | =4.11.2 | |
| KDE kdelibs | =4.11.3 | |
| KDE kdelibs | =4.11.4 | |
| KDE kdelibs | =4.11.5 | |
| KDE kdelibs | =4.11.80 | |
| KDE kdelibs | =4.11.90 | |
| KDE kdelibs | =4.11.95 | |
| KDE kdelibs | =4.11.97 | |
| KDE kdelibs | =4.12.0 | |
| KDE kdelibs | =4.12.1 | |
| KDE kdelibs | =4.12.2 | |
| KDE kdelibs | =4.12.3 | |
| KDE kdelibs | =4.12.4 | |
| KDE kdelibs | =4.12.5 | |
| KDE kdelibs | =4.12.80 | |
| KDE kdelibs | =4.12.90 | |
| KDE kdelibs | =4.12.95 | |
| KDE kdelibs | =4.12.97 | |
| KDE kdelibs | =4.13.0 | |
| KDE kdelibs | =4.13.1 | |
| KDE kdelibs | =4.13.2 | |
| KDE kdelibs | =4.13.3 | |
| KDE kdelibs | =4.13.80 | |
| KDE kdelibs | =4.13.90 | |
| KDE kdelibs | =4.13.95 |
Remedy
http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00012.html
- http://quickgit.kde.org/?p=kauth.git&a=commit&h=341b7d84b6d9c03cf56905cb277b47e11c81482a
- http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
- http://rhn.redhat.com/errata/RHSA-2014-1359.html
- http://secunia.com/advisories/60385
- http://secunia.com/advisories/60633
- http://secunia.com/advisories/60654
- http://www.debian.org/security/2014/dsa-3004
- http://www.kde.org/info/security/advisory-20140730-1.txt
- http://www.ubuntu.com/usn/USN-2304-1
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/debian
- canonical/debian kde4libs
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- vendor/kde
- canonical/kde kauth
- version/kde kauth/5.0
- canonical/kde kdelibs
- version/kde kdelibs/4.13.97
- version/kde kdelibs/4.10.0
- version/kde kdelibs/4.10.1
- version/kde kdelibs/4.10.2
- version/kde kdelibs/4.10.3
- version/kde kdelibs/4.10.95
- version/kde kdelibs/4.10.97
- version/kde kdelibs/4.11.0
- version/kde kdelibs/4.11.1
- version/kde kdelibs/4.11.2
- version/kde kdelibs/4.11.3
- version/kde kdelibs/4.11.4
- version/kde kdelibs/4.11.5
- version/kde kdelibs/4.11.80
- version/kde kdelibs/4.11.90
- version/kde kdelibs/4.11.95
- version/kde kdelibs/4.11.97
- version/kde kdelibs/4.12.0
- version/kde kdelibs/4.12.1
- version/kde kdelibs/4.12.2
- version/kde kdelibs/4.12.3
- version/kde kdelibs/4.12.4
- version/kde kdelibs/4.12.5
- version/kde kdelibs/4.12.80
- version/kde kdelibs/4.12.90
- version/kde kdelibs/4.12.95
- version/kde kdelibs/4.12.97
- version/kde kdelibs/4.13.0
- version/kde kdelibs/4.13.1
- version/kde kdelibs/4.13.2
- version/kde kdelibs/4.13.3
- version/kde kdelibs/4.13.80
- version/kde kdelibs/4.13.90
- version/kde kdelibs/4.13.95