CVE-2014-5033: Race Condition
First published: Tue Aug 19 2014(Updated: )
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian KDE4libs | ||
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| KDE KAuth | <=5.0 | |
| KDE kdelibs3 | <=4.13.97 | |
| KDE kdelibs3 | =4.10.0 | |
| KDE kdelibs3 | =4.10.1 | |
| KDE kdelibs3 | =4.10.2 | |
| KDE kdelibs3 | =4.10.3 | |
| KDE kdelibs3 | =4.10.95 | |
| KDE kdelibs3 | =4.10.97 | |
| KDE kdelibs3 | =4.11.0 | |
| KDE kdelibs3 | =4.11.1 | |
| KDE kdelibs3 | =4.11.2 | |
| KDE kdelibs3 | =4.11.3 | |
| KDE kdelibs3 | =4.11.4 | |
| KDE kdelibs3 | =4.11.5 | |
| KDE kdelibs3 | =4.11.80 | |
| KDE kdelibs3 | =4.11.90 | |
| KDE kdelibs3 | =4.11.95 | |
| KDE kdelibs3 | =4.11.97 | |
| KDE kdelibs3 | =4.12.0 | |
| KDE kdelibs3 | =4.12.1 | |
| KDE kdelibs3 | =4.12.2 | |
| KDE kdelibs3 | =4.12.3 | |
| KDE kdelibs3 | =4.12.4 | |
| KDE kdelibs3 | =4.12.5 | |
| KDE kdelibs3 | =4.12.80 | |
| KDE kdelibs3 | =4.12.90 | |
| KDE kdelibs3 | =4.12.95 | |
| KDE kdelibs3 | =4.12.97 | |
| KDE kdelibs3 | =4.13.0 | |
| KDE kdelibs3 | =4.13.1 | |
| KDE kdelibs3 | =4.13.2 | |
| KDE kdelibs3 | =4.13.3 | |
| KDE kdelibs3 | =4.13.80 | |
| KDE kdelibs3 | =4.13.90 | |
| KDE kdelibs3 | =4.13.95 |
Remedy
http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00012.html
- http://quickgit.kde.org/?p=kauth.git&a=commit&h=341b7d84b6d9c03cf56905cb277b47e11c81482a
- http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
- http://rhn.redhat.com/errata/RHSA-2014-1359.html
- http://secunia.com/advisories/60385
- http://secunia.com/advisories/60633
- http://secunia.com/advisories/60654
- http://www.debian.org/security/2014/dsa-3004
- http://www.kde.org/info/security/advisory-20140730-1.txt
- http://www.ubuntu.com/usn/USN-2304-1
Frequently Asked Questions
What is the severity of CVE-2014-5033?
CVE-2014-5033 is classified as a medium severity vulnerability that allows local users to bypass access restrictions.
How do I fix CVE-2014-5033?
To fix CVE-2014-5033, upgrade to KDE kdelibs version 4.14 or newer and KDE KAuth version 5.1 or newer.
What systems are affected by CVE-2014-5033?
CVE-2014-5033 affects various versions of KDE kdelibs prior to 4.14 and KAuth prior to 5.1, as well as specific versions of Debian and Ubuntu distributions.
What can attackers do with CVE-2014-5033?
Attackers can leverage CVE-2014-5033 to execute arbitrary code or perform unauthorized actions by exploiting a race condition.
Is CVE-2014-5033 still a risk today?
CVE-2014-5033 poses a risk on systems that have not been updated to fixed versions, as it affects older KDE libraries still in use.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/debian
- canonical/debian kde4libs
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- vendor/kde
- canonical/kde kauth
- version/kde kauth/5.0
- canonical/kde kdelibs3
- version/kde kdelibs3/4.13.97
- version/kde kdelibs3/4.10.0
- version/kde kdelibs3/4.10.1
- version/kde kdelibs3/4.10.2
- version/kde kdelibs3/4.10.3
- version/kde kdelibs3/4.10.95
- version/kde kdelibs3/4.10.97
- version/kde kdelibs3/4.11.0
- version/kde kdelibs3/4.11.1
- version/kde kdelibs3/4.11.2
- version/kde kdelibs3/4.11.3
- version/kde kdelibs3/4.11.4
- version/kde kdelibs3/4.11.5
- version/kde kdelibs3/4.11.80
- version/kde kdelibs3/4.11.90
- version/kde kdelibs3/4.11.95
- version/kde kdelibs3/4.11.97
- version/kde kdelibs3/4.12.0
- version/kde kdelibs3/4.12.1
- version/kde kdelibs3/4.12.2
- version/kde kdelibs3/4.12.3
- version/kde kdelibs3/4.12.4
- version/kde kdelibs3/4.12.5
- version/kde kdelibs3/4.12.80
- version/kde kdelibs3/4.12.90
- version/kde kdelibs3/4.12.95
- version/kde kdelibs3/4.12.97
- version/kde kdelibs3/4.13.0
- version/kde kdelibs3/4.13.1
- version/kde kdelibs3/4.13.2
- version/kde kdelibs3/4.13.3
- version/kde kdelibs3/4.13.80
- version/kde kdelibs3/4.13.90
- version/kde kdelibs3/4.13.95