Wednesday, September 18, 2013

[USN-1953-1] polkit vulnerability

==========================================================================
Ubuntu Security Notice USN-1953-1
September 18, 2013

policykit-1 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS

Summary:

polkit could be tricked into giving out improper authorization.

Software Description:
- policykit-1: framework for managing administrative policies and privileges

Details:

It was discovered that polkit didn't allow applications to use the pkcheck
tool in a way which prevented a race condition in the UID lookup. A local
attacker could use this flaw to possibly escalate privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.04:
policykit-1 0.105-1ubuntu1.1

Ubuntu 12.10:
policykit-1 0.104-2ubuntu1.1

Ubuntu 12.04 LTS:
policykit-1 0.104-1ubuntu1.1

Ubuntu 10.04 LTS:
policykit-1 0.96-2ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1953-1
CVE-2013-4288

Package Information:
https://launchpad.net/ubuntu/+source/policykit-1/0.105-1ubuntu1.1
https://launchpad.net/ubuntu/+source/policykit-1/0.104-2ubuntu1.1
https://launchpad.net/ubuntu/+source/policykit-1/0.104-1ubuntu1.1
https://launchpad.net/ubuntu/+source/policykit-1/0.96-2ubuntu0.2
