CVE-2014-5033
medium
CVSS v3
—
CVSS v2
6.9
VIR risk
6.9
Description
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — http://www.kde.org/info/security/advisory-20140730-1.txt
Vendor advisory: cve@mitre.org — http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| ubuntu | 12.04 | affected | |
| ubuntu | 14.04 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| debian | kde4libs | - | |
| kde | kauth | {"endIncluding":"5.0"} | |
| kde | kdelibs | {"endIncluding":"4.13.97"} | |
| kde | kdelibs | 4.10.0 | |
| kde | kdelibs | 4.10.1 | |
| kde | kdelibs | 4.10.2 | |
| kde | kdelibs | 4.10.3 | |
| kde | kdelibs | 4.10.95 | |
| kde | kdelibs | 4.10.97 | |
| kde | kdelibs | 4.11.0 | |
| kde | kdelibs | 4.11.1 | |
| kde | kdelibs | 4.11.2 | |
| kde | kdelibs | 4.11.3 | |
| kde | kdelibs | 4.11.4 | |
| kde | kdelibs | 4.11.5 | |
| kde | kdelibs | 4.11.80 | |
| kde | kdelibs | 4.11.90 | |
| kde | kdelibs | 4.11.95 | |
| kde | kdelibs | 4.11.97 | |
| kde | kdelibs | 4.12.0 | |
| kde | kdelibs | 4.12.1 | |
| kde | kdelibs | 4.12.2 | |
| kde | kdelibs | 4.12.3 | |
| kde | kdelibs | 4.12.4 | |
| kde | kdelibs | 4.12.5 | |
| kde | kdelibs | 4.12.80 | |
| kde | kdelibs | 4.12.90 | |
| kde | kdelibs | 4.12.95 | |
| kde | kdelibs | 4.12.97 | |
| kde | kdelibs | 4.13.0 | |
| kde | kdelibs | 4.13.1 | |
| kde | kdelibs | 4.13.2 | |
| kde | kdelibs | 4.13.3 | |
| kde | kdelibs | 4.13.80 | |
| kde | kdelibs | 4.13.90 | |
| kde | kdelibs | 4.13.95 | |
References
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00012.html
- http://quickgit.kde.org/?p=kauth.git&a=commit&h=341b7d84b6d9c03cf56905cb277b47e11c81482a
- http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
- http://rhn.redhat.com/errata/RHSA-2014-1359.html
- http://secunia.com/advisories/60385
- http://secunia.com/advisories/60633
- http://secunia.com/advisories/60654
- http://www.debian.org/security/2014/dsa-3004
- http://www.kde.org/info/security/advisory-20140730-1.txt
- http://www.ubuntu.com/usn/USN-2304-1
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00012.html
- http://quickgit.kde.org/?p=kauth.git&a=commit&h=341b7d84b6d9c03cf56905cb277b47e11c81482a
- http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
- http://rhn.redhat.com/errata/RHSA-2014-1359.html
- http://secunia.com/advisories/60385
- http://secunia.com/advisories/60633
- http://secunia.com/advisories/60654
- http://www.debian.org/security/2014/dsa-3004
- http://www.kde.org/info/security/advisory-20140730-1.txt
- http://www.ubuntu.com/usn/USN-2304-1
CWEs
CWE-362
Verify integrity in audit chain (admin only). AS-IS.