Bugzilla – Bug 836931
VUL-1: CVE-2013-4311: libvirtd: polkit-process subject race condition
Last modified: 2021-04-23 14:12:47 UTC
+++ This bug was initially created as a clone of Bug #835827 +++
This is a placeholder for the upcoming polkit pkcheck race fix which is discussed with upstream.
VUL-1 should suffice
bugbot adjusting priority
EMBARGOED, CRD will follow
CVE-2013-4288
CRD Sept 11th
The patch comes from polkit upstream: http://people.freedesktop.org/~walters/secret/38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b/ There was a mail on libvirt-security list today which follows in next comment.
Created attachment 556677 [details] 0001-git-master-Also-store-user-group-ID-values-in-virIdentity.patch
Created attachment 556678 [details] 0001-rhel6-Include-process-start-time-when-doing-polkit-checks.patch
Created attachment 556679 [details] 0002-git-master-Ensure-system-identity-includes-process-start-time.patch
Created attachment 556680 [details] 0002-rhel6-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch
Created attachment 556681 [details] 0003-git-master-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch
That's all the patches we got from libvirt-security list.
I just see that they also include the libvirt patches in the git. Good.
new CRD coming and new CVE: CVE-2013-4311 libvirt: insecure calling of polkit via libgobject API
New CRD: Sept 18th. Updated patches will be pushed to git from comment#7
I think this only affects openSUSE 12.2, 12.3, and Factory/13.1, where we use the newer PolicyKit with libvirt. In SLE 11, libvirt integrates with the old "polkit0", which doesn't use pkcheck.
Sigh... Several hours of wasted time backporting the fix to 12.2 and testing it. Anyhow, it is done now for all affected products: openSUSE12.2, SR#201960; openSUSE12.3, SR#201961; openSUSE13.1/Factory, SR#201962. I'm done here, reassigning to security team.
This is an autogenerated message for OBS integration: This bug (836931) was mentioned in
  https://build.opensuse.org/request/show/201960 12.2 / libvirt
  https://build.opensuse.org/request/show/201961 12.3 / libvirt
  https://build.opensuse.org/request/show/201962 Factory / libvirt
openSUSE-SU-2013:1549-1: An update that fixes two vulnerabilities is now available.
  Category: security (moderate)
  Bug References: 836931,838638
  CVE References: CVE-2013-4296,CVE-2013-4311
  Sources used: openSUSE 12.2 (src): libvirt-0.9.11.9-1.13.1
openSUSE-SU-2013:1550-1: An update that solves three vulnerabilities and has two fixes is now available.
  Category: security (moderate)
  Bug References: 810611,820888,836931,837999,838638
  CVE References: CVE-2013-4296,CVE-2013-4311,CVE-2013-5651
  Sources used: openSUSE 12.3 (src): libvirt-1.0.2-1.10.1
Update released for: libvirt, libvirt-client, libvirt-client-32bit, libvirt-client-x86, libvirt-debuginfo, libvirt-debugsource, libvirt-devel, libvirt-devel-32bit, libvirt-doc, libvirt-lock-sanlock, libvirt-python
  Products:
  SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
  SLE-DESKTOP 11-SP3 (i386, x86_64)
  SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
  SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
fixed