Bug 836937 (CVE-2013-4325) - VUL-0: CVE-2013-4325 hplip: use of insecure polkit DBUS API (polkit-process subject race condition)
Status: RESOLVED FIXED
Alias: CVE-2013-4325
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P2 - High : Normal
Target Milestone: ---
Deadline: 2013-11-08
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:sle11-sp2:55891 CVSSv2...
Depends on: CVE-2013-4288
Reported: 2013-08-27 08:42 UTC by Sebastian Krahmer
Modified: 2019-05-01 16:08 UTC (History)
Attachments
proposed patch, using systembus rather than pid (1.61 KB, patch)
2013-08-27 08:46 UTC, Sebastian Krahmer

Description Sebastian Krahmer 2013-08-27 08:42:17 UTC
+++ This bug was initially created as a clone of Bug #835827 +++

This is a place holder for the upcoming polkit pkcheck race fix
which is discussed with upstream.
Comment 1 Sebastian Krahmer 2013-08-27 08:45:53 UTC
Anyone could bypass the polkit check and install plugins/drivers.

Attaching proposed fix from upstream. No CRD yet. The issue
is EMBARGOED.
Comment 2 Sebastian Krahmer 2013-08-27 08:46:51 UTC
Created attachment 554414 [details]
proposed patch, using systembus rather than pid

.
Comment 3 Sebastian Krahmer 2013-09-09 07:37:36 UTC
CVE-2013-4288
Comment 4 Sebastian Krahmer 2013-09-09 07:37:48 UTC
CRD Sept 11th
Comment 7 Sebastian Krahmer 2013-09-11 06:28:37 UTC
New CRD coming and new CVE:

CVE-2013-4325 hplip: use of insecure polkit DBUS API

please hold submission until new CRD is confirmed.
Comment 8 Sebastian Krahmer 2013-09-11 14:37:09 UTC
New CRD: Sept 18th.
Comment 11 Johannes Meixner 2013-10-22 10:21:29 UTC
I didn't find documentation on how to do it for a product
that is currently in RC phase (i.e. openSUSE 13.1).

I did the following:
-----------------------------------------------------------------------------
$ osc branch openSUSE:13.1 hplip

[added fix-CVE-2013-4325.diff]

$ osc submitrequest -m \
 'HPLIP security fix for bnc#836937 CVE-2013-4325 for openSUSE 13.1' \
 home:jsmeix:branches:openSUSE:13.1 hplip openSUSE:13.1 hplip
Server returned an error: HTTP Error 403: Forbidden
The target project openSUSE:13.1 is not accepting requests because:
 Please submit to openSUSE:Factory or openSUSE:13.1:Update

$ osc submitrequest -m \
 'HPLIP security fix for bnc#836937 CVE-2013-4325 for openSUSE 13.1' \
 home:jsmeix:branches:openSUSE:13.1 hplip openSUSE:13.1:Update hplip
WARNING:
WARNING: Project does not accept submit request, request to open
 a NEW maintenance incident instead
WARNING:
created request id Request: #204271

  maintenance_incident: home:jsmeix:branches:openSUSE:13.1/hplip ->
  openSUSE:Maintenance (release in openSUSE:13.1:Update)

Message:
HPLIP security fix for bnc#836937 CVE-2013-4325 for openSUSE 13.1

State:   new        2013-10-22T10:14:40 jsmeix
Comment: <no comment>
-----------------------------------------------------------------------------
Comment 12 Bernhard Wiedemann 2013-10-22 11:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (836937) was mentioned in
https://build.opensuse.org/request/show/204271 13.1 / hplip
Comment 13 Johannes Meixner 2013-10-22 14:10:53 UTC
Submitted also a fix for openSUSE 12.3:
------------------------------------------------------------------------------
$ osc submitrequest -m \
 'HPLIP security fix for bnc#836937 CVE-2013-4325 for openSUSE 12.3' \
  home:jsmeix:branches:openSUSE:12.3:Update hplip openSUSE:12.3:Update hplip
WARNING:
WARNING: Project does not accept submit request, request to open a NEW maintenance incident instead
WARNING:
created request id Request: #204312

  maintenance_incident: home:jsmeix:branches:openSUSE:12.3:Update/hplip ->
  openSUSE:Maintenance (release in openSUSE:12.3:Update)

Message:
HPLIP security fix for bnc#836937 CVE-2013-4325 for openSUSE 12.3

State:   new        2013-10-22T14:03:46 jsmeix
Comment: <no comment>
------------------------------------------------------------------------------
Comment 14 Bernhard Wiedemann 2013-10-22 15:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (836937) was mentioned in
https://build.opensuse.org/request/show/204312 12.3 / hplip
Comment 15 Johannes Meixner 2013-10-23 12:26:49 UTC
Submitted also a fix for openSUSE 12.2:
------------------------------------------------------------------------------
$ osc submitrequest -m \
 'HPLIP security fix for bnc#836937 CVE-2013-4325 for openSUSE 12.2' \
home:jsmeix:branches:openSUSE:12.2:Update hplip openSUSE:12.2:Update hplip
WARNING:
WARNING: Project does not accept submit request, request to open a NEW maintenance incident instead
WARNING:
created request id Request: #204429

  maintenance_incident: home:jsmeix:branches:openSUSE:12.2:Update/hplip ->
  openSUSE:Maintenance (release in openSUSE:12.2:Update)

Message:
HPLIP security fix for bnc#836937 CVE-2013-4325 for openSUSE 12.2

State:   new        2013-10-23T12:25:55 jsmeix
Comment: <no comment>
------------------------------------------------------------------------------
Comment 16 Johannes Meixner 2013-10-23 12:29:48 UTC
According to
--------------------------------------------
$ osc maintained hplip
openSUSE:12.2:Update/hplip
openSUSE:12.3:Update/hplip
--------------------------------------------
the issue is now fixed for all maintained openSUSE versions
plus the upcoming openSUSE 13.1.
Comment 17 Bernhard Wiedemann 2013-10-23 13:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (836937) was mentioned in
https://build.opensuse.org/request/show/204429 12.2 / hplip
Comment 21 Johannes Meixner 2013-10-23 14:40:21 UTC
My fix for openSUSE 12.2 is broken!
For now do not release it.
I am correcting it...
Comment 22 Johannes Meixner 2013-10-23 14:47:47 UTC
I cannot revoke request 204429 because it is already accepted.
I submitted request 204439 with the fixed fix for openSUSE 12.2.
Comment 23 Bernhard Wiedemann 2013-10-23 15:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (836937) was mentioned in
https://build.opensuse.org/request/show/204439 12.2 / hplip
Comment 33 Swamp Workflow Management 2013-10-31 15:04:57 UTC
openSUSE-SU-2013:1617-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 835827,836937
CVE References: CVE-2013-4288,CVE-2013-4325
Sources used:
openSUSE 12.3 (src):    hplip-3.12.11-2.5.1
openSUSE 12.2 (src):    hplip-3.12.4-3.6.1
Comment 34 Swamp Workflow Management 2013-11-01 08:04:34 UTC
openSUSE-SU-2013:1620-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 835827,836937
CVE References: CVE-2013-4288,CVE-2013-4325
Sources used:
openSUSE 11.4 (src):    hplip-3.11.5-1.15.1
Comment 35 Marcus Meissner 2013-11-21 14:11:10 UTC
assuming fixed, and sle requiring no fix currently.
Comment 36 systemd maintainers 2013-11-26 10:02:58 UTC
Fixed
Comment 37 Sebastian Krahmer 2013-11-26 10:09:36 UTC
update not yet finished
Comment 38 Dr. Werner Fink 2013-11-26 10:14:15 UTC
(In reply to comment #37)

Please make my bug list free! That is, do not block bugs for the assignee systemd-maintainers. I'd like to be able to reduce the number of open bugs to have a better view of the relevant bugs.
Comment 39 Sebastian Krahmer 2013-11-26 10:39:16 UTC
I cleaned up the dependencies. That's better?

We need to keep this bug open for tracking, in particular there
seem to be some issues in hplip which we want to fix along.
Comment 40 Dr. Werner Fink 2013-11-26 10:44:56 UTC
(In reply to comment #39)
Indeed the systemd bug #836932 remains closed, thanks a lot
Comment 43 Swamp Workflow Management 2014-02-03 16:53:51 UTC
Update released for: hplip, hplip-debuginfo, hplip-debugsource, hplip-hpijs
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 44 Swamp Workflow Management 2014-02-03 20:04:41 UTC
SUSE-SU-2014:0188-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 808355,835827,836937,852368
CVE References: CVE-2013-0200,CVE-2013-4325,CVE-2013-6402
Sources used:
SUSE Linux Enterprise Server 11 SP2 for VMware (src):    hplip-3.11.10-0.6.11.1
SUSE Linux Enterprise Server 11 SP2 (src):    hplip-3.11.10-0.6.11.1
SUSE Linux Enterprise Desktop 11 SP2 (src):    hplip-3.11.10-0.6.11.1
Comment 45 Swamp Workflow Management 2014-02-06 20:04:50 UTC
SUSE-SU-2014:0188-2: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 808355,835827,836937,852368
CVE References: CVE-2013-0200,CVE-2013-4325,CVE-2013-6402
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    hplip-3.11.10-0.6.11.1
SUSE Linux Enterprise Server 11 SP3 (src):    hplip-3.11.10-0.6.11.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    hplip-3.11.10-0.6.11.1
Comment 46 Marcus Meissner 2014-02-13 15:27:54 UTC
sle10 not affected I suspect ... so done