Bugzilla – Bug 935119
VUL-1: CVE-2015-4625: polkit: cookie generation wrapping with 32bit counter
Last modified: 2016-04-27 19:40:37 UTC
CVE-2015-4625

original posting: http://seclists.org/oss-sec/2015/q2/659
From: Colin Walters <walters () verbum org>
Date: Mon, 08 Jun 2015 08:24:50 -0400

See: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000419.html

And because mailman breaks threading across months:
http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html

followup:

Your message seems to be about various security analysis posted to a mailing-list thread with about 10 messages, accompanied by at least two bug reports:

https://bugs.freedesktop.org/show_bug.cgi?id=90837
https://bugs.freedesktop.org/show_bug.cgi?id=90832

with a total of about 15 comments. In this situation, we're not sure that there's any practical way for us to distill that into a consensus statement of what the CVE or CVEs would be for. The original 2015-05-29 message seems to be about clients whereas the first 2015-06-03 message seems to be about users or uids. Is there any polkit documentation that suggests that two clients are allowed to interfere with each other as long as they have the same uid? (This is in the general case where at least one of the two clients is executing with substantial restrictions.)

For purposes of CVE, we may be able to model this as a situation in which the (realistically exploitable) counter wraparound is a clear implementation error and can have a CVE ID, but the concept of uid matching is a design change that is essentially outside the scope of CVE. Would that be OK?

cve assignment: http://seclists.org/oss-sec/2015/q2/736

https://bugs.freedesktop.org/show_bug.cgi?id=90837
https://bugs.freedesktop.org/show_bug.cgi?id=90832

This can have a single CVE ID, CVE-2015-4625.

> this approach passes through the uid of the caller from the setuid binary, ensuring that we only look up `AuthenticationAgent`s that were created by a matching uid.

With only this change, the original report of "another process can generate 2^32 authentication sessions and just disconnect immediately. The counter gets incremented but the cookies never get removed from the list, until eventually counter wraps and a second cookie is minted." would still be considered an implementation error, but it could no longer be considered "exploitable" in the context of the current polkit security model. In other words, because the two concerns (90832 and 90837) are not independent vulnerabilities, there should not be two CVE IDs.
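The counter wraparound described in the report, modelled in C as an added example (this is not polkit's code and not from the bug's authors). The cookie table, a plain 32-bit serial used as the whole cookie, and the hardened variant (64-bit serial plus a random suffix, with the entry removed when the session ends) are all assumptions chosen for illustration; the 2^32 connect-and-disconnect cycles are skipped by setting the counter directly, and the uid matching discussed in the comment is not modelled.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the table of outstanding authentication cookies; a fixed
 * array is enough to show the failure mode the report describes. */
#define MAX_COOKIES 16
#define COOKIE_LEN  64

struct cookie_table { char cookies[MAX_COOKIES][COOKIE_LEN]; size_t n; };

/* 1 if `cookie` is still outstanding in the table, 0 otherwise. */
static int cookie_outstanding(const struct cookie_table *t, const char *cookie) {
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->cookies[i], cookie) == 0)
            return 1;
    return 0;
}

static void cookie_add(struct cookie_table *t, const char *cookie) {
    if (t->n < MAX_COOKIES)
        snprintf(t->cookies[t->n++], COOKIE_LEN, "%s", cookie);
}

/* Drop a cookie when its session ends: the step the report says never happened. */
static void cookie_remove(struct cookie_table *t, const char *cookie) {
    for (size_t i = 0; i < t->n; i++) {
        if (strcmp(t->cookies[i], cookie) == 0) {
            memmove(t->cookies[i], t->cookies[i + 1], (t->n - i - 1) * COOKIE_LEN);
            t->n--;
            return;
        }
    }
}

/* ---- Vulnerable model: the cookie is just a 32-bit serial and entries are never freed ---- */
static uint32_t serial32;

/* Mint a cookie into `out`; returns 1 if the value collides with one still in the table. */
static int mint_wrapping(struct cookie_table *t, char *out) {
    snprintf(out, COOKIE_LEN, "%" PRIu32, serial32++);   /* wraps after 2^32 mints */
    int dup = cookie_outstanding(t, out);
    cookie_add(t, out);
    return dup;
}

int demo_wraparound(void) {
    struct cookie_table t = { .n = 0 };
    char c[COOKIE_LEN];
    serial32 = 0;
    for (int i = 0; i < 3; i++)
        mint_wrapping(&t, c);          /* long-lived sessions hold "0", "1", "2" */
    /* Stand-in for 2^32-5 connect-and-disconnect cycles by another process: the
     * counter advances but nothing is removed from the table. */
    serial32 = UINT32_MAX - 1;
    mint_wrapping(&t, c);              /* "4294967294" */
    mint_wrapping(&t, c);              /* "4294967295" */
    return mint_wrapping(&t, c);       /* wraps to "0": a second cookie "0" is minted, returns 1 */
}

/* ---- Hardened model (an assumed design, not polkit's code): 64-bit serial plus a
 * random suffix, and the entry is removed when the session ends ---- */
static uint64_t serial64;
static uint64_t prng_state = 0x9E3779B97F4A7C15ull;

/* xorshift64 stands in for a CSPRNG such as getrandom(2); it is deterministic here
 * only so that the example is reproducible. */
static uint64_t prng_next(void) {
    uint64_t x = prng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return prng_state = x;
}

static int mint_hardened(struct cookie_table *t, char *out) {
    uint64_t r1 = prng_next(), r2 = prng_next();
    snprintf(out, COOKIE_LEN, "%" PRIu64 "-%016" PRIx64 "%016" PRIx64, serial64++, r1, r2);
    int dup = cookie_outstanding(t, out);
    cookie_add(t, out);
    return dup;
}

/* Same scenario; returns 0 when no cookie is reissued and the table stays bounded. */
int demo_hardened(void) {
    struct cookie_table t = { .n = 0 };
    char c[COOKIE_LEN];
    serial64 = 0;
    for (int i = 0; i < 3; i++)
        mint_hardened(&t, c);          /* three long-lived sessions */
    for (int i = 0; i < 1000; i++) {   /* attacker churn: mint, disconnect, entry freed */
        mint_hardened(&t, c);
        cookie_remove(&t, c);
    }
    serial64 = (uint64_t)UINT32_MAX - 1;   /* where the 32-bit counter was about to wrap */
    int dup = 0;
    for (int i = 0; i < 3; i++)
        dup |= mint_hardened(&t, c);   /* serial keeps growing past 2^32: no reuse */
    return dup || t.n != 6;            /* 3 early + 3 new cookies outstanding */
}
```

The two halves of the fix matter independently: widening the serial and adding a random component stops a wrapped counter from reissuing a value an attacker's agent already holds, while removing entries on disconnect stops the table from growing without bound in the first place. Neither addresses the uid-matching question raised in the comment, which is a separate design decision.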
bugbot adjusting priority
the way PolicyKit0 works is entirely different, so this should not affect the SLE11 PolicyKit.
openSUSE-SU-2015:1734-1: An update that fixes four vulnerabilities is now available.
Category: security (important)
Bug References: 933922,935119,939246,943816
CVE References: CVE-2015-3218,CVE-2015-3255,CVE-2015-3256,CVE-2015-4625
Sources used:
openSUSE 13.2 (src): polkit-0.113-3.8.1
openSUSE 13.1 (src): polkit-0.113-9.1

SUSE-SU-2015:1838-1: An update that solves four vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 912889,933922,935119,939246,943816,950114
CVE References: CVE-2015-3218,CVE-2015-3255,CVE-2015-3256,CVE-2015-4625
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): polkit-0.113-4.1
SUSE Linux Enterprise Software Development Kit 12 (src): polkit-0.113-4.1
SUSE Linux Enterprise Server 12 (src): polkit-0.113-4.1
SUSE Linux Enterprise Desktop 12 (src): polkit-0.113-4.1

openSUSE-SU-2015:1927-1: An update that solves four vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 912889,933922,935119,939246,943816,950114
CVE References: CVE-2015-3218,CVE-2015-3255,CVE-2015-3256,CVE-2015-4625
Sources used:
openSUSE Leap 42.1 (src): polkit-0.113-6.1
released