SB2013120503 - Race condition in polkit (Alpine package)
Published: December 5, 2013
Description
This security bulletin contains information about 1 security vulnerability.
1) Race condition (CVE-ID: CVE-2013-4288)
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=556afbac4b873006dafd16e6f0635b28f7cc1164
- https://git.alpinelinux.org/aports/commit/?id=ec563f54fcb69061dbbeb7ac0d4bc08455148f90
- https://git.alpinelinux.org/aports/commit/?id=d2bfb22c8e8f67ad7d8d02704f35ec4d2a19f9b9
- https://git.alpinelinux.org/aports/commit/?id=5ae83ccf3e1cc61b24f9e5f130462386aaf840cb
- https://git.alpinelinux.org/aports/commit/?id=6fe5385eb32b42ebe7440f307380873153658bc0
- https://git.alpinelinux.org/aports/commit/?id=a215f1937c91916b1b5162e49e996708eb456e67
- https://git.alpinelinux.org/aports/commit/?id=39904e42477722d27b1a55bfe61a438f398e5bd2
- https://git.alpinelinux.org/aports/commit/?id=6856c318fc7bade88d2c9dab3c2cf1f0464d344d
- https://git.alpinelinux.org/aports/commit/?id=b792bfcdc98dcc58a2483292fbe28ff04a19f7b4
- https://git.alpinelinux.org/aports/commit/?id=368db46ca0855b16fd56371a1dd0b3c829b61d6a
- https://git.alpinelinux.org/aports/commit/?id=43de28a5532fe55c0b52196fd78c8a43b8694f82