CVE-2014-5033
Description
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Ubuntu Affected 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 14.04 | Affected | โ |
| 12.04 | Affected | โ |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| debian | kde4libs | - | |
| kde | kauth | {"endIncluding":"5.0"} | |
| kde | kdelibs | {"endIncluding":"4.13.97"} | |
| kde | kdelibs | 4.10.0 | |
| kde | kdelibs | 4.10.1 | |
| kde | kdelibs | 4.10.2 | |
| kde | kdelibs | 4.10.3 | |
| kde | kdelibs | 4.10.95 | |
| kde | kdelibs | 4.10.97 | |
| kde | kdelibs | 4.11.0 | |
| kde | kdelibs | 4.11.1 | |
| kde | kdelibs | 4.11.2 | |
| kde | kdelibs | 4.11.3 | |
| kde | kdelibs | 4.11.4 | |
| kde | kdelibs | 4.11.5 | |
| kde | kdelibs | 4.11.80 | |
| kde | kdelibs | 4.11.90 | |
| kde | kdelibs | 4.11.95 | |
| kde | kdelibs | 4.11.97 | |
| kde | kdelibs | 4.12.0 | |
| kde | kdelibs | 4.12.1 | |
| kde | kdelibs | 4.12.2 | |
| kde | kdelibs | 4.12.3 | |
| kde | kdelibs | 4.12.4 | |
| kde | kdelibs | 4.12.5 | |
| kde | kdelibs | 4.12.80 | |
| kde | kdelibs | 4.12.90 | |
| kde | kdelibs | 4.12.95 | |
| kde | kdelibs | 4.12.97 | |
| kde | kdelibs | 4.13.0 | |
| kde | kdelibs | 4.13.1 | |
| kde | kdelibs | 4.13.2 | |
| kde | kdelibs | 4.13.3 | |
| kde | kdelibs | 4.13.80 | |
| kde | kdelibs | 4.13.90 | |
| kde | kdelibs | 4.13.95 | |
References
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00012.html
- http://quickgit.kde.org/?p=kauth.git&a=commit&h=341b7d84b6d9c03cf56905cb277b47e11c81482a
- http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
- http://rhn.redhat.com/errata/RHSA-2014-1359.html
- http://secunia.com/advisories/60385
- http://secunia.com/advisories/60633
- http://secunia.com/advisories/60654
- http://www.debian.org/security/2014/dsa-3004
- http://www.kde.org/info/security/advisory-20140730-1.txt
- http://www.ubuntu.com/usn/USN-2304-1
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00012.html
- http://quickgit.kde.org/?p=kauth.git&a=commit&h=341b7d84b6d9c03cf56905cb277b47e11c81482a
- http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
- http://rhn.redhat.com/errata/RHSA-2014-1359.html
- http://secunia.com/advisories/60385
- http://secunia.com/advisories/60633
- http://secunia.com/advisories/60654
- http://www.debian.org/security/2014/dsa-3004
- http://www.kde.org/info/security/advisory-20140730-1.txt
- http://www.ubuntu.com/usn/USN-2304-1
CWEs
CWE-362
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.