pkexec information disclosure vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
PolicyKit | Fix Released | Medium | |
policykit-1 (Ubuntu) | Fix Released | Low | Unassigned |
Hardy | Invalid | Undecided | Unassigned |
Intrepid | Invalid | Undecided | Unassigned |
Jaunty | Invalid | Undecided | Unassigned |
Karmic | Won't Fix | Low | Unassigned |
Lucid | Fix Released | Low | Unassigned | ubuntu-10.04
Bug Description
Binary package hint: policykit-1
pkexec is vulnerable to a minor information disclosure vulnerability that allows an attacker to verify whether or not arbitrary files exist, violating directory permissions. I reproduced the issue on my Karmic installation as follows:
```
$ mkdir secret
$ sudo chown root:root secret
$ sudo chmod 400 secret
$ sudo touch secret/hidden
$ pkexec /home/drosenbe/
(password prompt)
$ pkexec /home/drosenbe/
Error getting information about /home/drosenbe/
```
I've attached a simple patch that resolves the issue by using access() to check whether or not the user has permission to verify the existence of the file before calling stat() on it.
CVE References
visibility: private → public
Changed in policykit-1 (Ubuntu):
  status: New → Confirmed
  importance: Undecided → Low
tags: added: patch
tags: added: patch-accepted-upstream; removed: patch
Changed in policykit-1 (Ubuntu Karmic):
  status: New → Confirmed
Changed in policykit-1 (Ubuntu Lucid):
  milestone: none → ubuntu-10.04
Changed in policykit-1 (Ubuntu Intrepid):
  status: New → Confirmed
Changed in policykit-1 (Ubuntu Hardy):
  status: New → Confirmed
Changed in policykit-1 (Ubuntu Jaunty):
  status: New → Confirmed
Changed in policykit:
  importance: Undecided → Unknown
  status: New → Unknown
Changed in policykit-1 (Ubuntu Karmic):
  importance: Undecided → Low
Changed in policykit:
  importance: Unknown → Medium
  status: Unknown → Fix Released
Changed in policykit:
  importance: Medium → Unknown
Changed in policykit:
  importance: Unknown → Medium
Come to think of it, please ignore that patch. A determined attacker could exploit the race condition between the access() and stat() calls. I'll revisit this and produce a better patch within the next couple of days.
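Added example, covering both the leak in the bug description and the race noted in the comment above. This is not pkexec's source and not the reporter's patch: it puts the three path checks discussed on this page side by side, namely the privileged stat() that discloses existence, the access()-then-stat() fix that has a TOCTOU window, and a stat() performed with the caller's effective credentials, which leaves no second lookup to race against. The function names, the temporary directory layout (built to mirror the report) and the use of uid/gid 65534 as a stand-in unprivileged caller when the demo itself runs as root are assumptions made for this example.

```c
/* Added example; not pkexec's code and not the reporter's patch.
 * Function names, the temp-dir fixture and uid 65534 are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern from the report: the lookup runs with whatever privilege the
 * process holds (euid 0 for a setuid helper) and the outcome is reported
 * before any authorization, so ENOENT vs. success tells an unprivileged
 * caller whether a file exists in a directory they cannot search.
 * Returns 0 on success or the errno from stat(). */
int probe_privileged(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? 0 : errno;
}

/* The retracted patch: access() checks with the real uid and rejects paths
 * the caller cannot reach, but the following stat() still runs privileged.
 * Between the two calls the caller can repoint a symlink they own from a
 * readable target at the secret one: access() passes, stat() leaks. */
int probe_access_then_stat(const char *path)
{
    struct stat st;
    if (access(path, F_OK) != 0)
        return errno;
    /* TOCTOU window: the path may resolve elsewhere by now. */
    return stat(path, &st) == 0 ? 0 : errno;
}

/* Race-free: switch the effective ids to the caller's for the duration of
 * the stat() so the kernel applies the caller's permissions inside the one
 * lookup. For an unprivileged process switching to its own ids is a no-op. */
int probe_as_caller(const char *path, uid_t caller_uid, gid_t caller_gid)
{
    struct stat st;
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int result, e;

    if (setegid(caller_gid) != 0)          /* gid first: needs euid 0 */
        return errno;
    if (seteuid(caller_uid) != 0) {
        e = errno; setegid(saved_gid); return e;
    }
    result = stat(path, &st) == 0 ? 0 : errno;
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        abort();                           /* never continue as the wrong identity */
    return result;
}

/* Constructed fixture mirroring the report: <dir>/secret/hidden with "secret"
 * chmod 0, so even its owner cannot search it; <dir> itself is 0755. */
int build_fixture(char *dir, size_t dirlen)
{
    char tmpl[] = "/tmp/pkexec-leak-XXXXXX", secret[256], hidden[256];
    FILE *f;
    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(dir, dirlen, "%s", tmpl);
    snprintf(secret, sizeof secret, "%s/secret", tmpl);
    snprintf(hidden, sizeof hidden, "%s/secret/hidden", tmpl);
    if (chmod(tmpl, 0755) != 0 || mkdir(secret, 0700) != 0)
        return -1;
    if ((f = fopen(hidden, "w")) == NULL)
        return -1;
    fclose(f);
    return chmod(secret, 0);
}

int remove_fixture(const char *dir)
{
    char secret[256], hidden[256];
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(hidden, sizeof hidden, "%s/secret/hidden", dir);
    chmod(secret, 0700);
    unlink(hidden);
    rmdir(secret);
    return rmdir(dir);
}

int main(void)
{
    char dir[64], hidden[256], missing[256];
    /* Assumption: when run as root, 65534 stands in for the unprivileged caller. */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getuid() ? getgid() : 65534;
    if (build_fixture(dir, sizeof dir) != 0) {
        perror("fixture");
        return 1;
    }
    snprintf(hidden, sizeof hidden, "%s/secret/hidden", dir);
    snprintf(missing, sizeof missing, "%s/secret/missing", dir);
    printf("privileged stat: hidden=%s, missing=%s\n",
           strerror(probe_privileged(hidden)), strerror(probe_privileged(missing)));
    printf("stat as caller : hidden=%s, missing=%s\n",
           strerror(probe_as_caller(hidden, uid, gid)),
           strerror(probe_as_caller(missing, uid, gid)));
    return remove_fixture(dir);
}
```

Run it as root to see the disclosure: the privileged stat() answers "Success" for secret/hidden and "No such file or directory" for secret/missing, while the stat() done as the caller answers "Permission denied" for both. Run unprivileged, every probe returns "Permission denied" for both paths, which is the behaviour a non-root caller should always get. Note that seteuid() leaves the supplementary group list untouched; a real helper that wants the caller's full view of the filesystem would also set it, or fork a child that drops privileges permanently before the lookup.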