Local Access Bypass Vulnerability in KDE kdelibs and kauth Products
CVE-2014-5033

Currently unrated

Key Information:

Vendor: Debian
CVE Published: 19 August 2014

Summary

KDE's kdelibs prior to version 4.14 and kauth before version 5.1 do not properly use D-Bus when communicating with a polkit authority. This flaw creates a race condition involving the PolkitUnixProcess PolkitSubject, permitting local users to potentially bypass intended access controls. The issue can be exploited via a setuid process or a pkexec command, which may let a local attacker perform privileged actions without proper authorization.
