polkit, Spice-Gtk, systemd, HPLIP, libvirt: Privilege escalation — GLSA 201406-27

A race condition in polkit could allow a local attacker to gain escalated privileges.

Affected packages

net-print/hplip on all architectures
  Affected versions: < 3.14.1
  Unaffected versions: >= 3.14.1

net-misc/spice-gtk on all architectures
  Affected versions: < 0.21
  Unaffected versions: >= 0.21

sys-apps/systemd on all architectures
  Affected versions: < 204-r1
  Unaffected versions: >= 204-r1

app-emulation/libvirt on all architectures
  Affected versions: < 1.1.2-r3
  Unaffected versions: >= 1.1.2-r3

sys-auth/polkit on all architectures
  Affected versions: < 0.112
  Unaffected versions: >= 0.112

Background

polkit is a toolkit for managing policies relating to unprivileged processes communicating with privileged processes.

Description

polkit has a race condition which potentially allows a process to change its UID/EUID via suid or pkexec before authentication is completed.

Impact

A local attacker could start a suid or pkexec process through a polkit-enabled application, which could result in privilege escalation or bypass of polkit restrictions.

Workaround

There is no known workaround at this time.

Resolution

All polkit users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-auth/polkit-0.112"
 

All HPLIP users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-print/hplip-3.14.1"
 

All Spice-Gtk users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/spice-gtk-0.21"
 

All systemd users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/systemd-204-r1"
 

All libvirt users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-emulation/libvirt-1.1.2-r3"
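
To confirm which hosts still need the upgrades above, the following added example (not part of the original advisory) flags packages whose installed version is older than the fixed version listed under "Affected packages". The "category/package version" input format, the sample inventory and the function names are assumptions, and the comparison handles only dotted numeric versions with an optional -rN revision, which covers every version named in this advisory.

```shell
#!/bin/sh
# Fixed ("unaffected >=") versions, copied from the advisory's package list.
FIXED='net-print/hplip 3.14.1
net-misc/spice-gtk 0.21
sys-apps/systemd 204-r1
app-emulation/libvirt 1.1.2-r3
sys-auth/polkit 0.112'

# Constructed sample inventory (not taken from a real host).
SAMPLE='sys-auth/polkit 0.110
sys-apps/systemd 204
app-emulation/libvirt 1.1.2-r3
net-misc/spice-gtk 0.21
net-print/hplip 3.13.11
app-editors/vim 7.4'

# ver_lt A B: succeed if version A is older than version B.
# Assumption: dotted numeric components, no leading zeros, optional -rN.
ver_lt() {
    va=${1%-r*}; vb=${2%-r*}; ra=0; rb=0
    case $1 in *-r*) ra=${1##*-r} ;; esac
    case $2 in *-r*) rb=${2##*-r} ;; esac
    while [ -n "$va" ] || [ -n "$vb" ]; do
        if [ -z "$va" ]; then return 0; fi   # A has fewer components: older
        if [ -z "$vb" ]; then return 1; fi
        x=${va%%.*}; y=${vb%%.*}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    [ "$ra" -lt "$rb" ]                      # same base version: compare revisions
}

# affected_from_list: read "category/package version" lines on stdin and
# print every entry that is older than the fixed version for that package.
affected_from_list() {
    while read -r pkg ver; do
        fixed=$(printf '%s\n' "$FIXED" | awk -v p="$pkg" '$1 == p { print $2 }')
        [ -n "$fixed" ] || continue          # package not covered by this advisory
        if ver_lt "$ver" "$fixed"; then
            printf '%s-%s is affected (fixed in %s)\n' "$pkg" "$ver" "$fixed"
        fi
    done
}

printf '%s\n' "$SAMPLE" | affected_from_list
```

Note that 0.21 sorts below 0.112 because components are compared as integers, so a plain string comparison would misjudge the polkit and Spice-Gtk thresholds.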
 

Release date
June 26, 2014

Latest revision
June 26, 2014: 1

Severity
high

Exploitable
local