Descriptiondbus/ in Software Properties 0.92.17 before, 0.92.9 before, and 0.82.7 before does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
software-properties (PTS)buster0.96.20.2-2fixed
sid, trixie, bookworm0.99.30-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
software-propertiessourcesqueeze(not affected)


[wheezy] - software-properties <no-dsa> (Minor issue)
[squeeze] - software-properties <not-affected> (Vulnerable code not present)

Search for package or bug name: Reporting problems