CVE-2014-5033

Name: CVE-2014-5033
Description: KDE kdelibs before 4.14 and kauth before 5.1 do not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DLA-76-1, DSA-3004-1
NVD severity: medium (attack range: local)
Debian Bugs: 755814
Debian/oldstable: package kde4libs is vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

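| Source Package | Release | Version | Status |
|---|---|---|---|
| kde4libs (PTS) | squeeze | 4:4.4.5-2+squeeze3 | vulnerable |
| kde4libs | squeeze (lts) | 4:4.4.5-2+squeeze4 | fixed |
| kde4libs | wheezy, wheezy (security) | 4:4.8.4-4+deb7u1 | fixed |
| kde4libs | jessie, sid | 4:4.14.2-5 | fixed |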

The information above is based on the following data on fixed versions.

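| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| kde4libs | source | (unstable) | 4:4.13.3-2 | medium | | 755814 |
| kde4libs | source | squeeze | 4:4.4.5-2+squeeze4 | medium | DLA-76-1 | |
| kde4libs | source | wheezy | 4:4.8.4-4+deb7u1 | medium | DSA-3004-1 | |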

Notes

https://bugzilla.novell.com/show_bug.cgi?id=864716
http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23
