CVE-2013-4324
published 2013-10-03
Priority P417, medium, 4.6 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.38% (30.2th percentile)
spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | spice-gtk | < spice-gtk 0.21-0nocelt1 (bookworm) | spice-gtk 0.21-0nocelt1 (bookworm) |
| redhat | enterprise_linux | — | — |
| spice-gtk_project | spice-gtk | — | — |
| spice-gtk_project | spice-gtk | >= 0 < 0.21-0nocelt1 | 0.21-0nocelt1 |
CVSS provenance
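| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.2 | HIGH | |
| vendor_debian | | 7.2 | LOW | |
| vendor_redhat | | 7.2 | HIGH | |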
GHSA
GHSA-4qg9-qqgj-hw85: spice-gtk 0
ghsa_unreviewed·2022-05-14·CVSS 7.2
CVE-2013-4324 [HIGH] GHSA-4qg9-qqgj-hw85: spice-gtk 0
OSV
CVE-2013-4324: spice-gtk 0
osv·2013-10-03·CVSS 7.2
CVE-2013-4324 [HIGH] CVE-2013-4324: spice-gtk 0
Red Hat
spice-gtk: Insecure calling of polkit via polkit_unix_process_new()
vendor_redhat·2013-09-18·CVSS 7.2
CVE-2013-4324 [HIGH] spice-gtk: Insecure calling of polkit via polkit_unix_process_new()
Package: spice-gtk (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2013-4324: spice-gtk - spice-gtk 0.14, and possibly other versions, invokes the polkit authority using ...
vendor_debian·2013·CVSS 7.2
CVE-2013-4324 [HIGH] CVE-2013-4324: spice-gtk - spice-gtk 0.14, and possibly other versions, invokes the polkit authority using ...
Scope: local
bookworm: resolved (fixed in 0.21-0nocelt1)
bullseye: resolved (fixed in 0.21-0nocelt1)
forky: resolved (fixed in 0.21-0nocelt1)
sid: resolved (fixed in 0.21-0nocelt1)
trixie: resolved (fixed in 0.21-0nocelt1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-4324 spice-gtk: Insecure calling of polkit via polkit_unix_process_new() [fedora-all]
bugzilla·2013-09-18·CVSS 4.6
CVE-2013-4324 [MEDIUM] CVE-2013-4324 spice-gtk: Insecure calling of polkit via polkit_unix_process_new() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please not
Bugzilla
CVE-2013-4324 spice-gtk: Insecure calling of polkit via polkit_unix_process_new()
bugzilla·2013-09-11·CVSS 7.2
CVE-2013-4324 [HIGH] CVE-2013-4324 spice-gtk: Insecure calling of polkit via polkit_unix_process_new()
Sebastian Krahmer reported a security issue was found in polkit (CVE-2013-4288 bz 1002375).
It was found that spice-gtk was vulnerable to this issue as well, since it communicated to polkit authority using the unsafe polkit_unix_process_new() interface. Consequently polkit has now deprecated the use of polkit_unix_process_new() and spice-gtk has been patched to use the safer (already existing) polkit_unix_process_new_for_owner() interface.
This issue has been assigned CVE-2013-4324.
Discussion:
Created attachment 796257
spice-gtk patch
---
This is now public:
http://www.openwall.com/lists/oss-security/2013/09/18/4
---
Created spice-gtk tracking bugs for this issue:
Affects: fedora-all [bug 1009540]
Bugzilla
CVE-2013-4288 polkit: unix-process subject for authorization is racy
bugzilla·2013-08-29·CVSS 7.2
CVE-2013-4288 [HIGH] CVE-2013-4288 polkit: unix-process subject for authorization is racy
Sebastian Krahmer reported a race condition in the polkit unix-process subject for authorization. It depended on the (PID, startup_time) pair to be passed to polkit, which then used /proc/PID/status to find the UID the process belongs to. A local attacker could exploit this issue via a polkit enabled application, by starting a suid or pkexec process, changing the euid and/or uid at will. This could result in bypassing polkit authorizations or even privilege escalation in some cases.
Discussion:
Created attachment 795472
polkit patch
---
Created attachment 795473
spice-gtk patch
Instead of using polkit_unix_process_new() which can be racy, spice-gtk is modified to use polkit_unix_process_new_for_owner()
---
Created att
http://lists.opensuse.org/opensuse-updates/2013-10/msg00031.html
http://rhn.redhat.com/errata/RHSA-2013-1273.html
http://secunia.com/advisories/54947
http://www.openwall.com/lists/oss-security/2013/09/18/6
http://www.securityfocus.com/bid/62538