oss-sec mailing list archives
CVE request: privilege escalation in sectool
From: Vincent Danen <vdanen () redhat com>
Date: Tue, 3 Apr 2012 16:54:44 -0600
Colin Guthrie reported that sectool would elevate user privileges when it was installed on a system, due to an incorrect DBus file (specifically org.fedoraproject.sectool.mechanism.conf). This could allow a user with no additional privileges to elevate theirs (for instance to restart a service they would not normally have permission to restart).

Further details are in the bug, and a patch is available:

https://bugzilla.redhat.com/show_bug.cgi?id=809437
http://pkgs.fedoraproject.org/gitweb/?p=sectool.git;a=blob;f=sectool-0.9.5-dbus.patch;h=aedb3ef7f7e5ab22d5438bfb7eee63489ccf3244;hb=4859832281f0e08c6fbe48fc252c4199a0e9e322

Since this was reported and committed publicly, I'm requesting a CVE in case one has already been assigned.

Thanks.

--
Vincent Danen / Red Hat Security Response Team
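Added example, not part of the original post and not sectool's code: a small audit for D-Bus bus policy files that flags `<allow>` rules matching outgoing messages without naming a destination, since such a rule applies to every service on the bus, not only the package's own. The post does not show the file's contents, so this class of mistake is an assumption; the sample policy and the name `org.example.mechanism` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (NOT the sectool file; the service name is hypothetical).
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.mechanism"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.example.mechanism"/>
    <allow send_type="method_call"/>
    <allow send_destination="org.example.mechanism"
           send_interface="org.example.mechanism"/>
  </policy>
</busconfig>"""

# Attributes that restrict a send rule to a particular destination service.
SCOPING = ("send_destination", "send_destination_prefix")


def policy_subject(policy):
    """Describe who a <policy> element applies to."""
    for key in ("context", "user", "group"):
        if key in policy.attrib:
            return f'{key}="{policy.attrib[key]}"'
    return "other"


def unscoped_send_allows(xml_text):
    """Return (policy subject, rule attributes) for each <allow> that matches
    outgoing messages but names no destination, so it applies bus-wide."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        for rule in policy.findall("allow"):
            attrs = rule.attrib
            sends = any(k.startswith("send_") for k in attrs)
            if sends and not any(k in attrs for k in SCOPING):
                findings.append((policy_subject(policy), dict(attrs)))
    return findings


if __name__ == "__main__":
    for subject, attrs in unscoped_send_allows(SAMPLE_POLICY):
        print(f"policy {subject}: <allow {attrs}> has no send_destination")
```

Pass the text of each file under the system bus policy directory to `unscoped_send_allows` and review any finding in a `context="default"` policy first, since that policy applies to all users.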