accountsservice local file disclosure flaw (CVE-2012-2737)

[Vincent Danen <vdanen () redhat com>]

Good day, all.

A local file disclosure flaw was discovered by Florian Weimer of the Red
Hat Product Security Team in accountsservice.  From what I understand,
there are a few distros that use this due to newer GNOME.

The offending code was added here:

http://cgit.freedesktop.org/accountsservice/commit/?id=69b526a6cd4c078732068de2ba393cf9242a404b

A patch to correct the flaw is attached to our bugzilla bug and will be
committed upstream shortly.

https://bugzilla.redhat.com/show_bug.cgi?id=832532

The issue is described as follows:

Florian Weimer found a local file disclosure flaw in accountsservice, an
account management system using D-Bus for querying and manipulating user
accounts.  The implementation of the SetIconFile method of the
org.freedesktop.Accounts.User D-Bus interface can disclose arbitrary
files due to a race condition in user_change_icon_file_authorized_cb()
in /usr/libexec/accounts-daemon.  When this function calls
get_caller_uid(), it uses PolicyKit to obtain the UID of the requesting
process from /proc.  At the time the UID is fetched, it may not match
the original UID making the D-Bus request if the process has executed an
SUID binary.

It has been assigned the name CVE-2012-2737.

The distros mailing list was notified of this flaw on Monday (20120625)
and made public today (20120628).

--
Vincent Danen / Red Hat Security Response Team