CVE-2014-5033

Published: 23 July 2014

KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."

Priority

Status

Package	Release	Status
kde4libs Launchpad, Ubuntu, Debian	lucid	Ignored (end of life)
	precise	Released (4:4.8.5-0ubuntu0.4)
	trusty	Released (4:4.13.2a-0ubuntu0.3)
	upstream	Needed
	Patches: upstream: http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23

References

https://ubuntu.com/security/notices/USN-2304-1
https://www.cve.org/CVERecord?id=CVE-2014-5033
NVD
Launchpad
Debian

Bugs

https://bugzilla.novell.com/show_bug.cgi?id=864716
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755814
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1350019

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›