FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID Description

VuXML ID	Description
36a35d83-c560-11eb-84ab-e0d55e2a8bf9	polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync Cedric Buissart reports: The function `polkit_system_bus_name_get_creds_sync` is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like ":1.96", to `dbus-daemon`. These unique names are assigned and managed by `dbus-daemon` and cannot be forged, so this is a good way to check the privileges of the requesting process. The vulnerability happens when the requesting process disconnects from `dbus-daemon` just before the call to `polkit_system_bus_name_get_creds_sync` starts. In this scenario, the unique bus name is no longer valid, so `dbus-daemon` sends back an error reply. This error case is handled in `polkit_system_bus_name_get_creds_sync` by setting the value of the `error` parameter, but it still returns `TRUE`, rather than `FALSE`. This behavior means that all callers of `polkit_system_bus_name_get_creds_sync` need to carefully check whether an error was set. If the calling function forgets to check for errors then it will think that the uid of the requesting process is 0 (because the `AsyncGetBusNameCredsData` struct is zero initialized). In other words, it will think that the action was requested by a root process, and will therefore allow it. Discovery 2021-06-03 Entry 2021-06-04 polkit lt 0.119 CVE-2021-3560 https://seclists.org/oss-sec/2021/q2/180 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560 https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a

36a35d83-c560-11eb-84ab-e0d55e2a8bf9

polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync

Cedric Buissart reports:

The function polkit_system_bus_name_get_creds_sync is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like ":1.96", to dbus-daemon. These unique names are assigned and managed by dbus-daemon and cannot be forged, so this is a good way to check the privileges of the requesting process.

The vulnerability happens when the requesting process disconnects from dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync starts. In this scenario, the unique bus name is no longer valid, so dbus-daemon sends back an error reply. This error case is handled in polkit_system_bus_name_get_creds_sync by setting the value of the error parameter, but it still returns TRUE, rather than FALSE. This behavior means that all callers of polkit_system_bus_name_get_creds_sync need to carefully check whether an error was set. If the calling function forgets to check for errors then it will think that the uid of the requesting process is 0 (because the AsyncGetBusNameCredsData struct is zero initialized). In other words, it will think that the action was requested by a root process, and will therefore allow it.

Discovery 2021-06-03
Entry 2021-06-04
polkit

lt 0.119

CVE-2021-3560
https://seclists.org/oss-sec/2021/q2/180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a