6.9

CVE-2014-5033

Exploit
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DebianKde4libs Version-
CanonicalUbuntu Linux Version12.04 Update- Editionlts
CanonicalUbuntu Linux Version14.04 SwEditionlts
KdeKauth Version <= 5.0
KdeKdelibs Version <= 4.13.97
KdeKdelibs Version4.10.0
KdeKdelibs Version4.10.1
KdeKdelibs Version4.10.2
KdeKdelibs Version4.10.3
KdeKdelibs Version4.10.95
KdeKdelibs Version4.10.97
KdeKdelibs Version4.11.0
KdeKdelibs Version4.11.1
KdeKdelibs Version4.11.2
KdeKdelibs Version4.11.3
KdeKdelibs Version4.11.4
KdeKdelibs Version4.11.5
KdeKdelibs Version4.11.80
KdeKdelibs Version4.11.90
KdeKdelibs Version4.11.95
KdeKdelibs Version4.11.97
KdeKdelibs Version4.12.0
KdeKdelibs Version4.12.1
KdeKdelibs Version4.12.2
KdeKdelibs Version4.12.3
KdeKdelibs Version4.12.4
KdeKdelibs Version4.12.5
KdeKdelibs Version4.12.80
KdeKdelibs Version4.12.90
KdeKdelibs Version4.12.95
KdeKdelibs Version4.12.97
KdeKdelibs Version4.13.0
KdeKdelibs Version4.13.1
KdeKdelibs Version4.13.2
KdeKdelibs Version4.13.3
KdeKdelibs Version4.13.80
KdeKdelibs Version4.13.90
KdeKdelibs Version4.13.95
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.36% 0.275
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.9 3.4 10
AV:L/AC:M/Au:N/C:C/I:C/A:C
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

http://lists.opensuse.org/opensuse-updates/2014-08/msg00012.html
http://quickgit.kde.org/?p=kauth.git&a=commit&h=341b7d84b6d9c03cf56905cb277b47e11c81482a
http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
Patch
Exploit
http://rhn.redhat.com/errata/RHSA-2014-1359.html
http://secunia.com/advisories/60385
http://secunia.com/advisories/60633
http://secunia.com/advisories/60654
http://www.debian.org/security/2014/dsa-3004
http://www.kde.org/info/security/advisory-20140730-1.txt
Vendor Advisory
http://www.ubuntu.com/usn/USN-2304-1