CVE-2014-5033

Name: CVE-2014-5033
Description: KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-76-1, DSA-3004-1
Debian Bugs: 755814

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                | Version              | Status
kde4libs (PTS) | jessie, jessie (lts)   | 4:4.14.2-5+deb8u3    | fixed
kde4libs       | stretch (lts), stretch | 4:4.14.26-2+deb9u1   | fixed
kde4libs       | buster                 | 4:4.14.38-3          | fixed

The information below is based on the following data on fixed versions.

Package  | Type   | Release    | Fixed Version        | Urgency | Origin     | Debian Bugs
kde4libs | source | squeeze    | 4:4.4.5-2+squeeze4   |         | DLA-76-1   |
kde4libs | source | wheezy     | 4:4.8.4-4+deb7u1     |         | DSA-3004-1 |
kde4libs | source | (unstable) | 4:4.13.3-2           |         |            | 755814

Notes

https://bugzilla.suse.com/show_bug.cgi?id=864716
http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23
