CVE-2014-5033

Publication date 23 July 2014

Last updated 24 July 2024

Ubuntu priority

KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."

Status

Show unmaintained releases

Package	Ubuntu Release	Status
kde4libs	14.04 LTS trusty	Fixed 4:4.13.2a-0ubuntu0.3
	12.04 LTS precise	Fixed 4:4.8.5-0ubuntu0.4
	10.04 LTS lucid	Ignored end of life

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
kde4libs	Upstream: http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23

References

Related Ubuntu Security Notices (USN)

USN-2304-1
KDE-Libs vulnerability
31 July 2014

Other references

https://www.cve.org/CVERecord?id=CVE-2014-5033