Red Hat: 2013:1282-01: rtkit: Important Advisory
Summary
RealtimeKit is a D-Bus system service that changes the scheduling policy of
user processes/threads to SCHED_RR (that is, realtime scheduling mode) on
request. It is intended to be used as a secure mechanism to allow real-time
scheduling to be used by normal user processes.
It was found that RealtimeKit communicated with PolicyKit for authorization
using a D-Bus API that is vulnerable to a race condition. This could have
led to intended PolicyKit authorizations being bypassed. This update
modifies RealtimeKit to communicate with PolicyKit via a different API that
is not vulnerable to the race condition. (CVE-2013-4326)
All rtkit users are advised to upgrade to this updated package, which
contains a backported patch to correct this issue.
Summary
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
References
https://www.redhat.com/security/data/cve/CVE-2013-4326.html https://access.redhat.com/security/updates/classification/#important
Package List
Red Hat Enterprise Linux Desktop (v. 6):
Source:
i386:
rtkit-0.5-2.el6_4.i686.rpm
rtkit-debuginfo-0.5-2.el6_4.i686.rpm
x86_64:
rtkit-0.5-2.el6_4.x86_64.rpm
rtkit-debuginfo-0.5-2.el6_4.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
x86_64:
rtkit-0.5-2.el6_4.x86_64.rpm
rtkit-debuginfo-0.5-2.el6_4.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
i386:
rtkit-0.5-2.el6_4.i686.rpm
rtkit-debuginfo-0.5-2.el6_4.i686.rpm
ppc64:
rtkit-0.5-2.el6_4.ppc64.rpm
rtkit-debuginfo-0.5-2.el6_4.ppc64.rpm
s390x:
rtkit-0.5-2.el6_4.s390x.rpm
rtkit-debuginfo-0.5-2.el6_4.s390x.rpm
x86_64:
rtkit-0.5-2.el6_4.x86_64.rpm
rtkit-debuginfo-0.5-2.el6_4.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
i386:
rtkit-0.5-2.el6_4.i686.rpm
rtkit-debuginfo-0.5-2.el6_4.i686.rpm
x86_64:
rtkit-0.5-2.el6_4.x86_64.rpm
rtkit-debuginfo-0.5-2.el6_4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
Topic
An updated rtkit package that fixes one security issue is now available forRed Hat Enterprise Linux 6.The Red Hat Security Response Team has rated this update as havingimportant security impact. A Common Vulnerability Scoring System (CVSS)base score, which gives a detailed severity rating, is available from theCVE link in the References section.
Topic
Relevant Releases Architectures
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Bugs Fixed
1006677 - CVE-2013-4326 rtkit: insecure calling of polkit