CVE-2013-1061
https://notcve.org/view.php?id=CVE-2013-1061
dbus/SoftwarePropertiesDBus.py in Software Properties 0.92.17 before 0.92.17.3, 0.92.9 before 0.92.9.3, and 0.82.7 before 0.82.7.5 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
• http://launchpadlibrarian.net/150156695/software-properties_0.92.17.2_0.92.17.3.diff.gz
• http://secunia.com/advisories/54909
• http://www.ubuntu.com/usn/USN-1960-1
• https://exchange.xforce.ibmcloud.com/vulnerabilities/87381
• https://launchpad.net/ubuntu/+source/software-properties/0.82.7.5
• https://launchpad.net/ubuntu/+source/software-properties/0.92.17.3
• https://launchpad.net/ubuntu/+source/software-properties/0.92.9.3
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2012-5356
https://notcve.org/view.php?id=CVE-2012-5356
The apt-add-repository tool in Ubuntu Software Properties 0.75.x before 0.75.10.3, 0.80.x before 0.80.9.2, 0.81.x before 0.81.13.5, 0.82.x before 0.82.7.3, and 0.92.x before 0.92.8 does not properly check PPA GPG keys imported from a keyserver, which allows remote attackers to install arbitrary package repository GPG keys via a man-in-the-middle (MITM) attack.
• http://www.securityfocus.com/bid/55736
• http://www.ubuntu.com/usn/USN-1588-1
• https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1016643
• https://exchange.xforce.ibmcloud.com/vulnerabilities/78990
• CWE-20: Improper Input Validation