REDHAT-BUG-878102
Version-Release number of selected component (if applicable): e.g. mate-settings-daemon-1.5.3-1.fc8 mate-settings-daemon's datetime mechanism provides a D-Bus method to set the timezone, which is guarded by polkit's action org.mate.settingsdaemon.datetimemechanism.settimezone; this has the default policy "auth_self_keep", which allows any local user to perform the operation with only knowing their own password. This seems not to be currently exposed in the mate UI, but it is available through manual D-Bus calls, e.g. > dbus-send --system --print-reply --type=method_call --dest=org.mate.SettingsDaemon.DateTimeMechanism / org.mate.SettingsDaemon.DateTimeMechanism.SetTimezone string:/usr/share/zoneinfo/Cuba Because the time zone setting is a global resource, it should be restricted to system administrators (== root or users in the "wheel" group), by having a policy auth_admin_*. That's also what the other timezone setting mechanisms (in systemd and control-center) do.
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-878102?
The severity of REDHAT-BUG-878102 is classified as moderate due to potential unauthorized timezone changes.
How do I fix REDHAT-BUG-878102?
To fix REDHAT-BUG-878102, update to the latest version of mate-settings-daemon where the vulnerability has been patched.
What are the potential impacts of REDHAT-BUG-878102?
The potential impacts of REDHAT-BUG-878102 include unauthorized modification of timezone settings, affecting time-related operations.
Which versions of mate-settings-daemon are affected by REDHAT-BUG-878102?
Versions of mate-settings-daemon prior to the patch addressing REDHAT-BUG-878102 are affected.
Is there a workaround for REDHAT-BUG-878102 before applying the fix?
A workaround for REDHAT-BUG-878102 involves adjusting the policykit settings to limit access to the set timezone method.