    Fix CVE-2018-1116: Trusting client-supplied UID · bc7ffad5
    Miloslav Trmač authored
    As part of CVE-2013-4288, the D-Bus clients were allowed (and
    encouraged) to submit the UID of the subject of authorization checks
    to avoid races against UID changes (notably using executables
    set-UID to root).
    
    However, that also allowed any client to submit an arbitrary UID, and
    that could be used to bypass "can only ask about / affect the same UID"
    checks in CheckAuthorization / RegisterAuthenticationAgent /
    UnregisterAuthenticationAgent.  This allowed an attacker:
    
    - With CheckAuthorization, to cause the registered authentication
      agent in victim's session to pop up a dialog, or to determine whether
      the victim currently has a temporary authorization to perform an
      operation.
    
      (In principle, the attacker can also determine whether JavaScript
      rules allow the victim process to perform an operation; however,
      usually rules base their decisions on information determined from
      the supplied UID, so the attacker usually won't learn anything new.)
    
    - Wi...
polkitbackendsessionmonitor-systemd.c 12.6 KB
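The bypass the commit message describes, modelled as an added example in C. This is not polkit's code and not the content of the commit's diff: it is a stand-alone sketch of a "caller may only ask about subjects with its own UID" check on a CheckAuthorization-style method, once as the pre-fix logic that takes the subject's user from the client-supplied UID, and once as a hardened form that accepts the supplied UID only when it agrees with the kernel's view of the PID. The function names, the `subject_t` layout and the fake process table standing in for `/proc/<pid>/status` are all assumptions made for the example.

```c
/* Added illustrative model of the "same UID" check (not polkit's code).
 * Names, struct layout and the fake process table are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Subject as a client sends it over the bus: a PID plus the UID the client
 * claims that process runs as. Both fields are attacker-controlled. */
typedef struct {
    pid_t pid;
    uid_t claimed_uid;
} subject_t;

/* Constructed stand-in for what the kernel reports per PID. */
typedef struct { pid_t pid; uid_t uid; } proc_entry_t;
static const proc_entry_t fake_proc[] = {
    { 4242, 1000 },   /* victim's session process, runs as UID 1000 */
    { 5150, 1001 },   /* attacker's own process, runs as UID 1001 */
};

/* Look up the real UID of a PID (in a real service: read /proc/<pid>/status).
 * Returns false if the process does not exist. */
static bool kernel_uid_of(pid_t pid, uid_t *uid_out)
{
    for (size_t i = 0; i < sizeof fake_proc / sizeof fake_proc[0]; i++) {
        if (fake_proc[i].pid == pid) {
            *uid_out = fake_proc[i].uid;
            return true;
        }
    }
    return false;
}

/* caller_uid: the UID the bus daemon reports for the connection. This is
 * the one value the client cannot forge. */

/* Before: the subject's user is whatever the client put in claimed_uid,
 * so an attacker simply writes its own UID next to the victim's PID. */
static bool may_check_vulnerable(uid_t caller_uid, const subject_t *s)
{
    uid_t user_of_subject = s->claimed_uid;   /* trusted blindly */
    if (caller_uid == 0)
        return true;                           /* root may ask about anything */
    return user_of_subject == caller_uid;
}

/* After: claimed_uid is only accepted if it matches the kernel's view of the
 * PID, and the same-UID rule is applied to that verified value. A mismatch
 * (forged UID, or the process has since changed UID) is a denial unless the
 * caller is root. */
static bool may_check_fixed(uid_t caller_uid, const subject_t *s)
{
    uid_t real_uid;
    if (!kernel_uid_of(s->pid, &real_uid))
        return false;                          /* process gone: fail closed */
    bool uid_matches = (real_uid == s->claimed_uid);
    if (caller_uid == 0)
        return true;
    return uid_matches && real_uid == caller_uid;
}

int main(void)
{
    /* Attacker (UID 1001) asks about the victim's PID but claims UID 1001. */
    subject_t forged = { 4242, 1001 };
    printf("forged subject, vulnerable check: %s\n",
           may_check_vulnerable(1001, &forged) ? "allowed" : "denied");
    printf("forged subject, fixed check:      %s\n",
           may_check_fixed(1001, &forged) ? "allowed" : "denied");

    /* Attacker asks about its own process with the truthful UID. */
    subject_t honest = { 5150, 1001 };
    printf("own process, fixed check:         %s\n",
           may_check_fixed(1001, &honest) ? "allowed" : "denied");
    return 0;
}
```

The point of the hardened form is that the client-supplied UID is still carried in the request (it is what lets the service notice that a process has changed UID via a set-UID executable since the request was built), but it is never used as the subject's identity on its own: the service resolves the PID itself and treats any disagreement as a reason to deny.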