0001-CVE-XXX-XXXX-Bind-use-of-cookies-to-specific-uids.patch
@walters
Submitted by Colin Walters Assigned to David Zeuthen @david
Description
Created attachment 116273 0001-CVE-XXX-XXXX-Bind-use-of-cookies-to-specific-uids.patch
Note: CVE not assigned yet
http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html
The "cookie" value that Polkit hands out is global to all polkit
users. And when AuthenticationAgentResponse is invoked, we
previously only received the cookie and target identity, and attempted
to find an agent from that.
The problem is that the current cookie is just an integer counter, and if it overflowed, it would be possible for a successful authorization in one session to trigger a response in another session.
One way to fix this would be to make the cookie unforgeable, but this
approach passes through the uid of the caller from the setuid binary,
ensuring that we only look up AuthenticationAgents that were created
by a matching uid.
Signed-off-by: Colin Walters <walters@verbum.org>
Attachment 116273, "0001-CVE-XXX-XXXX-Bind-use-of-cookies-to-specific-uids.patch"
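The two lookups the description contrasts, as an added model that is neither polkit's code nor part of the attached patch. All names are hypothetical, and the counter is assumed to be 8 bits wide so that the wrap-around is reached quickly.

```c
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical model of a pending authentication session (not polkit code). */
struct session { int active; uint8_t cookie; uid_t agent_uid; int authorized; };
#define MAX_SESSIONS 4
static struct session sessions[MAX_SESSIONS];
static uint8_t next_cookie; /* assumption: 8-bit counter, so it wraps after 256 sessions */

static struct session *begin_session(uid_t agent_uid) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!sessions[i].active) {
            sessions[i] = (struct session){ 1, next_cookie++, agent_uid, 0 };
            return &sessions[i];
        }
    }
    return NULL;
}

/* Before: the cookie alone selects the session. */
static struct session *find_by_cookie(uint8_t cookie) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].active && sessions[i].cookie == cookie)
            return &sessions[i];
    return NULL;
}

/* After: a cookie only matches sessions whose agent was created by the caller's uid. */
static struct session *find_by_cookie_and_uid(uint8_t cookie, uid_t caller_uid) {
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].active && sessions[i].cookie == cookie &&
            sessions[i].agent_uid == caller_uid)
            return &sessions[i];
    return NULL;
}

/* Constructed scenario: uid 1000 holds cookie 0 while the counter wraps and
 * uid 1001 is handed cookie 0 as well. Returns the uid of the session that a
 * response carrying (cookie 0, caller uid 1001) resolves to, or -1 if none. */
static long resolve_after_wrap(int bind_to_uid) {
    memset(sessions, 0, sizeof sessions);
    next_cookie = 0;
    begin_session(1000);                        /* long-lived session, cookie 0 */
    for (int i = 0; i < 255; i++)               /* short sessions use cookies 1..255 */
        begin_session(1001)->active = 0;
    struct session *mine = begin_session(1001); /* counter has wrapped: cookie 0 again */
    struct session *hit = bind_to_uid ? find_by_cookie_and_uid(mine->cookie, 1001)
                                      : find_by_cookie(mine->cookie);
    return hit ? (long)hit->agent_uid : -1;
}
```

With the cookie-only lookup the response resolves to uid 1000's session; with the uid-bound lookup it resolves to the caller's own session.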