Submitted by Colin Walters
Assigned to David Zeuthen
Created attachment 116273 0001-CVE-XXX-XXXX-Bind-use-of-cookies-to-specific-uids.patch
Note: CVE not assigned yet
The "cookie" value that Polkit hands out is global to all polkit users. And when AuthenticationAgentResponse is invoked, we previously only received the cookie and target identity, and attempted to find an agent from that.
The problem is that the current cookie is just an integer counter, and if it overflowed, it would be possible for a successful authorization in one session to trigger a response in another session.
One way to fix this would be to make the cookie unforgeable, but this approach passes through the uid of the caller from the setuid binary, ensuring that we only look up AuthenticationAgents that were created by a matching uid.
Signed-off-by: Colin Walters email@example.com
Attachment 116273, "0001-CVE-XXX-XXXX-Bind-use-of-cookies-to-specific-uids.patch":
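A minimal model of the lookup change described in the report above, added here as an illustration: it is not the attached patch and not polkit's code. The struct, the function names, the uids and the 8-bit counter width are all assumptions chosen so the wrap-around is quick to reach.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not polkit's data structures. */
struct agent {
    uint32_t uid;      /* uid that registered the agent */
    uint8_t  cookie;   /* 8-bit only so the wrap is quick to reach (assumption) */
    int      pending;  /* an authentication request is outstanding */
};

static uint8_t next_cookie;  /* one counter shared by every user */

static void begin_auth(struct agent *a) {
    a->cookie = next_cookie++;  /* unsigned wrap-around is well defined */
    a->pending = 1;
}

/* Lookup on the response path. With bind_uid == 0 only the cookie is
 * compared; with bind_uid != 0 the responder's uid must match as well. */
static struct agent *find_agent(struct agent *t, size_t n, uint8_t cookie,
                                uint32_t caller_uid, int bind_uid) {
    for (size_t i = 0; i < n; i++)
        if (t[i].pending && t[i].cookie == cookie &&
            (!bind_uid || t[i].uid == caller_uid))
            return &t[i];
    return NULL;
}

/* Constructed scenario: uid 1000 has a request pending, the counter wraps,
 * then uid 1001 answers its own request. Returns the uid of the agent the
 * lookup selects, or 0 if none. */
static uint32_t demo_uid(int bind_uid) {
    struct agent t[2] = { { 1000, 0, 0 }, { 1001, 0, 0 } }, scratch = { 1002, 0, 0 };
    next_cookie = 0;
    begin_auth(&t[0]);                       /* cookie 0, stays pending */
    for (int i = 0; i < 255; i++) {          /* 255 completed requests */
        begin_auth(&scratch);
        scratch.pending = 0;
    }
    begin_auth(&t[1]);                       /* counter wrapped: cookie 0 again */
    struct agent *a = find_agent(t, 2, t[1].cookie, 1001, bind_uid);
    return a ? a->uid : 0;
}

int main(void) {
    printf("cookie only: uid %u\n", (unsigned)demo_uid(0));
    printf("cookie + uid: uid %u\n", (unsigned)demo_uid(1));
    return 0;
}
```

With the cookie-only lookup, the response from uid 1001 resolves to the agent registered by uid 1000; with the uid comparison it resolves to the responder's own agent.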