Bug 38909 - policykit-1: Multiple issues (4.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Stefan Gohmann
QA Contact: Felix Botner
Reported: 2015-07-13 12:27 CEST by Arvid Requate
Modified: 2015-09-02 12:57 CEST

Bug group (optional): Security
Description Arvid Requate univentionstaff 2015-07-13 12:27:52 CEST
* Local privilege escalation in polkit before 0.113 due to predictable
authentication session cookie values (CVE-2015-4625).

* Various memory corruption vulnerabilities in polkit before 0.113 in the
use of the JavaScript interpreter, possibly leading to local privilege
escalation (CVE-2015-3256).

* Memory corruption vulnerability in polkit before 0.113 in handling
duplicate action IDs, possibly leading to local privilege escalation
(CVE-2015-3255).

* Denial of service issue in polkit before 0.113 which allowed any local
user to crash polkitd (CVE-2015-3218).
Comment 1 Stefan Gohmann univentionstaff 2015-08-28 17:09:44 CEST
(In reply to Arvid Requate from comment #0)
> * Local privilege escalation in polkit before 0.113 due to predictable
> authentication session cookie values (CVE-2015-4625).

http://cgit.freedesktop.org/polkit/commit/?id=ea544ffc18405237ccd95d28d7f45afef49aca17
http://cgit.freedesktop.org/polkit/commit/?id=493aa5dc1d278ab9097110c1262f5229bbaf1766
http://cgit.freedesktop.org/polkit/commit/?id=fb5076b7c05d01a532d593a4079a29cf2d63a228

> * Various memory corruption vulnerabilities in polkit before 0.113 in the
> use of the JavaScript interpreter, possibly leading to local privilege
> escalation (CVE-2015-3256).

This is already fixed in the UCS 4.0 version.

> * Memory corruption vulnerability in polkit before 0.113 in handling
> duplicate action IDs, possibly leading to local privilege escalation
> (CVE-2015-3255).

http://cgit.freedesktop.org/polkit/commit/?id=9f5e0c731784003bd4d6fc75ab739ff8b2ea269f

> * Denial of service issue in polkit before 0.113 which allowed any local
> user to crash polkitd (CVE-2015-3218).

http://cgit.freedesktop.org/polkit/commit/?id=48e646918efb2bf0b3b505747655726d7869f31c
Comment 2 Stefan Gohmann univentionstaff 2015-08-28 22:33:31 CEST
The patches have been backported. I had some problems with gio-unix-2.0 includes; since it is only for a temporary time, I've put it directly into the Makefile: r15196

YAML: 2015-08-28-policykit-1.yaml
Comment 3 Stefan Gohmann univentionstaff 2015-08-29 19:40:11 CEST
My tests were successful.
Comment 4 Felix Botner univentionstaff 2015-09-01 14:56:49 CEST
* OK - patch CVE-2015-3218_2015-3255_2015-4625
* OK - built in errata4.0-3 with patch
* OK - 
  > > * Various memory corruption vulnerabilities in polkit before 0.113 in the
  > > use of the JavaScript interpreter, possibly leading to local privilege
  > > escalation (CVE-2015-3256).
  >
  > This is already fixed in the UCS 4.0 version.


* OK - polkitd works as expected (after restarting dbus!!)
* OK - YAML
Comment 5 Janek Walkenhorst univentionstaff 2015-09-02 12:57:49 CEST
<http://errata.univention.de/ucs/4.0/299.html>