Crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent

Colin Walters walters at verbum.org
Sat May 30 06:36:36 PDT 2015


Hi Tavis,

On Fri, May 29, 2015, at 02:08 PM, Tavis Ormandy wrote:
> Hello, I've noticed polkitd dumps core if you set an invalid object
> path when calling RegisterAuthenticationAgent. It looks like this code
> doesn't check if error was set before dereferencing it:

Indeed, thanks for the report.  Can someone review this patch?

I suppose this'll need a CVE, as local, authenticated users
can DoS polkitd.

I also updated your test program to properly handle errors,
new version attached.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch
Type: text/x-patch
Size: 4368 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/polkit-devel/attachments/20150530/95c48af9/attachment.bin>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: polkit-register-crash.c
URL: <http://lists.freedesktop.org/archives/polkit-devel/attachments/20150530/95c48af9/attachment.c>

