polkit-0.112 (CVE-2013-4288)

Michael Biebl mbiebl at gmail.com
Thu Sep 19 04:06:40 PDT 2013


Hi Miloslav,

regarding CVE-2013-4288, do you know which versions of polkit are affected
by this issue?
Since the changelog talks about deprecating racy APIs, does that mean,
polkit clients need to be updated as well for the fix to be effective?
Given that, do you have a list of vulnerable/affected packages?

Thanks
Michael

2013/9/18 Miloslav Trmač <mitr at redhat.com>:
> Hello,
> polkit-0.112 is available at
> http://www.freedesktop.org/software/polkit/releases/polkit-0.112.tar.gz
> http://www.freedesktop.org/software/polkit/releases/polkit-0.112.tar.gz.sign
>
> --------------
> polkit 0.112
> --------------
>
> NOTE: This release is an important security update, see below.
>
> WARNING WARNING WARNING: This is a prerelease on the road to polkit
> 1.0. Public API might change and certain parts of the code still need
> some security review. Use at your own risk.
>
> This is polkit 0.112.
>
> Highlights:
>  This release fixes CVE-2013-4288: Race condition with process subjects that do
>  not have securely determined uid.
>
>  pkcheck(1) now supports a new format for the --process argument; all
>  applications need to use the new format to avoid a race condition (or use
>  --system-bus-name to identify the process instead).
>
>  Similarly, applications using the API should always use
>  polkit_unix_process_new_for_owner().  polkit_unix_process_new() and
>  polkit_unix_process_new_full() are unsafe and have been deprecated.
>
>  Thanks to Sebastian Krahmer of the SUSE Security Team for reporting this issue.
>
> Build requirements
>
>  glib, gobject, gio    >= 2.30
>  mozjs185 or mozjs-17.0
>  gobject-introspection >= 0.6.2 (optional)
>  pam (optional)
>  ConsoleKit OR systemd
>
> Changes since polkit 0.111:
>
> Colin Walters (2):
>       polkitunixprocess: Deprecate racy APIs
>       pkcheck: Support --process=pid,start-time,uid syntax too
>
> Miloslav Trmač (1):
>       Post-release version bump to 0.112
>
> Tomas Bzatek (1):
>       Use GOnce for interface type registration
>
> Tomas Chvatal (2):
>       Add czech translation po file to distribution.
>       Update the czech once more with newest pot file.
>
> Thanks to our contributors.
>
> Colin Walters and Miloslav Trmač,
> September 18, 2013
> _______________________________________________
> polkit-devel mailing list
> polkit-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/polkit-devel



-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
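The `--process=pid,start-time,uid` syntax the announcement above describes, as an added shell example that is not part of this thread or of polkit's own code: it shows how a caller builds that argument from the fields polkit compares, so that a recycled PID or a uid that changed after the check was requested cannot be mistaken for the original subject (the action id `org.example.action` and the helper names are assumptions).

```shell
#!/bin/sh
# Added example (not from polkit or this thread): compose the
# race-resistant --process=pid,start-time,uid value accepted by the
# pkcheck(1) in polkit 0.112, instead of the deprecated bare --process=PID.
#
# start-time is field 22 of /proc/PID/stat (clock ticks since boot); the
# pid,start-time pair pins the argument to one process incarnation, and the
# caller-supplied uid replaces the value polkit would otherwise read from
# /proc at check time, which is the window CVE-2013-4288 abused.

# Start time from the text of a /proc/PID/stat line. The comm field (2)
# is parenthesised and may contain spaces, so parse after the last ')':
# the start time is then the 20th remaining field.
starttime_from_stat() {
    rest=${1##*\)}
    # shellcheck disable=SC2086
    set -- $rest
    printf '%s\n' "${20}"
}

# Real uid from the text of /proc/PID/status ("Uid:  real eff saved fs").
uid_from_status() {
    printf '%s\n' "$1" | awk '$1 == "Uid:" { print $2; exit }'
}

# Join the three pieces into the pkcheck argument value.
process_arg() {
    printf '%s,%s,%s\n' "$1" "$2" "$3"
}

# Live variant for a PID on Linux. In a real mechanism, take the uid from
# a credential you already hold for the client (e.g. the peer credentials
# of its socket) rather than re-reading /proc; the read here is only what a
# shell has available for its own process.
process_arg_for_pid() {
    pid=$1
    st=$(starttime_from_stat "$(cat "/proc/$pid/stat")")
    uid=$(uid_from_status "$(cat "/proc/$pid/status")")
    process_arg "$pid" "$st" "$uid"
}

# Usage (hypothetical action id), checking the calling shell itself:
#   pkcheck --action-id org.example.action \
#           --process "$(process_arg_for_pid "$$")"
```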
