polkit-0.113 released

Miloslav Trmač mitr at redhat.com
Thu Jul 2 10:45:22 PDT 2015

polkit-0.113 is now available at 

polkit 0.113 

NOTE: This release is an important security update, see below. 

WARNING WARNING WARNING: This is a prerelease on the road to polkit 
1.0. Public API might change and certain parts of the code still need 
some security review. Use at your own risk. 

This is polkit 0.113. 

Fixes CVE-2015-4625, a local privilege escalation due to predictable 
authentication session cookie values. Thanks to Tavis Ormandy, Google Project 
Zero for reporting this issue. For the future, authentication agents are 
encouraged to use PolkitAgentSession instead of using the D-Bus agent response 
API directly. 

Fixes CVE-2015-3256, various memory corruption vulnerabilities in use of the 
JavaScript interpreter, possibly leading to local privilege escalation. 

Fixes CVE-2015-3255, a memory corruption vulnerability in handling duplicate 
action IDs, possibly leading to local privilege escalation. Thanks to 
Laurent Bigonville for reporting this issue. 

Fixes CVE-2015-3218, which allowed any local user to crash polkitd. Thanks to 
Tavis Ormandy, Google Project Zero, for reporting this issue. 

On systemd-213 and later, the “active” state is shared across all sessions of 
a user, instead of being tracked separately. 

(pkexec), when not given a program to execute, runs the users’ shell by 

Build requirements 

glib, gobject, gio >= 2.30 
mozjs185 or mozjs-17.0 
gobject-introspection >= 0.6.2 (optional) 
pam (optional) 
ConsoleKit OR systemd 

Changes since polkit 0.112: 

Colin Walters (17): 
PolkitSystemBusName: Add public API to retrieve Unix user 
examples/cancel: Fix to securely lookup subject 
sessionmonitor-systemd: Deduplicate code paths 
PolkitSystemBusName: Retrieve both pid and uid 
Port internals non-deprecated PolkitProcess API where possible 
Use G_GNUC_BEGIN_IGNORE_DEPRECATIONS to avoid warning spam 
pkexec: Work around systemd injecting broken XDG_RUNTIME_DIR 
pkexec: Support just plain "pkexec" to run shell 
.dir-locals: Style for Emacs - we don't use tabs 
authority: Avoid cookie wrapping by using u64 counter 
CVE-2015-3218: backend: Handle invalid object paths in RegisterAuthenticationAgent 
build: Start using git.mk 
Revert "authority: Avoid cookie wrapping by using u64 counter" 
authority: Add a helper method for checking whether an identity is root 
CVE-2015-4625: Use unpredictable cookie values, keep them secret 
CVE-2015-4625: Bind use of cookies to specific uids 
README: Note to send security reports via DBus's mechanism 

Kay Sievers (1): 
sessionmonitor-systemd: prepare for D-Bus "user bus" model 

Lukasz Skalski (1): 
polkitd: Fix problem with removing non-existent source 

Max A. Dednev (1): 
authority: Fix memory leak in EnumerateActions call results handler 

Miloslav Trmač (24): 
Post-release version bump to 0.113 
Don't discard error data returned by polkit_system_bus_name_get_user_sync 
Fix a memory leak 
Refuse duplicate --user arguments to pkexec 
Fix a possible NULL dereference. 
Remove a redundant assignment. 
Simplify forced error domain registration 
Fix a typo, s/Evaluting/Evaluating/g 
Fix duplicate GError use when "uid" is missing 
Fix a crash when two authentication requests are in flight. 
docs: Update for changes to uid binding/AuthenticationAgentResponse2 
Don't pass an uninitialized JS parameter 
Don't add extra NULL group to subject.groups 
Don't store unrooted jsvals on heap 
Fix a per-authorization memory leak 
Fix a memory leak when registering an authentication agent 
Wrap all JS usage within “requests” 
Register heap-based JSObject pointers to GC 
Prevent builds against SpiderMonkey with exact stack rooting 
Clear the JS operation callback before invoking JS in the callback 
Fix spurious timeout exceptions on GC 
Fix GHashTable usage. 
Fix use-after-free in polkitagentsession.c 

Philip Withnall (1): 
sessionmonitor-systemd: Use sd_uid_get_state() to check session activity 

Rui Matos (1): 
PolkitAgentSession: fix race between child and io watches 

Simon McVittie (1): 
Use libsystemd instead of older libsystemd-login if possible 

Ting-Wei Lan (1): 
build: Fix several issues on FreeBSD 

Xabier Rodriguez Calvar (1): 
Fixed compilation problem in the backend 

Thanks to our contributors. 

Colin Walters and Miloslav Trmač, 
July 2, 2015 
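
An added illustration of the CVE-2015-4625 fix described above (not polkit's code): a sequential counter stands in for the predictable scheme, while the hardened path draws the cookie from /dev/urandom and accepts a response only from the uid the cookie was issued to. The struct, function names and uid values are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#define COOKIE_BYTES 16                      /* 128 bits of entropy */
#define COOKIE_HEX   (2 * COOKIE_BYTES + 1)  /* hex digits plus NUL */

/* Hypothetical record of one pending authentication session. */
struct auth_session {
    char  cookie[COOKIE_HEX];  /* secret, handed only to the owning agent */
    uid_t agent_uid;           /* uid the cookie is bound to */
};

/* Predictable scheme, assumed here for contrast: a sequential counter. */
void weak_cookie(char *out, size_t len, unsigned *counter) {
    snprintf(out, len, "cookie%u", (*counter)++);
}

/* Unpredictable scheme: bytes from the kernel CSPRNG, hex-encoded. */
int strong_cookie(char *out, size_t len) {
    unsigned char raw[COOKIE_BYTES];
    FILE *f = (len >= COOKIE_HEX) ? fopen("/dev/urandom", "rb") : NULL;
    if (!f) return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return -1;        /* fail closed on a short read */
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Compare without an early exit on the first mismatching byte. */
int cookie_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* A response counts only if the cookie matches and the caller owns the session. */
int accept_response(const struct auth_session *s, const char *cookie, uid_t caller) {
    return caller == s->agent_uid && cookie_equal(s->cookie, cookie);
}

int main(void) {
    struct auth_session s = { .agent_uid = 1000 };   /* constructed sample uid */
    if (strong_cookie(s.cookie, sizeof s.cookie) != 0) return 1;
    int owner = accept_response(&s, s.cookie, 1000);
    int other = accept_response(&s, s.cookie, 1001); /* right cookie, wrong uid */
    printf("owner accepted: %d, other uid accepted: %d\n", owner, other);
    return 0;
}
```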
