mitr at redhat.com
Thu Jul 2 10:45:22 PDT 2015
polkit-0.113 is now available at
NOTE: This release is an important security update, see below.
WARNING WARNING WARNING: This is a prerelease on the road to polkit
1.0. Public API might change and certain parts of the code still need
some security review. Use at your own risk.
This is polkit 0.113.
Fixes CVE-2015-4625, a local privilege escalation due to predictable
authentication session cookie values. Thanks to Tavis Ormandy, Google Project
Zero for reporting this issue. For the future, authentication agents are
encouraged to use PolkitAgentSession instead of using the D-Bus agent response
Fixes CVE-2015-3256, various memory corruption vulnerabilities in use of the
Fixes CVE-2015-3255, a memory corruption vulnerability in handling duplicate
action IDs, possibly leading to local privilege escalation. Thanks to
Laurent Bigonville for reporting this issue.
Fixes CVE-2015-3218, which allowed any local user to crash polkitd. Thanks to
Tavis Ormandy, Google Project Zero, for reporting this issue.
On systemd-213 and later, the “active” state is shared across all sessions of
a user, instead of being tracked separately.
(pkexec), when not given a program to execute, runs the users’ shell by
glib, gobject, gio >= 2.30
mozjs185 or mozjs-17.0
gobject-introspection >= 0.6.2 (optional)
ConsoleKit OR systemd
Changes since polkit 0.112:
Colin Walters (17):
      PolkitSystemBusName: Add public API to retrieve Unix user
      examples/cancel: Fix to securely lookup subject
      sessionmonitor-systemd: Deduplicate code paths
      PolkitSystemBusName: Retrieve both pid and uid
      Port internals non-deprecated PolkitProcess API where possible
      Use G_GNUC_BEGIN_IGNORE_DEPRECATIONS to avoid warning spam
      pkexec: Work around systemd injecting broken XDG_RUNTIME_DIR
      pkexec: Support just plain "pkexec" to run shell
      .dir-locals: Style for Emacs - we don't use tabs
      authority: Avoid cookie wrapping by using u64 counter
      CVE-2015-3218: backend: Handle invalid object paths in RegisterAuthenticationAgent
      build: Start using git.mk
      Revert "authority: Avoid cookie wrapping by using u64 counter"
      authority: Add a helper method for checking whether an identity is root
      CVE-2015-4625: Use unpredictable cookie values, keep them secret
      README: Note to send security reports via DBus's mechanism

Kay Sievers (1):
      sessionmonitor-systemd: prepare for D-Bus "user bus" model

Lukasz Skalski (1):
      polkitd: Fix problem with removing non-existent source

Max A. Dednev (1):
      authority: Fix memory leak in EnumerateActions call results handler

Miloslav Trmač (24):
      Post-release version bump to 0.113
      Don't discard error data returned by polkit_system_bus_name_get_user_sync
      Fix a memory leak
      Refuse duplicate --user arguments to pkexec
      Fix a possible NULL dereference.
      Remove a redundant assignment.
      Simplify forced error domain registration
      Fix a typo, s/Evaluting/Evaluating/g
      Fix duplicate GError use when "uid" is missing
      Fix a crash when two authentication requests are in flight.
      docs: Update for changes to uid binding/AuthenticationAgentResponse2
      Don't pass an uninitialized JS parameter
      Don't add extra NULL group to subject.groups
      Don't store unrooted jsvals on heap
      Fix a per-authorization memory leak
      Fix a memory leak when registering an authentication agent
      Wrap all JS usage within “requests”
      Register heap-based JSObject pointers to GC
      Prevent builds against SpiderMonkey with exact stack rooting
      Clear the JS operation callback before invoking JS in the callback
      Fix spurious timeout exceptions on GC
      Fix GHashTable usage.
      Fix use-after-free in polkitagentsession.c

Philip Withnall (1):
      sessionmonitor-systemd: Use sd_uid_get_state() to check session activity

Rui Matos (1):
      PolkitAgentSession: fix race between child and io watches

Simon McVittie (1):
      Use libsystemd instead of older libsystemd-login if possible

Ting-Wei Lan (1):
      build: Fix several issues on FreeBSD

Xabier Rodriguez Calvar (1):
      Fixed compilation problem in the backend

Thanks to our contributors.
Colin Walters and Miloslav Trmač,
July 2, 2015
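
The class of bug behind CVE-2015-4625 (predictable authentication session cookie values), as an added example that is not polkit's code: a serial-number cookie next to one drawn from the kernel CSPRNG and checked with a constant-time comparison. The function names, the "cookie%u" format and the 128-bit length are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define COOKIE_HEX_LEN 32 /* 128 random bits, hex-encoded (assumed length) */

/* Weak form: a serial number. Seeing one cookie reveals its neighbours. */
static unsigned weak_serial;

int weak_cookie(char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "cookie%u", weak_serial++);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened form: read the kernel CSPRNG; fail closed on any short read. */
int random_cookie(char out[COOKIE_HEX_LEN + 1])
{
    unsigned char raw[COOKIE_HEX_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Returns 1 only for a full-length match; no early exit on first mismatch. */
int cookie_equal(const char *expected, const char *supplied)
{
    if (strlen(expected) != COOKIE_HEX_LEN || strlen(supplied) != COOKIE_HEX_LEN)
        return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < COOKIE_HEX_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ supplied[i]);
    return diff == 0;
}

int main(void)
{
    char w[32], c[COOKIE_HEX_LEN + 1];
    if (weak_cookie(w, sizeof w) != 0 || random_cookie(c) != 0)
        return 1;
    printf("weak: %s\nrandom: %s\n", w, c);
    return 0;
}
```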