Bug 551316 (CVE-2015-3218)

Summary: <sys-auth/polkit-0.112-r3: crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent (CVE-2015-3218)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: freedesktop-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1228738
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-06-05 15:28:03 UTC
From ${URL} :

It was reported that polkitd dumps core if you set an invalid object
path when calling RegisterAuthenticationAgent.
It allows local authenticated users to perform a denial of service attack.
Original report: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html
Suggested patch is available: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000421.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
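
An added example (not the polkit patch and not code from this bug report): a stand-alone C check of D-Bus object path syntax, run before a hypothetical handler uses the caller-supplied path, so malformed input produces an error return instead of reaching code that assumes a well-formed path. The names `is_valid_object_path` and `register_agent` are hypothetical, and the sample paths are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* D-Bus object path syntax (D-Bus specification):
 *  - starts with '/'; the root path is the single character "/"
 *  - elements are separated by '/', non-empty, and use only [A-Za-z0-9_]
 *  - no trailing '/' except for the root path */
static bool is_valid_object_path(const char *path)
{
    if (path == NULL || path[0] != '/')
        return false;
    if (path[1] == '\0')
        return true;                          /* root path "/" */
    for (size_t i = 1; path[i] != '\0'; i++) {
        char c = path[i];
        if (c == '/') {
            /* reject an empty element ("//") or a trailing slash */
            if (path[i - 1] == '/' || path[i + 1] == '\0')
                return false;
        } else if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                     (c >= '0' && c <= '9') || c == '_')) {
            return false;
        }
    }
    return true;
}

/* Hypothetical handler: returns 0 on success, -1 when input is rejected. */
static int register_agent(const char *object_path, char *err, size_t errlen)
{
    if (!is_valid_object_path(object_path)) {
        snprintf(err, errlen, "Invalid object path '%s'",
                 object_path ? object_path : "(null)");
        return -1;          /* caller gets an error; the service keeps running */
    }
    /* ... build the agent record here; the path is now well-formed ... */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "/org/example/Agent", "/", "invalid",
                              "/a//b", "/a/", "/a-b" };
    char err[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = register_agent(samples[i], err, sizeof err);
        printf("%-20s -> %s\n", samples[i], rc == 0 ? "accepted" : err);
    }
    return 0;
}
```
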
Comment 1 Jason Zaman gentoo-dev 2015-06-06 08:55:39 UTC
+*polkit-0.112-r3 (06 Jun 2015)
+
+  06 Jun 2015; Jason Zaman <perfinion@gentoo.org> +files/polkit-0.112-0001-backe
+  nd-Handle-invalid-object-paths-in-RegisterAuthe.patch,
+  +polkit-0.112-r3.ebuild:
+  fix bug 551316 CVE-2015-3218: crash authentication_agent_new with invalid
+  object path in RegisterAuthenticationAgent

We'll need to stabilize polkit-0.112-r3.ebuild. The arm64 keyword is only on 0.110, so we'll probably need a keywordreq to update that one too.
Comment 3 Pacho Ramos gentoo-dev 2015-07-04 13:28:24 UTC
CCing arches for now for this revision. 0.113 was also bumped but we would prefer to give it a few days for receiving some testing (maybe 1 week or so)
Comment 4 Agostino Sarubbo gentoo-dev 2015-07-05 18:01:31 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-07-05 18:01:45 UTC
x86 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-05 20:35:58 UTC
arm stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-07 04:29:46 UTC
Stable for HPPA PPC64.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-14 16:18:25 UTC
Stable on alpha.
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-17 13:17:38 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-07-23 09:02:27 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-07-23 09:37:56 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 13:52:58 UTC
Maintainer(s), Thank you for cleanup.
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 13 Manuel Rüger (RETIRED) gentoo-dev 2015-08-27 18:29:44 UTC
Removed vulnerable versions.
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-09-08 06:33:59 UTC
GLSA Vote: No