Summary: | <sys-auth/polkit-0.101-r1: Minor information disclosure (CVE-2010-0750) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tomás Touceda (RETIRED) <chiiph> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | freedesktop-bugs, nirbheek |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://bugs.freedesktop.org/show_bug.cgi?id=26982 | ||
Whiteboard: | A4 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Tomás Touceda (RETIRED)
CVE-2010-0750 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0750): pkexec.c in pkexec in libpolkit in PolicyKit 0.96 allows local users to determine the existence of arbitrary files via the argument.

pkexec is part of sys-auth/polkit, not sys-auth/policykit (I know, it's confusing, even to me; I had to look when the patch failed to apply).

You're trying to confuse the security team! ;) So does the patch apply? If so, we can close this [noglsa].

Sorry, I'm not trying to confuse anyone... I don't maintain polkit, I maintain policykit, so this should presumably be re-assigned to nirbheek.

That was just a (silly) joke. ;) Thanks for pointing it out, reassigning... Sorry for today's bugspam everyone. ;)

I co-maintain with freedesktop-bugs. Also, seeing that this is a minor security problem, do you folks want a new revision with this patch? Or would you prefer to wait for a release?

Re-rating as A4: at the time this bug was opened, ~4 was correct but then 0.96-r1 was stabilized and vulnerable. First fixed and stable version appears to be 0.101-r1.

Added to existing GLSA request.

This issue was resolved and addressed in GLSA 201204-06 at http://security.gentoo.org/glsa/glsa-201204-06.xml by GLSA coordinator Sean Amoss (ackle).