Comment 1 Stefan Behte (RETIRED) 2010-04-11 14:02:35 UTC

CVE-2010-0750 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0750):
  pkexec.c in pkexec in libpolkit in PolicyKit 0.96 allows local users
  to determine the existence of arbitrary files via the argument.

Comment 2 Daniel Gryniewicz (RETIRED) 2010-04-11 14:13:50 UTC

pkexec is part of sys-auth/polkit, not sys-auth/policykit (I know, it's confusing, even to me; I had to look when the patch failed to apply).

Comment 3 Stefan Behte (RETIRED) 2010-04-11 14:23:03 UTC

You're trying to confuse the security team! ;)

So does the patch apply? If so, we can close this [noglsa].

Comment 4 Daniel Gryniewicz (RETIRED) 2010-04-11 14:28:03 UTC

Sorry, I'm not trying to confuse anyone... I don't maintain polkit, I maintain policykit, so this should presumably be re-assigned to nirbheek.

Comment 5 Stefan Behte (RETIRED) 2010-04-11 14:34:33 UTC

That was just a (silly) joke. ;)
Thanks for pointing it out, reassigning...

Comment 6 Stefan Behte (RETIRED) 2010-04-11 14:39:32 UTC

Sorry for todays bugspam everyone. ;)

Comment 7 Nirbheek Chauhan (RETIRED) 2010-07-07 17:03:35 UTC

I co-maintain with freedesktop-bugs.

Also, seeing that this is a minor security problem, do you folks want a new revision with this patch? Or would you prefer to wait for a release?

Comment 8 Sean Amoss (RETIRED) 2012-03-27 23:10:40 UTC

Re-rating as A4: at the time this bug was opened, ~4 was correct but then 0.96-r1 was stabilized and vulnerable. First fixed and stable version appears to be 0.101-r1.

Added to existing GLSA request.

Comment 9 GLSAMaker/CVETool Bot 2012-04-17 23:44:32 UTC

This issue was resolved and addressed in
 GLSA 201204-06 at http://security.gentoo.org/glsa/glsa-201204-06.xml
by GLSA coordinator Sean Amoss (ackle).