Bug 1233808 (CVE-2015-4625)

Summary: CVE-2015-4625 polkit: potential information disclosure vulnerability due to cookie counter wrapping
Product: [Other] Security Response
Component: vulnerability
Reporter: Vasyl Kaigorodov <vkaigoro>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: carnil, jrusnack, mitr, sisharma
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-11-09 06:04:49 UTC
Bug Depends On: 1233810
Bug Blocks: 1233809

Description Vasyl Kaigorodov 2015-06-19 13:34:41 UTC
The following issue was reported in https://bugs.freedesktop.org/show_bug.cgi?id=90837 :
"""
The "cookie" value that Polkit hands out is global to all polkit
users.  And when `AuthenticationAgentResponse` is invoked, we
previously only received the cookie and target identity, and attempted
to find an agent from that.

The problem is that the current cookie is just an integer
counter, and if it overflowed, it would be possible for
a successful authorization in one session to trigger a response
in another session.
"""

Upstream fixes:
http://cgit.freedesktop.org/polkit/commit/?id=493aa5dc1d278ab9097110c1262f5229bbaf1766
http://cgit.freedesktop.org/polkit/commit/?id=fb5076b7c05d01a532d593a4079a29cf2d63a228

This CVE also covers the issue reported in https://bugs.freedesktop.org/show_bug.cgi?id=90832 , see http://openwall.com/lists/oss-security/2015/06/16/21
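
The wrap described in the quoted upstream report, as an added example that is not polkit's code and not part of this bug report: a simplified model in which one counter issues cookies for every session, comparing a cookie-only lookup with one that also checks the responding session. All names (`pending`, `issue`, `find_by_cookie`, `find_bound`, `run_scenario`) are hypothetical; a 32-bit counter and a four-entry table are assumed, and the wrap is simulated by advancing the counter.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified model of the flaw; not polkit source. All names are hypothetical. */
struct pending { uint32_t cookie; int session; int active; };
#define MAX_PENDING 4
static struct pending table[MAX_PENDING];
static uint32_t next_cookie;            /* one counter shared by every session */

/* Register a pending request; its cookie is the next counter value. */
static int issue(int session, uint32_t *cookie_out) {
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!table[i].active) {
            table[i] = (struct pending){ next_cookie, session, 1 };
            *cookie_out = next_cookie++;    /* unsigned wrap: UINT32_MAX -> 0 */
            return 0;
        }
    }
    return -1;                              /* table full */
}

/* Flawed lookup: the cookie alone selects the request. Returns its session or -1. */
static int find_by_cookie(uint32_t cookie) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (table[i].active && table[i].cookie == cookie) return table[i].session;
    return -1;
}

/* Bound lookup: the cookie must belong to the session that sent the response. */
static int find_bound(uint32_t cookie, int caller_session) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (table[i].active && table[i].cookie == cookie &&
            table[i].session == caller_session) return table[i].session;
    return -1;
}

/* Constructed scenario: session 1's request stays pending while the counter wraps. */
static int run_scenario(int bound) {
    uint32_t c1, c2;
    for (int i = 0; i < MAX_PENDING; i++) table[i].active = 0;
    next_cookie = 7;
    if (issue(1, &c1) != 0) return -1;
    next_cookie += UINT32_MAX;              /* stands in for 2^32 - 1 completed requests */
    if (issue(2, &c2) != 0 || c1 != c2) return -1;
    return bound ? find_bound(c2, 2) : find_by_cookie(c2);  /* session 2's agent answers */
}

int main(void) {
    printf("cookie only: session %d, bound: session %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

With the cookie-only lookup, the response from session 2 resolves to session 1's pending request; the bound lookup resolves it to session 2's own request.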

Comment 1 Vasyl Kaigorodov 2015-06-19 13:35:44 UTC
Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1233810]

Comment 3 Fedora Update System 2015-07-13 19:08:54 UTC
polkit-0.113-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Fedora Update System 2015-07-21 08:23:38 UTC
polkit-0.113-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.