It was reported that polkitd dumps core if you set an invalid object
path when calling RegisterAuthenticationAgent.
It allows local authenticated users to perform a denial of service attack.
Original report: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html
SUggested patch is available: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000421.html
Created polkit tracking bugs for this issue:
Affects: fedora-all [bug 1228739]
Commit fixing this:
It looks like this was introduced via http://cgit.freedesktop.org/polkit/commit/?id=6eeb077bc90c9c7783360a526b2f04645b1b0848
> error = NULL;
> agent->proxy = g_dbus_proxy_new_for_bus_sync (
> <snip>various params</snip>
> if (agent->proxy == NULL)
> g_warning ("Error constructing proxy for agent: %s", error->message);
error can still be NULL after the call to g_dbus_proxy_new_for_bus_sync(). In that case we crash when trying to dereference error->message.
The version in RHEL6 does not have this commit and is not affected. RHEL7 is affected.
polkit-0.113-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
polkit-0.113-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.