Bug 1228738 – CVE-2015-3218 polkit: crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1228738 - (CVE-2015-3218) CVE-2015-3218 polkit: crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent

Summary:	CVE-2015-3218 polkit: crash authentication_agent_new with invalid object path...

Status:	NEW

Aliases:	CVE-2015-3218

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20150529,reported=2...
Keywords:	Reopened, Security

Depends On:	1228739
Blocks:	1228745
	Show dependency tree / graph

Reported:	2015-06-05 10:50 EDT by Vasyl Kaigorodov
Modified:	2015-10-27 06:24 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A NULL-pointer dereference flaw was discovered in polkitd. A malicious, local user could exploit this flaw to crash polkitd.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-06-19 13:11:03 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Vasyl Kaigorodov 2015-06-05 10:50:11 EDT

It was reported that polkitd dumps core if you set an invalid object
path when calling RegisterAuthenticationAgent.
It allows local authenticated users to perform a denial of service attack.
Original report: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html
SUggested patch is available: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000421.html

Comment 1 Vasyl Kaigorodov 2015-06-05 10:50:47 EDT

Created polkit tracking bugs for this issue:

Affects: fedora-all [bug 1228739]

Comment 2 Stefan Cornelius 2015-06-19 11:09:49 EDT

Commit fixing this:
http://cgit.freedesktop.org/polkit/commit/src/polkitbackend/polkitbackendinteractiveauthority.c?id=48e646918efb2bf0b3b505747655726d7869f31c

Comment 3 Stefan Cornelius 2015-06-19 13:11:03 EDT

It looks like this was introduced via http://cgit.freedesktop.org/polkit/commit/?id=6eeb077bc90c9c7783360a526b2f04645b1b0848

In authentication_agent_new():
>  error = NULL;
>  agent->proxy = g_dbus_proxy_new_for_bus_sync (
>                                       <snip>various params</snip>
>                                                &error);
>  if (agent->proxy == NULL)
>    {
>      g_warning ("Error constructing proxy for agent: %s", error->message);

error can still be NULL after the call to g_dbus_proxy_new_for_bus_sync(). In that case we crash when trying to dereference error->message.

The version in RHEL6 does not have this commit and is not affected. RHEL7 is affected.

Statement:

This issue did not affect the versions of polkit as shipped with Red Hat Enterprise Linux 6. This issue affects the versions of polkit as shipped with Red Hat Enterprise Linux 7. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 5 Fedora Update System 2015-07-13 15:08:52 EDT

polkit-0.113-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2015-07-21 04:23:36 EDT

polkit-0.113-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.