It was reported that polkitd dumps core if you set an invalid object path when calling RegisterAuthenticationAgent. It allows local authenticated users to perform a denial of service attack. Original report: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html SUggested patch is available: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000421.html
Created polkit tracking bugs for this issue: Affects: fedora-all [bug 1228739]
Commit fixing this: http://cgit.freedesktop.org/polkit/commit/src/polkitbackend/polkitbackendinteractiveauthority.c?id=48e646918efb2bf0b3b505747655726d7869f31c
It looks like this was introduced via http://cgit.freedesktop.org/polkit/commit/?id=6eeb077bc90c9c7783360a526b2f04645b1b0848 In authentication_agent_new(): > error = NULL; > agent->proxy = g_dbus_proxy_new_for_bus_sync ( > <snip>various params</snip> > &error); > if (agent->proxy == NULL) > { > g_warning ("Error constructing proxy for agent: %s", error->message); error can still be NULL after the call to g_dbus_proxy_new_for_bus_sync(). In that case we crash when trying to dereference error->message. The version in RHEL6 does not have this commit and is not affected. RHEL7 is affected.
polkit-0.113-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
polkit-0.113-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2015-3218