A NULL-pointer dereference flaw was discovered in polkitd. A malicious, local user could exploit this flaw to crash polkitd.
It was reported that polkitd dumps core if you set an invalid object
path when calling RegisterAuthenticationAgent.
It allows local authenticated users to perform a denial of service attack.
Original report: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html
SUggested patch is available: http://lists.freedesktop.org/archives/polkit-devel/2015-May/000421.html
Created polkit tracking bugs for this issue:
Affects: fedora-all [bug 1228739]
Commit fixing this:
It looks like this was introduced via http://cgit.freedesktop.org/polkit/commit/?id=6eeb077bc90c9c7783360a526b2f04645b1b0848
> error = NULL;
> agent->proxy = g_dbus_proxy_new_for_bus_sync (
> <snip>various params</snip>
> if (agent->proxy == NULL)
> g_warning ("Error constructing proxy for agent: %s", error->message);
error can still be NULL after the call to g_dbus_proxy_new_for_bus_sync(). In that case we crash when trying to dereference error->message.
The version in RHEL6 does not have this commit and is not affected. RHEL7 is affected.
polkit-0.113-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
polkit-0.113-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.