The following issue was reported in https://bugs.freedesktop.org/show_bug.cgi?id=90837 :
The "cookie" value that Polkit hands out is global to all polkit
users. And when `AuthenticationAgentResponse` is invoked, we
previously only received the cookie and target identity, and attempted
to find an agent from that.
The problem is that the current cookie is just an integer
counter, and if it overflowed, it would be possible for
a successful authorization in one session to trigger a response
in another session.
This CVE also covers the issue reported in https://bugs.freedesktop.org/show_bug.cgi?id=90832 , see http://openwall.com/lists/oss-security/2015/06/16/21
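The cookie lookup described in the report above, as an added example that is not polkit's code and not part of the original report: a simplified C model in which the shared counter is shrunk to 8 bits so that the wrap-around is reached quickly. The names `issue`, `respond`, `scenario` and the `check_caller` flag are hypothetical, and binding a cookie to the session it was issued to is the mitigation assumed here.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model, not polkit code. The counter is 8 bits wide only so
 * that the wrap-around is reached in a short loop. */
typedef struct { uint8_t cookie; int session; int active; } pending_t;

#define MAX_PENDING 4
static pending_t pending[MAX_PENDING];
static uint8_t next_cookie;              /* one counter shared by all sessions */

/* Record a pending authentication for `session`; returns its cookie or -1. */
static int issue(int session) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (!pending[i].active) {
            pending[i] = (pending_t){ next_cookie++, session, 1 };
            return pending[i].cookie;
        }
    return -1;
}

/* Complete the request matching `cookie`. With check_caller == 0 the cookie
 * alone selects the request; with 1 the caller must also own it.
 * Returns the session whose request was completed, or -1. */
static int respond(uint8_t cookie, int caller, int check_caller) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i].active && pending[i].cookie == cookie &&
            (!check_caller || pending[i].session == caller)) {
            pending[i].active = 0;
            return pending[i].session;
        }
    return -1;
}

/* Session 1 leaves a request pending while session 2 runs the counter
 * through a full cycle, then answers its own, now duplicate, cookie. */
static int scenario(int check_caller) {
    memset(pending, 0, sizeof pending);
    next_cookie = 0;
    issue(1);                                   /* cookie 0, stays pending */
    for (int i = 0; i < 255; i++)               /* cookies 1..255, completed */
        respond((uint8_t)issue(2), 2, check_caller);
    int dup = issue(2);                         /* counter wrapped: cookie 0 again */
    return respond((uint8_t)dup, 2, check_caller);
}
```

`scenario(0)` returns 1, meaning the response sent from session 2 completed the request that belongs to session 1; `scenario(1)` returns 2 because the lookup also requires the caller to own the cookie.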
Created polkit tracking bugs for this issue:
Affects: fedora-all [bug 1233810]
polkit-0.113-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
polkit-0.113-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.