It was reported that polkit has a bug, that leads to a minor denial of service, or code execution/privilege escalation.
The only privilege necessary is ability to send D-Bus messages, not even necessarily directly to polkitd (usually privileged services ask polkitd for authorization based of a client request: client<->D-Bus<->service<->D-Bus<->polkitd); the attacker does not need special polkit status.
This bug allows a local user (a person on a multi-user system, or a daemon account after successfully attacking a daemon over the network) to corrupt memory of polkitd.
Corrupting polkitd memory can lead to a crash (known to happen), which is a minor DoS: a specific request being handled during the crash will not get a reply, but polkitd will then be automatically started when next polkit request arrives.
In general corrupting memory can lead to arbitrary code execution as polkitd (no proof of concept exists but I can see no reason for this to be impossible), controlling polkitd allows the attacker to grant to anyone access to any polkit-controlled service, including the ability to run any command as root via pkexec.
Initially reported in https://bugzilla.redhat.com/show_bug.cgi?id=910262
The patches are attached.
Created attachment 1054871 [details]
Created attachment 1054872 [details]
Created attachment 1054873 [details]
Created attachment 1054874 [details]
Created attachment 1054875 [details]
Created attachment 1054876 [details]
Created attachment 1054877 [details]
Created attachment 1054878 [details]
Created attachment 1054879 [details]
Created attachment 1054880 [details]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:0189 https://rhn.redhat.com/errata/RHSA-2016-0189.html