An authentication bypass issue was found in brltty, which uses polkit to control access to system resources using the PID of the process connecting to the server socket. CVE request: http://seclists.org/oss-sec/2016/q2/59
Created brltty tracking bugs for this issue: Affects: fedora-all [bug 1326801]
It seems there is a patch proposed: https://bugzilla.suse.com/show_bug.cgi?id=967436 which is currently being tested upstream. This issue doesn't seem serious, so I will wait for upstream.
Mitre responded but did not assign a CVE yet. http://seclists.org/oss-sec/2016/q2/67
It seems the code with the bug wasn't released in Fedora. There is brltty-5.3.1 in Rawhide and the bug was introduced in the upstream devel git after the release. I.e. this is the commit introducing the bug: https://github.com/brltty/brltty/commit/e62b3c925d03239a372d425fb87b2cac65d8ef19
The same applies to brltty packages in Red Hat Enterprise Linux.