It was reported that polkit has a bug, that leads to a minor denial of service, or code execution/privilege escalation. The only privilege necessary is ability to send D-Bus messages, not even necessarily directly to polkitd (usually privileged services ask polkitd for authorization based of a client request: client<->D-Bus<->service<->D-Bus<->polkitd); the attacker does not need special polkit status. This bug allows a local user (a person on a multi-user system, or a daemon account after successfully attacking a daemon over the network) to corrupt memory of polkitd. Corrupting polkitd memory can lead to a crash (known to happen), which is a minor DoS: a specific request being handled during the crash will not get a reply, but polkitd will then be automatically started when next polkit request arrives. In general corrupting memory can lead to arbitrary code execution as polkitd (no proof of concept exists but I can see no reason for this to be impossible), controlling polkitd allows the attacker to grant to anyone access to any polkit-controlled service, including the ability to run any command as root via pkexec. Initially reported in https://bugzilla.redhat.com/show_bug.cgi?id=910262 The patches are attached.
Created attachment 1054871 [details] 0001-Don-t-pass-an-uninitialized-JS-parameter.patch
Created attachment 1054872 [details] 0002-Don-t-add-extra-NULL-group-to-subject.groups.patch
Created attachment 1054873 [details] 0003-Don-t-store-unrooted-jsvals-on-heap.patch
Created attachment 1054874 [details] 0004-Fix-a-per-authorization-memory-leak.patch
Created attachment 1054875 [details] 0005-Fix-a-memory-leak-when-registering-an-authentication.patch
Created attachment 1054876 [details] 0006-Wrap-all-JS-usage-within-requests.patch
Created attachment 1054877 [details] 0007-Register-heap-based-JSObject-pointers-to-GC.patch
Created attachment 1054878 [details] 0008-Prevent-builds-against-SpiderMonkey-with-exact-stack.patch
Created attachment 1054879 [details] 0009-Clear-the-JS-operation-callback-before-invoking-JS-i.patch
Created attachment 1054880 [details] 0010-Fix-spurious-timeout-exceptions-on-GC.patch
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0189 https://rhn.redhat.com/errata/RHSA-2016-0189.html