If a user types a carefully crafted series of format strings, they can trick polkit-grant-helper into thinking the password was successful.
https://launchpad.net/bugs/205037

src/polkit-grant/polkit-grant-helper.c line 231:

    /* send to parent */
    fprintf (stdout, buf);

This should be

    fprintf(stdout, "%s", buf);

I also recommend adding "-Wformat -Wformat-security" to the gcc CFLAGS.
$ grep 'format not a string literal' /scratch/ubuntu/logs/policykit_0.7-2ubuntu6_20080331-1621
polkit-policy-cache.c:150: warning: format not a string literal and no format arguments
polkit-grant-helper.c:231: warning: format not a string literal and no format arguments
polkit-grant-helper.c:242: warning: format not a string literal and no format arguments

There appear to be other cases of this too.
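As an added illustration (not code from this bug thread or from PolicyKit itself), the hardened form of the "send to parent" write discussed in the first two comments, together with the format attribute that lets -Wformat -Wformat-security catch the same class of bug in helpers that really do take a format. It assumes a POSIX/glibc system for open_memstream; the helper names and the sample line are made up.

```c
#define _POSIX_C_SOURCE 200809L   /* for open_memstream (POSIX.1-2008) */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened form of the "send to parent" write at polkit-grant-helper.c:231:
 * the untrusted buffer travels as an argument, never as the format string,
 * so any '%' directives it contains are written out literally. */
void send_to_parent(FILE *out, const char *buf)
{
    fprintf(out, "%s", buf);
}

/* A helper that genuinely takes a format says so with the format attribute,
 * so -Wformat -Wformat-security can flag a non-literal format at build time. */
__attribute__((format(printf, 2, 3)))
void send_to_parent_fmt(FILE *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(out, fmt, ap);
    va_end(ap);
}

/* Push an untrusted buffer through the hardened path into a memory stream
 * and return exactly the bytes the parent would read (caller frees). */
char *echo_untrusted(const char *buf)
{
    char *data = NULL;
    size_t len = 0;
    FILE *mem = open_memstream(&data, &len);
    if (mem == NULL)
        return NULL;
    send_to_parent(mem, buf);
    fclose(mem);
    return data;
}

int main(void)
{
    /* Constructed sample input, not from the bug report: a line full of
     * directives that the original fprintf(stdout, buf) would interpret. */
    char *seen = echo_untrusted("auth result: %s%s%n %p %x");
    if (seen == NULL)
        return 1;
    send_to_parent_fmt(stdout, "parent received %zu bytes: %s\n", strlen(seen), seen);
    free(seen);
    return 0;
}
```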
Created attachment 15591
fixes for format string vulnerabilities
CVE-2008-1658
Hi,

Thanks for noticing this. I've committed this to HEAD
http://gitweb.freedesktop.org/?p=PolicyKit.git;a=commitdiff;h=5bc86a14cc0e356bcf8b5f861674f842869b1be7
with one change: the hunk in src/polkit/polkit-policy-cache.c didn't apply and isn't needed anymore.
Created attachment 15671
Patch for 0.6

Had to backport this for Fedora 8 so sharing the patch against 0.6.