Bug 90829

Summary: CVE-2015-3218: backend: Handle invalid object paths in RegisterAuthenticationAgent
Product: PolicyKit Reporter: Colin Walters <walters>
Component: daemonAssignee: David Zeuthen (not reading bugmail) <zeuthen>
Status: RESOLVED FIXED QA Contact: David Zeuthen (not reading bugmail) <zeuthen>
Severity: normal    
Priority: medium CC: walters
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:
Attachments: 0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch

Description Colin Walters 2015-06-03 14:46:30 UTC 
Created attachment 116267 [details] [review]
0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch

Properly propagate the error, otherwise we dereference a `NULL`
    pointer.  This is a local, authenticated DoS.
Comment 1 Colin Walters 2015-06-03 14:54:09 UTC 
See
Comment 3 Philip Withnall 2015-06-03 15:12:37 UTC 
Comment on attachment 116267 [details] [review]
0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch

Review of attachment 116267 [details] [review]:
-----------------------------------------------------------------

Might want to mention in the commit message that RegisterAuthenticationAgentWithOptions and UnregisterAuthentication have also been checked and don’t need changes.

Other than that, looks good to me!

::: src/polkitbackend/polkitbackendinteractiveauthority.c
@@ +1551,5 @@
>                            const gchar *unique_system_bus_name,
>                            const gchar *locale,
>                            const gchar *object_path,
> +                          GVariant    *registration_options,
> +			  GError     **error)

Technically the rest of the parameters should be re-indented because of the ‘**’ for the GError, but I really don’t care that much.
Comment 4 Miloslav Trmac 2015-06-03 19:49:39 UTC 
ACK.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.