If a user types a carefully crafted series of format strings, they can trick polkit-grant-helper into thinking the password was successful.
src/polkit-grant/polkit-grant-helper.c line 231:
/* send to parent */
fprintf (stdout, buf);
This should be fprintf(stdout, "%s", buf);
I also recommend adding "-Wformat -Wformat-security" to the gcc CFLAGS.
$ grep 'format not a string literal' /scratch/ubuntu/logs/policykit_0.7-2ubuntu6_20080331-1621
polkit-policy-cache.c:150: warning: format not a string literal and no format arguments
polkit-grant-helper.c:231: warning: format not a string literal and no format arguments
polkit-grant-helper.c:242: warning: format not a string literal and no format arguments
There appear to be other cases of this too.
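To illustrate the fix and the check behind it, here is an added example (not PolicyKit's own code; the function names are hypothetical): the untrusted buffer is forwarded with a literal `"%s"` format so it is only ever treated as data, and a small scanner counts how many conversions the same buffer would have triggered had it been passed as the format argument.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the call flagged in the report. The original was
 * `fprintf (stdout, buf);`, which lets buf act as the format string.
 * Here the format is a literal, so buf is printed verbatim. */
static int send_to_parent(FILE *out, const char *buf)
{
    return fprintf(out, "%s", buf);
}

/* Count the conversions a string would trigger if it were (wrongly) used
 * as a printf format. "%%" is a literal percent sign, not a conversion.
 * A non-zero result for a buffer that came from the user is exactly the
 * situation -Wformat-security warns about at compile time. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {  /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Write an untrusted buffer through the hardened helper into a temporary
 * file and read it back, confirming it arrives unchanged regardless of
 * any '%' sequences it contains. Returns 1 on an exact match. */
static int roundtrip_matches(const char *buf, char *outbuf, size_t outlen)
{
    FILE *tmp = tmpfile();
    if (tmp == NULL)
        return 0;
    send_to_parent(tmp, buf);
    rewind(tmp);
    size_t got = fread(outbuf, 1, outlen - 1, tmp);
    outbuf[got] = '\0';
    fclose(tmp);
    return strcmp(outbuf, buf) == 0;
}
```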
Created attachment 15591
fixes for format string vulnerabilities
Thanks for noticing this. I've committed this to HEAD, with one change: the hunk in src/polkit/polkit-policy-cache.c didn't apply and isn't needed anymore.
Created attachment 15671
Patch for 0.6
Had to backport this for Fedora 8, so I'm sharing the patch against 0.6.