Google's Project Zero has developed an exploit for a glibc vulnerability: http://googleprojectzero.blogspot.de/2014/08/the-poisoned-nul-byte-2014-edition.html

Part of that exploit is abusing a memory leak in pkexec's parameter handling. While not in itself a security vulnerability, this memory leak makes exploiting other bugs easier.

This is the code in question in pkexec.c (starting line 543):

    else if (strcmp (argv[n], "--user") == 0 || strcmp (argv[n], "-u") == 0)
      {
        n++;
        if (n >= (guint) argc)
          {
            usage (argc, argv);
            goto out;
          }
        opt_user = g_strdup (argv[n]);
      }

If multiple -u arguments are set, opt_user gets set multiple times, overwriting (and thus leaking) pointers of previous results.
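To make the leak and the remedy concrete, here is an added example that is not the polkit code or the attached patch: a plain-C loop mirroring the quoted argument handling, beside a variant that refuses a repeated --user as the patch title describes. The function names, the PARSE_* results, the *leaked counter and the use of strdup() in place of g_strdup() are assumptions of this example; on an error return the caller is expected to free whatever *opt_user holds, as pkexec's `goto out` does.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>

enum parse_result { PARSE_OK = 0, PARSE_USAGE = 1, PARSE_DUPLICATE = 2 };

/* Leaky variant, mirroring the loop quoted in the report: each repeated
 * "--user"/"-u" overwrites *opt_user with a fresh strdup() and drops the
 * previous pointer. *leaked counts the orphaned allocations. Non-option
 * arguments are simply skipped here (the real pkexec stops at them). */
static enum parse_result parse_user_leaky(int argc, char **argv, char **opt_user, int *leaked)
{
    *opt_user = NULL;
    *leaked = 0;
    for (int n = 1; n < argc; n++) {
        if (strcmp(argv[n], "--user") == 0 || strcmp(argv[n], "-u") == 0) {
            if (++n >= argc)
                return PARSE_USAGE;     /* missing value: usage error */
            if (*opt_user != NULL)
                (*leaked)++;            /* old string is never freed */
            *opt_user = strdup(argv[n]);
        }
    }
    return PARSE_OK;
}

/* Hardened variant, following the attached patch's title: a second
 * "--user" is refused before anything is overwritten, so no allocation
 * is orphaned; the first value is released and *opt_user set to NULL. */
static enum parse_result parse_user_strict(int argc, char **argv, char **opt_user)
{
    *opt_user = NULL;
    for (int n = 1; n < argc; n++) {
        if (strcmp(argv[n], "--user") == 0 || strcmp(argv[n], "-u") == 0) {
            if (++n >= argc)
                return PARSE_USAGE;
            if (*opt_user != NULL) {
                free(*opt_user);
                *opt_user = NULL;
                return PARSE_DUPLICATE; /* duplicate --user refused */
            }
            *opt_user = strdup(argv[n]);
        }
    }
    return PARSE_OK;
}
```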
Created attachment 105295: 0001-Refuse-duplicate-user-arguments-to-pkexec.patch

Thanks for your report.
Comment on attachment 105295 (0001-Refuse-duplicate-user-arguments-to-pkexec.patch)

Review of attachment 105295:

Yep, looks good to me.
Sure.
Thanks, committed as https://bugs.freedesktop.org/show_bug.cgi?id=83093.
… as 6c992bc8aefa195a41eaa41c07f46f17de18e25c.