Bug 90829 - CVE-2015-3218: backend: Handle invalid object paths in RegisterAuthenticationAgent
Summary: CVE-2015-3218: backend: Handle invalid object paths in RegisterAuthentication...
Status: RESOLVED FIXED
Alias: None
Product: PolicyKit
Classification: Unclassified
Component: daemon (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: David Zeuthen (not reading bugmail)
QA Contact: David Zeuthen (not reading bugmail)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-03 14:46 UTC by Colin Walters
Modified: 2015-06-03 19:58 UTC (History)
1 user (show)

See Also:
i915 platform:
i915 features:


Attachments
0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch (4.27 KB, patch)
2015-06-03 14:46 UTC, Colin Walters
Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Colin Walters 2015-06-03 14:46:30 UTC
Created attachment 116267 [details] [review]
0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch

Properly propagate the error, otherwise we dereference a `NULL`
    pointer.  This is a local, authenticated DoS.
Comment 1 Colin Walters 2015-06-03 14:54:09 UTC
See
Comment 3 Philip Withnall 2015-06-03 15:12:37 UTC
Comment on attachment 116267 [details] [review]
0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch

Review of attachment 116267 [details] [review]:
-----------------------------------------------------------------

Might want to mention in the commit message that RegisterAuthenticationAgentWithOptions and UnregisterAuthentication have also been checked and don’t need changes.

Other than that, looks good to me!

::: src/polkitbackend/polkitbackendinteractiveauthority.c
@@ +1551,5 @@
>                            const gchar *unique_system_bus_name,
>                            const gchar *locale,
>                            const gchar *object_path,
> +                          GVariant    *registration_options,
> +			  GError     **error)

Technically the rest of the parameters should be re-indented because of the ‘**’ for the GError, but I really don’t care that much.
Comment 4 Miloslav Trmac 2015-06-03 19:49:39 UTC
ACK.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.