Opened 10 years ago
Closed 10 years ago
#6682 closed enhancement (fixed)
polkit-0.113
Reported by: | Fernando de Oliveira | Owned by: | |
---|---|---|---|
Priority: | high | Milestone: | 7.8 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description (last modified by )
http://www.freedesktop.org/software/polkit/releases/polkit-0.113.tar.gz
http://www.freedesktop.org/software/polkit/releases/polkit-0.113.tar.gz.sign
http://cgit.freedesktop.org/polkit/plain/NEWS
or
http://lists.freedesktop.org/archives/polkit-devel/2015-July/000432.html
--------------
polkit 0.113
--------------

NOTE: This release is an important security update, see below.

WARNING WARNING WARNING: This is a prerelease on the road to polkit 1.0. Public API might change and certain parts of the code still needs some security review. Use at your own risk.

This is polkit 0.113.

Highlights:

Fixes CVE-2015-4625, a local privilege escalation due to predictable authentication session cookie values. Thanks to Tavis Ormandy, Google Project Zero for reporting this issue. For the future, authentication agents are encouraged to use PolkitAgentSession instead of using the D-Bus agent response API directly.

Fixes CVE-2015-3256, various memory corruption vulnerabilities in use of the JavaScript interpreter, possibly leading to local privilege escalation.

Fixes CVE-2015-3255, a memory corruption vulnerability in handling duplicate action IDs, possibly leading to local privilege escalation. Thanks to Laurent Bigonville for reporting this issue.

Fixes CVE-2015-3218, which allowed any local user to crash polkitd. Thanks to Tavis Ormandy, Google Project Zero, for reporting this issue.

On systemd-213 and later, the “active” state is shared across all sessions of an user, instead of being tracked separately.

(pkexec), when not given a program to execute, runs the users’ shell by default.

Build requirements

• glib, gobject, gio >= 2.30
• mozjs185 or mozjs-17.0
• gobject-introspection >= 0.6.2 (optional)
• pam (optional)
• ConsoleKit OR systemd

Changes since polkit 0.112:

• PolkitSystemBusName: Add public API to retrieve Unix user
• examples/cancel: Fix to securely lookup subject
• sessionmonitor-systemd: Deduplicate code paths
• PolkitSystemBusName: Retrieve both pid and uid
• Port internals non-deprecated PolkitProcess API where possible
• Use G_GNUC_BEGIN_IGNORE_DEPRECATIONS to avoid warning spam
• pkexec: Work around systemd injecting broken XDG_RUNTIME_DIR
• pkexec: Support just plain "pkexec" to run shell
• .dir-locals: Style for Emacs - we don't use tabs
• authority: Avoid cookie wrapping by using u64 counter
• CVE-2015-3218: backend: Handle invalid object paths in RegisterAuthenticationAgent
• build: Start using git.mk
• Revert "authority: Avoid cookie wrapping by using u64 counter"
• authority: Add a helper method for checking whether an identity is root
• CVE-2015-4625: Use unpredictable cookie values, keep them secret
• CVE-2015-4625: Bind use of cookies to specific uids
• README: Note to send security reports via DBus's mechanism
• sessionmonitor-systemd: prepare for D-Bus "user bus" model
• polkitd: Fix problem with removing non-existent source
• authority: Fix memory leak in EnumerateActions call results handler
• Post-release version bump to 0.113
• Don't discard error data returned by polkit_system_bus_name_get_user_sync
• Fix a memory leak
• Refuse duplicate --user arguments to pkexec
• Fix a possible NULL dereference.
• Remove a redundant assignment.
• Simplify forced error domain registration
• Fix a typo, s/Evaluting/Evaluating/g
• s/INCLUDES/AM_CPPFLAGS/g
• Fix duplicate GError use when "uid" is missing
• Fix a crash when two authentication requests are in flight.
• docs: Update for changes to uid binding/AuthenticationAgentResponse2
• Don't pass an uninitialized JS parameter
• Don't add extra NULL group to subject.groups
• Don't store unrooted jsvals on heap
• Fix a per-authorization memory leak
• Fix a memory leak when registering an authentication agent
• Wrap all JS usage within “requests”
• Register heap-based JSObject pointers to GC
• Prevent builds against SpiderMonkey with exact stack rooting
• Clear the JS operation callback before invoking JS in the callback
• Fix spurious timeout exceptions on GC
• Fix GHashTable usage.
• Fix use-after-free in polkitagentsession.c
• sessionmonitor-systemd: Use sd_uid_get_state() to check session activity
• PolkitAgentSession: fix race between child and io watches
• Use libsystemd instead of older libsystemd-login if possible
• build: Fix several issues on FreeBSD
• Fixed compilation problem in the backend

Colin Walters and Miloslav Trmač, July 2, 2015
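Added illustration, not part of the ticket and not polkit's source: a minimal C model of the two CVE-2015-4625 changelog items above, contrasting a counter-based cookie with one drawn from the kernel CSPRNG and bound to the uid it was issued to. The struct, function names and the uids 1000/1001 are hypothetical, and the uid check is a simplified assumption about what "bind use of cookies to specific uids" means.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define COOKIE_LEN 33                      /* 32 hex digits + NUL */

/* Hypothetical pending-authentication record (not polkit's own struct). */
struct session { char cookie[COOKIE_LEN]; uid_t uid; int live; };

/* Weak: a counter. Anyone who sees one cookie knows the next one. */
static unsigned weak_counter;
void issue_weak(struct session *s, uid_t uid) {
    snprintf(s->cookie, sizeof s->cookie, "cookie%u", weak_counter++);
    s->uid = uid; s->live = 1;
}

/* Hardened: 128 bits from the kernel CSPRNG. Returns 0 on success. */
int issue_random(struct session *s, uid_t uid) {
    unsigned char raw[16];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return -1;      /* fail closed, never fall back */
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(s->cookie + 2 * i, 3, "%02x", (unsigned)raw[i]);
    s->uid = uid; s->live = 1;
    return 0;
}

/* Compare without stopping at the first mismatching byte. */
static int cookie_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Accept only the right cookie from the uid it was issued to, and only once. */
int accept_response(struct session *s, const char *cookie, uid_t caller) {
    if (!s->live || caller != s->uid || !cookie_equal(s->cookie, cookie)) return 0;
    s->live = 0;
    return 1;
}

int main(void) {
    struct session s;
    if (issue_random(&s, 1000) != 0) return 1;
    printf("wrong uid: %d\n", accept_response(&s, s.cookie, 1001));
    printf("right uid: %d\n", accept_response(&s, s.cookie, 1000));
    return 0;
}
```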
Change History (3)
comment:1 by , 10 years ago
Description: | modified (diff) |
---|
comment:2 by , 10 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at revision 16212.