Publishing details

Changelog

policykit-1 (0.105-4ubuntu3.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via invalid object path
    - debian/patches/CVE-2015-3218.patch: handle invalid object paths in
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - CVE-2015-3218
  * SECURITY UPDATE: privilege escalation via duplicate action IDs
    - debian/patches/CVE-2015-3255.patch: fix GHashTable usage in
      src/polkitbackend/polkitbackendactionpool.c.
    - CVE-2015-3255
  * SECURITY UPDATE: privilege escalation via duplicate cookie values
    - debian/patches/CVE-2015-4625-1.patch: use unpredictable cookie values
      in configure.ac, src/polkitagent/polkitagenthelper-pam.c,
      src/polkitagent/polkitagenthelper-shadow.c,
      src/polkitagent/polkitagenthelperprivate.c,
      src/polkitagent/polkitagenthelperprivate.h,
      src/polkitagent/polkitagentsession.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - debian/patches/CVE-2015-4625-2.patch: bind use of cookies to specific
      uids in data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml,
      data/org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/overview.xml, src/polkit/polkitauthority.c,
      src/polkitbackend/polkitbackendauthority.c,
      src/polkitbackend/polkitbackendauthority.h,
      src/polkitbackend/polkitbackendinteractiveauthority.c.
    - debian/patches/CVE-2015-4625-3.patch: update docs in
      data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml,
      data/org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.xml,
      docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml,
      docs/polkit/overview.xml, src/polkit/polkitauthority.c,
      src/polkitagent/polkitagentlistener.c,
      src/polkitbackend/polkitbackendauthority.c.
    - CVE-2015-4625
  * SECURITY UPDATE: DoS and information disclosure
    - debian/patches/CVE-2018-1116.patch: properly check UID in
      src/polkit/polkitprivate.h, src/polkit/polkitunixprocess.c,
      src/polkitbackend/polkitbackendinteractiveauthority.c,
      src/polkitbackend/polkitbackendsessionmonitor-systemd.c,
      src/polkitbackend/polkitbackendsessionmonitor.c,
      src/polkitbackend/polkitbackendsessionmonitor.h.
    - debian/libpolkit-gobject-1-0.symbols: updated for new private symbol.
    - CVE-2018-1116

 -- Marc Deslauriers <email address hidden>  Fri, 13 Jul 2018 07:53:14 -0400

Available diffs

Builds

Package files