oss-sec mailing list archives

CVE Request: policykit (minor)


From: Kees Cook <kees () ubuntu com>
Date: Thu, 1 Apr 2010 09:55:25 -0700

Hi,

Dan Rosenberg found[1] a minor information disclosure vulnerability
in pkexec, which has been fixed[2] upstream.  It would disclose the
existence of files a given user would normally not be able to confirm:

$ pkexec /home/drosenbe/secret/hidden
(password prompt)
$ pkexec /home/drosenbe/secret/doesnotexist
Error getting information about /home/drosenbe/secret/doesnotexist: No such file or directory

Thanks,

-Kees

[1] Ubuntu bug: https://launchpad.net/bugs/532852
[2] http://cgit.freedesktop.org/PolicyKit/commit/?id=14bdfd816512a82b1ad258fa143ae5faa945df8a

-- 
Kees Cook
Ubuntu Security Team
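
The following C sketch is an added illustration, not part of the original message and not the PolicyKit code or the upstream commit. It shows why examining the requested path before the caller has authenticated produces the two distinguishable responses shown above, and how authenticating first removes the difference. The function names, the outcome enum and the `authorized` flag are hypothetical; in a real setuid helper the stat() call would run with elevated privileges.

```c
#include <stdio.h>
#include <sys/stat.h>

/* Outcomes visible to the unprivileged caller. */
enum outcome { RUN_OK, AUTH_REQUIRED, NOT_FOUND };

/* Hypothetical stand-in for the helper's authentication step; 0 models a
 * caller who cannot or does not authenticate. */
static int caller_authorized(int authorized) { return authorized; }

/* Ordering described in the report: the path is examined (in a real setuid
 * helper, with elevated privileges) before the caller has authenticated. */
enum outcome launch_check_first(const char *path, int authorized)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return NOT_FOUND;          /* tells anyone "does not exist" */
    if (!caller_authorized(authorized))
        return AUTH_REQUIRED;      /* tells anyone "exists" */
    return RUN_OK;
}

/* Authenticate first: an unauthenticated caller gets the same answer
 * whatever the path is, so the response carries no information. */
enum outcome launch_auth_first(const char *path, int authorized)
{
    struct stat st;
    if (!caller_authorized(authorized))
        return AUTH_REQUIRED;
    if (stat(path, &st) != 0)
        return NOT_FOUND;          /* only an authorized caller sees this */
    return RUN_OK;
}

int main(void)
{
    /* Constructed sample paths: "/" exists, the second should not. */
    const char *present = "/", *absent = "/constructed-example/doesnotexist";
    printf("check-first: %d vs %d\n",
           launch_check_first(present, 0), launch_check_first(absent, 0));
    printf("auth-first:  %d vs %d\n",
           launch_auth_first(present, 0), launch_auth_first(absent, 0));
    return 0;
}
```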

