oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: KAuth security issues

From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 26 Mar 2014 09:08:56 +0100
On Wed, Mar 26, 2014 at 08:56:51AM +0100, Florian Weimer wrote:

On 03/26/2014 08:10 AM, Sebastian Krahmer wrote:

I love to talk to myself, in particular via mailing lists.
This issue seems to be addressed meanwhile via

https://git.reviewboard.kde.org/r/117056/

by fixing the underlying polkit qt binding.


Is the proposed change really correct?  It uses getuid() as the subject, 
which looks wrong if you want to use this wrapper to check the capabilities 
of a D-Bus peer.


Indeed, please see here:

https://bugzilla.novell.com/show_bug.cgi?id=864716

I'd avoid anything with PolkitProcessSubject entirely.

Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
Previous By Date Next
Previous By Thread Next

Current thread: