LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

MeeGo alert MeeGo-SA-10:14 (polkit)



From:
    	      "Ware, Ryan R" <ryan.r.ware@intel.com> 


To:
    	      "meego-security@meego.com" <meego-security@meego.com> 


Subject:
    	      [MeeGo-security] [MeeGo-SA-10:14.polkit] pkexec Information
	Disclosure 


Date:
    	      Fri, 27 Aug 2010 16:22:25 -0700


Message-ID:
    	      <C89D96C1.363AD%ryan.r.ware@intel.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
==
MeeGo-SA-10:14.polkit                Security Advisory
                                                                MeeGo
Project

Topic:          pkexec Information Disclosure

Category:       Security
Module:         polkit
Announced:      August 3, 2010
Affects:        MeeGo 1.0
Corrected:      August 3, 2010
MeeGo BID: 2182
CVE:  none

For general information regarding MeeGo Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://www.MeeGo.com/>.

I.   Background

PolicyKit is a toolkit for defining and handling authorizations.
It is used for allowing unprivileged processes to speak to privileged
processes.

II.  Problem Description

Reproduce Steps(steps,current result, reproduce possibility)
===========================================================
http://bugs.freedesktop.org/show_bug.cgi?id=26982
$ mkdir secret 
$ sudo chown root:root secret
$ sudo chmod 400 secret
$ sudo touch secret/hidden
$ pkexec /home/drosenbe/secret/hidden
(password prompt) 
$ pkexec /home/drosenbe/secret/doesnotexist
Error getting information about /home/drosenbe/secret/doesnotexist: No
such file or directory

Expected result:
===========================================================

III. Impact

Allows local users to determine the existence of arbitrary files

IV.  Workaround

None

V.   Solution

Update to package polkit-0.95_git20090913-4.1 or later.

VI. References

http://bugs.meego.com/show_bug.cgi?id=2182

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (Darwin)

iQEcBAEBAgAGBQJMeEPKAAoJECxjfBlj7RcKlhcH/AkN0c3h+me+OUqS6MYey8W4
FoG3xdzc8IBoWJlZ0K2EHlNqgAkv3h74xw786cOuNCChCXnA49iPZHQCNUKEm+mL
+91sXcEr+Mp/NsF9FArreHMsYc3VVtMVzkj4hh6R7SqFtHXWfGL+Q5jEaGSukW+w
m4dyMDWoq1J2p+etNVXetgvDpbbMx1DSWizU/6r6GYSXE0FT9Q9Vt6Tr2DifrhvP
cxzcaU1XXkEqLUMjTwDypxa/NUVpid1Arw/yE6hFo74rg53mhrIEi2eMz/bqbFd9
n0ThM2Lff5tX539p1P+WvDen0/K6L/pS9Rx1omowgmCFdJWIOYrChxOBD4hyoJQ=
=UsyQ
-----END PGP SIGNATURE-----

_______________________________________________
MeeGo-security mailing list
MeeGo-security@meego.com
http://lists.meego.com/listinfo/meego-security
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds