oss-sec mailing list archives
Re: KAuth security issues
From: Sebastian Krahmer <krahmer () suse de>
Date: Wed, 26 Mar 2014 09:08:56 +0100
On Wed, Mar 26, 2014 at 08:56:51AM +0100, Florian Weimer wrote:
On 03/26/2014 08:10 AM, Sebastian Krahmer wrote:I love to talk to myself, in particular via mailing lists. This issue seems to be addressed meanwhile via https://git.reviewboard.kde.org/r/117056/ by fixing the underlying polkit qt binding.Is the proposed change really correct? It uses getuid() as the subject, which looks wrong if you want to use this wrapper to check the capabilities of a D-Bus peer.
Indeed, please see here: https://bugzilla.novell.com/show_bug.cgi?id=864716 I'd avoid anything with PolkitProcessSubject entirely. Sebastian -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse de - SuSE Security Team
Current thread:
- KAuth security issues Sebastian Krahmer (Mar 24)
- Re: KAuth security issues Sebastian Krahmer (Mar 26)
- Re: KAuth security issues Florian Weimer (Mar 26)
- Re: KAuth security issues Sebastian Krahmer (Mar 26)
- Re: KAuth security issues Florian Weimer (Mar 26)
- Re: KAuth security issues Sebastian Krahmer (Mar 26)