
List:       oss-security
Subject:    [oss-security] CVE Request: policykit (minor)
From:       Kees Cook <kees () ubuntu ! com>
Date:       2010-04-01 16:55:25
Message-ID: 20100401165525.GD4078 () outflux ! net

Hi,

Dan Rosenberg found[1] a minor information disclosure vulnerability
in pkexec, which has been fixed[2] upstream.  It would disclose the
existence of files a given user would normally not be able to confirm:

$ pkexec /home/drosenbe/secret/hidden
(password prompt)
$ pkexec /home/drosenbe/secret/doesnotexist
Error getting information about /home/drosenbe/secret/doesnotexist: No such file or directory

Thanks,

-Kees

[1] Ubuntu bug: https://launchpad.net/bugs/532852
[2] http://cgit.freedesktop.org/PolicyKit/commit/?id=14bdfd816512a82b1ad258fa143ae5faa945df8a

-- 
Kees Cook
Ubuntu Security Team
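
Added example, not part of the original message and not PolicyKit code: a minimal C model of the existence oracle described above, next to one generic way to close it (authorize before touching the path), which is not claimed to be the upstream fix. The helper names, the reply codes and the sample paths are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum reply { REPLY_AUTH_REQUIRED, REPLY_NO_SUCH_FILE, REPLY_WOULD_RUN };

/* Flawed order: stat() runs with the helper's privileges before the caller
 * is authorized, so the error path reveals whether the file exists. */
enum reply helper_stat_first(const char *path, int authorized)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        fprintf(stderr, "Error getting information about %s: %s\n",
                path, strerror(errno));
        return REPLY_NO_SUCH_FILE;
    }
    if (!authorized)
        return REPLY_AUTH_REQUIRED;   /* the "(password prompt)" case */
    return REPLY_WOULD_RUN;
}

/* Hardened order: nothing about the path is reported until the caller
 * has been authorized, so both cases look identical from outside. */
enum reply helper_auth_first(const char *path, int authorized)
{
    struct stat st;
    if (!authorized)
        return REPLY_AUTH_REQUIRED;
    if (stat(path, &st) != 0)
        return REPLY_NO_SUCH_FILE;
    return REPLY_WOULD_RUN;
}

/* Returns 1 if an unauthorized caller can tell the two paths apart. */
int leaks_existence(enum reply (*helper)(const char *, int),
                    const char *present, const char *absent)
{
    return helper(present, 0) != helper(absent, 0);
}

int main(void)
{
    const char *present = "/";                          /* always exists */
    const char *absent = "/constructed-missing-path";   /* constructed sample */
    printf("stat first leaks: %d\n", leaks_existence(helper_stat_first, present, absent));
    printf("auth first leaks: %d\n", leaks_existence(helper_auth_first, present, absent));
    return 0;
}
```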