Date: Wed, 26 Mar 2014 09:08:56 +0100 From: Sebastian Krahmer <krahmer@...e.de> To: oss-security@...ts.openwall.com Subject: Re: KAuth security issues On Wed, Mar 26, 2014 at 08:56:51AM +0100, Florian Weimer wrote: > On 03/26/2014 08:10 AM, Sebastian Krahmer wrote: >> I love to talk to myself, in particular via mailing lists. >> This issue seems to be addressed meanwhile via >> >> https://git.reviewboard.kde.org/r/117056/ >> >> by fixing the underlying polkit qt binding. > > Is the proposed change really correct? It uses getuid() as the subject, > which looks wrong if you want to use this wrapper to check the capabilities > of a D-Bus peer. Indeed, please see here: https://bugzilla.novell.com/show_bug.cgi?id=864716 I'd avoid anything with PolkitProcessSubject entirely. Sebastian -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@...e.de - SuSE Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ