Hi Colin, On Sat, 2015-05-30 at 09:36 -0400, an unknown sender wrote: > On Fri, May 29, 2015, at 02:08 PM, Tavis Ormandy wrote: > > Hello, I've noticed polkitd dumps core if you set an invalid object > > path when calling RegisterAuthenticationAgent. It looks like this code > > doesn't check if error was set before dereferencing it: > > Indeed, thanks for the report. Can someone review this patch?
The approach looks sound to me. A few things: 1. Please use spaces instead of tabs. 2. The test case doesn’t unref the GDBusConnection. 3. There’s no need for the ‘out’ label in the test case — just check if (reply != NULL) instead. 4. Would it be possible to plumb the test case into the tests/ directory? > I suppose this'll need a CVE, as local, authenticated users can > can DoS polkitd. Looks like it. I’ve checked RegisterAuthenticationAgentWithOptions and UnregisterAuthenticationAgent and they should not be vulnerable to the same attack. Philip
signature.asc
Description: This is a digitally signed message part
_______________________________________________ polkit-devel mailing list polkit-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/polkit-devel
