On Thu, Jun 4, 2015, at 09:20 AM, Colin Walters wrote:
>
> But I'd be most comfortable if we did *both* "uid binding" and "secret
> cookie".

Ok, updated patches are in:

https://bugs.freedesktop.org/show_bug.cgi?id=90837
https://bugs.freedesktop.org/show_bug.cgi?id=90832

I wouldn't call these final, but I'd say they're good to review.

It seems like we agree there's a vulnerability here, so unless I hear any objections I'll ask for another CVE tomorrow.

I'm still working on actually attempting to exploit a synthetic cookie collision the patch from https://bugs.freedesktop.org/show_bug.cgi?id=90837#c1

One thing that became clear to me is you need a custom agent to do this; a normal agent won't understand that the request was authenticated "behind its back". So I'm working on:

https://github.com/cgwalters/polkit-otherauth-wait-text-agent