Debian Bug report logs -
#787932
policykit-1: CVE-2015-3218: crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 6 Jun 2015 13:42:02 UTC
Severity: normal
Tags: patch, security, upstream
Found in version policykit-1/0.105-3
Fixed in versions policykit-1/0.113-1, policykit-1/0.105-11
Done: Martin Pitt <mpitt@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#787932; Package src:policykit-1.
(Sat, 06 Jun 2015 13:42:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>.
(Sat, 06 Jun 2015 13:42:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: policykit-1
Version: 0.105-3
Severity: normal
Tags: security upstream patch
Hi,
the following vulnerability was published for policykit-1.
CVE-2015-3218[0]:
crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-3218
[1] http://cgit.freedesktop.org/polkit/commit/?id=48e646918efb2bf0b3b505747655726d7869f31c
Regards,
Salvatore
Marked as fixed in versions policykit-1/0.113-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Fri, 03 Jul 2015 17:15:08 GMT) (full text, mbox, link).
Reply sent
to Martin Pitt <mpitt@debian.org>:
You have taken responsibility.
(Fri, 10 Jul 2015 11:24:15 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 10 Jul 2015 11:24:15 GMT) (full text, mbox, link).
Message #12 received at 787932-close@bugs.debian.org (full text, mbox, reply):
Source: policykit-1
Source-Version: 0.105-11
We believe that the bug you reported is fixed in the latest version of
policykit-1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 787932@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <mpitt@debian.org> (supplier of updated policykit-1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 10 Jul 2015 13:03:33 +0200
Source: policykit-1
Binary: policykit-1 policykit-1-doc libpolkit-gobject-1-0 libpolkit-gobject-1-dev libpolkit-agent-1-0 libpolkit-agent-1-dev libpolkit-backend-1-0 libpolkit-backend-1-dev gir1.2-polkit-1.0
Architecture: source amd64 all
Version: 0.105-11
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Martin Pitt <mpitt@debian.org>
Description:
gir1.2-polkit-1.0 - GObject introspection data for PolicyKit
libpolkit-agent-1-0 - PolicyKit Authentication Agent API
libpolkit-agent-1-dev - PolicyKit Authentication Agent API - development files
libpolkit-backend-1-0 - PolicyKit backend API
libpolkit-backend-1-dev - PolicyKit backend API - development files
libpolkit-gobject-1-0 - PolicyKit Authorization API
libpolkit-gobject-1-dev - PolicyKit Authorization API - development files
policykit-1 - framework for managing administrative policies and privileges
policykit-1-doc - documentation for PolicyKit-1
Closes: 787932 791397
Changes:
policykit-1 (0.105-11) unstable; urgency=medium
.
* Add 00git_invalid_object_paths.patch: backend: Handle invalid object paths
in RegisterAuthenticationAgent (CVE-2015-3218, Closes: #787932)
* policykit-1.postinst: Reload systemd before restarting polkitd.service, to
avoid "Warning: polkitd.service changed on disk". (Closes: #791397)
Checksums-Sha1:
f7d841f7ef7dfb7671f2b61c03eb97a6921f6227 2881 policykit-1_0.105-11.dsc
7835caf3197a45bbcf8968c8b3d8a679febe2733 20516 policykit-1_0.105-11.debian.tar.xz
184b601758d6b6797f9f5609069cd81f1adcde14 14486 gir1.2-polkit-1.0_0.105-11_amd64.deb
e4834a16839e42be86d3e1d1f888b163339d1eed 22382 libpolkit-agent-1-0_0.105-11_amd64.deb
17aaac1f6484e1d791c4cf3052d6d6edea703fe9 28236 libpolkit-agent-1-dev_0.105-11_amd64.deb
d6d9de92fec58cd8f5af60925625e8065dd68438 43008 libpolkit-backend-1-0_0.105-11_amd64.deb
21814a1abd65828994e92f98673b11fe01efdce1 47542 libpolkit-backend-1-dev_0.105-11_amd64.deb
0d09028653b82184a54212260485cd1d21c7ee14 40888 libpolkit-gobject-1-0_0.105-11_amd64.deb
0a4495628de8eea55ac57bf73945acfff7b3f351 59270 libpolkit-gobject-1-dev_0.105-11_amd64.deb
798bedf6a83fc0c5cd9155b3fb38a02770f89b23 262190 policykit-1-doc_0.105-11_all.deb
5adc5adb0bfc03eae4094fb60e2ea9a4a0f885b2 58866 policykit-1_0.105-11_amd64.deb
Checksums-Sha256:
1cc9fa37a2eca168c749bea7434ea3f3022df0beb963c650830df2ad1130e65d 2881 policykit-1_0.105-11.dsc
38429d9091f9fe4f81f5cb69dc358d806f1be2ea93bc8b3225e253deb1018846 20516 policykit-1_0.105-11.debian.tar.xz
a3171a7c4edcc0db49804299fe4236b0d5a7952c163d04cdc06f87981f8f6a55 14486 gir1.2-polkit-1.0_0.105-11_amd64.deb
e7658a917d1830f20d612d8e77c9fb4e08e5e211c1f26a95640406deca7aee42 22382 libpolkit-agent-1-0_0.105-11_amd64.deb
d5406827e8cb2260b38375bf1f1437c0aac93a4457d9687cb79f9dddbb44245e 28236 libpolkit-agent-1-dev_0.105-11_amd64.deb
1413ba1734b18816b8baf8e5647c516a79912fc2151c8f36142b194a84f8eeac 43008 libpolkit-backend-1-0_0.105-11_amd64.deb
78e36733a9924f8e893c460345ccae444bd89a9faa75a104a142579c4e0938a2 47542 libpolkit-backend-1-dev_0.105-11_amd64.deb
d5cf97cc3f3f8ca8dfa2c5137ebf0c35740fefd2a8a9f85ce0cb4f66e1b0ecc8 40888 libpolkit-gobject-1-0_0.105-11_amd64.deb
52f20646e2932ea272c1adeb7627ebad9742674964f1a3d4c5ca5a8473763aa2 59270 libpolkit-gobject-1-dev_0.105-11_amd64.deb
ddf489867107e1a9e84b285e4d18e769b18db961c91622c27892788a4b90adbb 262190 policykit-1-doc_0.105-11_all.deb
ae6ba92b72d42770e3e0fb9eb1fb63ecd5921a04ef64ca55fd221c1ae83b8be4 58866 policykit-1_0.105-11_amd64.deb
Files:
9bd8c391a162cc3ce2abc88786b2fad1 2881 admin optional policykit-1_0.105-11.dsc
cf3c0645414e8e22d0420d5509089d41 20516 admin optional policykit-1_0.105-11.debian.tar.xz
a35b16510a4de2a70d4288b9eef1e7f3 14486 introspection optional gir1.2-polkit-1.0_0.105-11_amd64.deb
09359ce77c126b0ac9150af4454df67c 22382 libs optional libpolkit-agent-1-0_0.105-11_amd64.deb
8b0835c8b4043bd7c66c61c350e49719 28236 libdevel optional libpolkit-agent-1-dev_0.105-11_amd64.deb
ad90090b647fce8dc7d733deb0597331 43008 libs optional libpolkit-backend-1-0_0.105-11_amd64.deb
de64722e188ddefa8321ef0fdb4f6446 47542 libdevel optional libpolkit-backend-1-dev_0.105-11_amd64.deb
3456cb5033706ab05ff89a92826f26f8 40888 libs optional libpolkit-gobject-1-0_0.105-11_amd64.deb
bbf3133ff9b103be284f22d2ac3388a7 59270 libdevel optional libpolkit-gobject-1-dev_0.105-11_amd64.deb
5bc5c203da27a4e39956281edc584b03 262190 doc optional policykit-1-doc_0.105-11_all.deb
9e5aebf662d530ec3728631a908899c2 58866 admin optional policykit-1_0.105-11_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJVn6b5AAoJENFO8V2v4RNHkdEP+wWWiemaI/6OThZz+4cIsBXk
bTz57xcj48B2k9mFs+qPoUBHiPggU+W3ZrdP55gQb/v2pIztKOyJyFXTBbkRQ92b
EKp8fRLHG5vlShLF1OYvuwKRoQZ/LzB/1UBKsKvGqFQET2mCFhaJyxSWub0nPuoe
WDLpnRG2Ma00WJXH5aUcX2mX4qxr63MCneLnELw/aemBnehqJpF10VEf7KxierDw
BtsOxMlS9w71YaVV6tZdcpsocf0BqPmKdrbb38Zgjb6D/YWGfdnaPoyzP6uD4tzq
AqfoQfqm4KPIBa13CaRApqMsp6MpZt+SiU49FWbqU898g/v2KLszlySvoQdYcKhg
0nCr3P4Rip6cGRhi4iP4ZiUr6E+y5jdFYO5COPLhQ/nruyhHSUFW1J7hfUC8cSo1
VJZWcth4Hqu50UPZftEmF/rCFu5zs2VjmMXFTXqbM0d80K+OtSeWa8cxuyGjzNHS
6mIWlfHIUxKZ8X8VnTX+L/+VzKMF1naSz9Lxc2tXaRnf/JyVax77KlOXGrWGgVD4
lolq03x89pwHH4BCLPExra5bG0jzMGnhG9wKGHmHRulBMp+T9r8A2kdRN3FxBCUb
tyPNonSZaTXCNFAQx6ZTuRXYy4HWh9msGVCcZuaBTSkm+U6GEELYOUebFscbb4QU
NxVO1LIlbv4luGFwe237
=dIRD
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 13 Aug 2015 07:27:36 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:22:22 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon