On 02/02/2017 06:51 AM, Leonard den Ottolander wrote:
pkcheck might not be directly vulnerable. However, pkexec is.
If that's so, why are you supplying patches to pkcheck rather than fixing pkexec?
In your bug report, you said, "The author clearly states that in his example exploit he gives himself a break, ... choosing a more easily exploitable binary so he does not have to add a privilege escalation." But that's not true. The author used pkexec *because* it's SUID root. Lots of programs can be made to crash due to memory errors. Those are bugs, but it's only exploitable if you can cause a program that has rights other than your own to execute code on your behalf. If you cause a program with your own rights to execute code, you're just executing code via a complicated path. It's not a security flaw because you have the rights to execute the same code directly, rather than through a memory handling flaw.