On 02/02/2017 07:35 AM, Leonard den Ottolander wrote:
If that's so, why are you supplying patches to pkcheck rather than fixing pkexec?
The patch has a fix for three memory leaks. One memory leak that allows heap spraying in pkexec.c that according to the aforementioned article is*directly* exploitable and has been fixed upstream.
It took me a while to find the patch that you mentioned, which is probably why your bugs are being disregarded. Entirely too much of your existing bug reports is spent discussing a non-issue.
If you want this issue to be taken seriously, I have a couple of pointers: First, drop the bug reports that have been closed. Those tickets are now convoluted and clouded by misguided discussion of a bug in pkcheck.c, which isn't expoitable. Continued arguing in those bug reports will be counter-productive.
Open a new bug report and focus on this patch, exclusively: https://cgit.freedesktop.org/polkit/commit/src/programs/pkexec.c?id=6c992bc8...
The upstream developer has disallowed multiple --user specifications in order to close a memory leak. That memory leak can be used to cause the heap and the stack to run in to each other, and that flaw has previously been combined with bugs in glibc to produce an exploit. The glibc bug is now fixed, but there is still a risk that collision could be exploitable in combination with other, as yet undiscovered bugs. If Red Hat is concerned with changing the behavior of pkexec in scripts, then they can still fix the memory leak without otherwise changing the behavior of the program by adding:
if (opt_user != NULL) { g_free(opt_user); }
..instead of the upstream solution of failing on multiple --user specifications. This will correct the leak and won't break any scripts that call --user multiple times.
That's it. Keep your bug report simple. Focus on the program that presents a security vulnerability due to being SUID root. Offer a solution that doesn't break any existing user applications. Since the problem has been fixed upstream already, you don't need any bug reports with freedesktop.org, just with Red Hat for the polkit-112 package.