On Thu, 2017-02-02 at 07:16 -0800, Gordon Messmer wrote:
> On 02/02/2017 06:51 AM, Leonard den Ottolander wrote:
> > pkcheck might not be directly vulnerable. However, pkexec is.
> If that's so, why are you supplying patches to pkcheck rather than fixing pkexec?
The patch has a fix for three memory leaks. One is a memory leak in pkexec.c that allows heap spraying and that, according to the aforementioned article, is *directly* exploitable; it has been fixed upstream. (Check the references I provided.)
Two similar memory leaks exist in pkcheck.c, for which I also provided patches. Even though these might not be so easily exploitable, the memory leaks in themselves allow a local attacker to "spray the heap", which makes it easier for him to leverage an attack. You do not want to allow an attacker to have such potent tools readily available.
Memory leaks are always bad, but these are seriously bad because they are attacker controlled.
Regards, Leonard.