[CentOS] Serious attack vector on pkcheck ignored by Red Hat

Gordon Messmer gordon.messmer at gmail.com
Thu Feb 2 18:39:02 UTC 2017


On 02/02/2017 07:35 AM, Leonard den Ottolander wrote:
>> If that's so, why are you supplying patches to pkcheck rather than
>> fixing pkexec?
> The patch has a fix for three memory leaks. One memory leak that allows
> heap spraying in pkexec.c that according to the aforementioned article
> is *directly* exploitable and has been fixed upstream.



It took me a while to find the patch that you mentioned, which is 
probably why your bugs are being disregarded.  Entirely too much of your 
existing bug reports is spent discussing a non-issue.

If you want this issue to be taken seriously, I have a couple of 
pointers:  First, drop the bug reports that have been closed. Those 
tickets are now convoluted and clouded by misguided discussion of a bug 
in pkcheck.c, which isn't exploitable. Continued arguing in those bug 
reports will be counter-productive.

Open a new bug report and focus on this patch, exclusively:
https://cgit.freedesktop.org/polkit/commit/src/programs/pkexec.c?id=6c992bc8aefa195a41eaa41c07f46f17de18e25c

The upstream developer has disallowed multiple --user specifications in 
order to close a memory leak.  That memory leak can be used to cause the 
heap and the stack to run into each other, and that flaw has previously 
been combined with bugs in glibc to produce an exploit.  The glibc bug 
is now fixed, but there is still a risk that collision could be 
exploitable in combination with other, as yet undiscovered bugs.  If Red 
Hat is concerned with changing the behavior of pkexec in scripts, then 
they can still fix the memory leak without otherwise changing the 
behavior of the program by adding:

/* in the option-parsing loop of pkexec.c: release the previous --user
   value before opt_user is reassigned with g_strdup (argv[n]) */
if (opt_user != NULL)
  {
    g_free (opt_user);
  }

...instead of the upstream solution of failing on multiple --user 
specifications.  This will correct the leak and won't break any scripts 
that call --user multiple times.

That's it.  Keep your bug report simple.  Focus on the program that 
presents a security vulnerability due to being SUID root. Offer a 
solution that doesn't break any existing user applications.  Since the 
problem has been fixed upstream already, you don't need any bug reports 
with freedesktop.org, just with Red Hat for the polkit-112 package.
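The following is an added, stand-alone model of the --user handling discussed above; it is example code written for this page, not pkexec's own source and not code posted in the thread. Plain strdup()/free() stand in for g_strdup()/g_free(), and the allocation counters, the policy enum and the constructed command line are assumptions of the example. It shows the three behaviours side by side: the original loop that abandons one string per repeated --user (so an attacker repeating the option many times grows the heap by one allocation each time), the "free before reassign" fix proposed in the message, and the upstream behaviour of refusing a second --user. (In GLib, g_free() accepts NULL, so the NULL guard in the proposed patch is harmless but not required.)

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented allocation counter (an assumption of this example, not
 * anything pkexec has): every strdup() is counted so the leak is visible. */
static int live_allocs;

static char *dup_tracked(const char *s)
{
    char *p = strdup(s);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void free_tracked(char *p)
{
    if (p != NULL) {
        live_allocs--;
        free(p);
    }
}

enum user_policy {
    POLICY_LEAKY,          /* original pkexec: overwrite the pointer, never free */
    POLICY_FREE_PREVIOUS,  /* fix suggested in the message: free before reassign */
    POLICY_REJECT_REPEAT   /* upstream commit: a second --user is an error */
};

/* Last --user value accepted by parse_user_option(), kept for inspection. */
static char g_selected_user[64];

/* Model of pkexec's argv loop for --user/-u.  Returns the number of
 * allocations still live once the final opt_user has been released
 * (0 means no leak), -1 if POLICY_REJECT_REPEAT refused a repeated
 * --user, or -2 if --user was given without an argument. */
static int parse_user_option(int argc, char **argv, enum user_policy policy)
{
    char *opt_user = NULL;
    int n;

    live_allocs = 0;
    g_selected_user[0] = '\0';
    for (n = 1; n < argc; n++) {
        if (strcmp(argv[n], "--user") != 0 && strcmp(argv[n], "-u") != 0)
            break;                          /* first non-option: the command to run */
        n++;
        if (n >= argc) {
            free_tracked(opt_user);
            return -2;
        }
        if (opt_user != NULL) {
            if (policy == POLICY_REJECT_REPEAT) {
                free_tracked(opt_user);     /* refuse, as upstream now does */
                return -1;
            }
            if (policy == POLICY_FREE_PREVIOUS)
                free_tracked(opt_user);     /* the proposed leak fix */
            /* POLICY_LEAKY: the old string is simply abandoned on the heap */
        }
        opt_user = dup_tracked(argv[n]);
    }
    if (opt_user != NULL)
        snprintf(g_selected_user, sizeof g_selected_user, "%s", opt_user);
    free_tracked(opt_user);
    return live_allocs;
}

/* Constructed command line: --user given three times before the command. */
static int demo_repeated_user(enum user_policy policy)
{
    char *argv[] = { "pkexec", "--user", "root", "--user", "nobody",
                     "--user", "daemon", "/bin/true" };
    return parse_user_option((int)(sizeof argv / sizeof argv[0]), argv, policy);
}

int main(void)
{
    int rc;

    rc = demo_repeated_user(POLICY_LEAKY);
    printf("leaky:         %d string(s) leaked, user=%s\n", rc, g_selected_user);
    rc = demo_repeated_user(POLICY_FREE_PREVIOUS);
    printf("free previous: %d string(s) leaked, user=%s\n", rc, g_selected_user);
    rc = demo_repeated_user(POLICY_REJECT_REPEAT);
    printf("reject repeat: rc=%d (second --user refused)\n", rc);
    return 0;
}
```

With the constructed command line the leaky variant reports two abandoned strings (one per repeated --user beyond the first), the free-before-reassign variant reports none while still honouring the last --user given, and the upstream variant returns -1 at the second --user. That difference in observable behaviour is exactly the script-compatibility argument made in the message.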