[v3.2] polkit: cookie generator can wrap and two identical cookies could exist; DoS (CVE-2015-4625)
The “cookie” value that Polkit hands out is global to all polkit
users. And when `AuthenticationAgentResponse` is invoked, we
previously only received the cookie and target identity, and attempted
to find an agent from that.
The problem is that the current cookie is just an integer
counter, and if it overflowed, it would be possible for
an successful authorization in one session to trigger a response
in another session.
Reference:
https://security-tracker.debian.org/tracker/CVE-2015-4625
https://bugs.freedesktop.org/show\_bug.cgi?id=90837
(from redmine: issue id 4415, created on 2015-07-01, closed on 2015-08-06)
- Relations:
- parent #4411 (closed)
- Changesets:
- Revision 6fe5385e by Natanael Copa on 2015-07-08T09:04:27Z:
main/polkit: various security fixes
CVE-2015-3218
CVE-2015-3255
CVE-2015-4625
ref #4411
fixes #4415
(cherry picked from commit a215f1937c91916b1b5162e49e996708eb456e67)