Updated polkit package fixes security vulnerabilities
Publication date: 05 Jul 2015
Modification date: 09 Jul 2015
Type: security
Affected Mageia releases: 4, 5
CVE: CVE-2015-3218, CVE-2015-3255, CVE-2015-3256, CVE-2015-4625
Description
Local privilege escalation in polkit before 0.113 due to predictable
authentication session cookie values (CVE-2015-4625).

Various memory corruption vulnerabilities in polkit before 0.113 in the
use of the JavaScript interpreter, possibly leading to local privilege
escalation (CVE-2015-3256).

Memory corruption vulnerability in polkit before 0.113 in handling
duplicate action IDs, possibly leading to local privilege escalation
(CVE-2015-3255).

Denial of service issue in polkit before 0.113 which allowed any local
user to crash polkitd (CVE-2015-3218).
References
- https://bugs.mageia.org/show_bug.cgi?id=16135
- http://lists.freedesktop.org/archives/polkit-devel/2015-July/000432.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3218
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3255
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3256
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4625
SRPMS
4/core
- polkit-0.113-1.mga4
5/core
- polkit-0.113-1.mga5