[v3.2] polkit: cookie generator can wrap and two identical cookies could exist; DoS (CVE-2015-4625)
The “cookie” value that Polkit hands out is global to all polkit
users. And when `AuthenticationAgentResponse` is invoked, we
previously only received the cookie and target identity, and attempted
to find an agent from that.
The problem is that the current cookie is just an integer
counter, and if it overflowed, it would be possible for
an successful authorization in one session to trigger a response
in another session.
(from redmine: issue id 4415, created on 2015-07-01, closed on 2015-08-06)
- parent #4411 (closed)
- Revision 6fe5385e by Natanael Copa on 2015-07-08T09:04:27Z:
main/polkit: various security fixes CVE-2015-3218 CVE-2015-3255 CVE-2015-4625 ref #4411 fixes #4415 (cherry picked from commit a215f1937c91916b1b5162e49e996708eb456e67)