pkexec bad return code check, leading to segfault

Bug #548903 reported by Dan Rosenberg
This bug affects 1 person
Affects Status Importance Assigned to Milestone
policykit-1 (Ubuntu)

Bug Description

Binary package hint: policykit-1

I reported this bug upstream along with a patch, I just wanted to crosspost it here:

In pkexec.c, user information is looked up using getpwnam_r. The program
checks if the return code is not zero, which would indicate an error, and
terminates if so. However, if no error occurs and the user is not found in the
password database, this function returns 0 and sets the result passwd struct to
NULL ( , but this case is not
checked. As a result, when pwd is dereferenced later in the code, the program
segfaults. Confirm using:

pkexec --user doesnotexist /bin/ls

My patch has been submitted upstream.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.