Security update for polkit

polkit was updated to the 0.113 release, fixing security issues and bugs.

Security issues fixed:
* Fixes CVE-2015-4625, a local privilege escalation due to predictable
authentication session cookie values. Thanks to Tavis Ormandy, Google Project
Zero for reporting this issue. For the future, authentication agents are
encouraged to use PolkitAgentSession instead of using the D-Bus agent response
API directly. (bsc#935119)
* Fixes CVE-2015-3256, various memory corruption vulnerabilities in use of the
JavaScript interpreter, possibly leading to local privilege escalation.
(bsc#943816)
* Fixes CVE-2015-3255, a memory corruption vulnerability in handling duplicate
action IDs, possibly leading to local privilege escalation. Thanks to
Laurent Bigonville for reporting this issue. (bsc#939246)
* Fixes CVE-2015-3218, which allowed any local user to crash polkitd. Thanks to
Tavis Ormandy, Google Project Zero, for reporting this issue. (bsc#933922)

Other issues fixed:
* On systemd-213 and later, the "active" state is shared across all sessions of
an user, instead of being tracked separately.
* pkexec, when not given a program to execute, runs the users shell by
default.
* Fixed shutdown problems on powerpc64le (bsc#950114)
* polkit had a memory leak (bsc#912889)

Fixed bugs
bnc#933922
VUL-1: CVE-2015-3218: polkit: crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent
bnc#939246
VUL-0: CVE-2015-3255: polkit: Heap-corruption on duplicate ids
bnc#935119
VUL-1: CVE-2015-4625: polkit: cookie generation wrapping with 32bit counter
bnc#950114
Unable to authenticate reboot with root password
bnc#912889
polkit has a memory leak
bnc#943816
VUL-0: CVE-2015-3256: polkit: Memory corruption via javascript rule evaluation
Selected Binaries
openSUSE Build Service is sponsored by