polkit was updated to the 0.113 release, fixing security issues and bugs.
Security issues fixed:
* Fixes CVE-2015-4625, a local privilege escalation due to predictable
authentication session cookie values. Thanks to Tavis Ormandy, Google Project
Zero for reporting this issue. For the future, authentication agents are
encouraged to use PolkitAgentSession instead of using the D-Bus agent response
API directly. (bsc#935119)
* Fixes CVE-2015-3256, various memory corruption vulnerabilities in use of the
JavaScript interpreter, possibly leading to local privilege escalation.
(bsc#943816)
* Fixes CVE-2015-3255, a memory corruption vulnerability in handling duplicate
action IDs, possibly leading to local privilege escalation. Thanks to
Laurent Bigonville for reporting this issue. (bsc#939246)
* Fixes CVE-2015-3218, which allowed any local user to crash polkitd. Thanks to
Tavis Ormandy, Google Project Zero, for reporting this issue. (bsc#933922)
Other issues fixed:
* On systemd-213 and later, the "active" state is shared across all sessions of
an user, instead of being tracked separately.
* pkexec, when not given a program to execute, runs the users shell by
default.
* Fixed shutdown problems on powerpc64le (bsc#950114)
* polkit had a memory leak (bsc#912889)
- Submitted by Marcus Meissner (msmeissn)