diff -Nru software-properties-0.92.17.2/debian/changelog software-properties-0.92.17.3/debian/changelog
--- software-properties-0.92.17.2/debian/changelog 2013-09-13 12:12:39.000000000 +0000
+++ software-properties-0.92.17.3/debian/changelog 2013-09-13 14:06:19.000000000 +0000
@@ -1,4 +1,4 @@
-software-properties (0.92.17.2) raring-security; urgency=low
+software-properties (0.92.17.3) raring-security; urgency=low
 * SECURITY UPDATE: possible privilege escalation via policykit UID lookup race.
@@ -7,7 +7,7 @@
 information from the system bus.
 - CVE-2013-1061
- -- Marc Deslauriers Fri, 13 Sep 2013 08:10:08 -0400
+ -- Marc Deslauriers Fri, 13 Sep 2013 10:05:28 -0400
 software-properties (0.92.17.1) raring; urgency=low
diff -Nru software-properties-0.92.17.2/softwareproperties/dbus/SoftwarePropertiesDBus.py software-properties-0.92.17.3/softwareproperties/dbus/SoftwarePropertiesDBus.py
--- software-properties-0.92.17.2/softwareproperties/dbus/SoftwarePropertiesDBus.py 2013-09-13 12:09:40.000000000 +0000
+++ software-properties-0.92.17.3/softwareproperties/dbus/SoftwarePropertiesDBus.py 2013-09-13 14:05:57.000000000 +0000
@@ -331,6 +331,12 @@
 # bus, and it does not make sense to restrict operations here
 return
+ # get peer PID
+ if self.dbus_info is None:
+ self.dbus_info = dbus.Interface(conn.get_object('org.freedesktop.DBus',
+ '/org/freedesktop/DBus/Bus', False), 'org.freedesktop.DBus')
+ pid = self.dbus_info.GetConnectionUnixProcessID(sender)
+
 # query PolicyKit
 if self.polkit is None:
 self.polkit = dbus.Interface(dbus.SystemBus().get_object(
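Review bot: The re-added `pid = self.dbus_info.GetConnectionUnixProcessID(sender)` in the SoftwarePropertiesDBus.py hunk has no comment saying what `pid` may be used for, although the changelog on this page describes the CVE-2013-1061 fix as passing the system-bus-name to PolicyKit instead of a pid. A PID resolved from the sender can be stale by the time an authorization check runs, so it should not become the PolicyKit subject again; where `pid` is consumed lies outside this hunk, so that cannot be confirmed from here. I would change the comment to `# get peer PID; do not use it as the PolicyKit subject (CVE-2013-1061: pass system-bus-name)`. The lookup also has no visible handling for a sender that has already left the bus, which presumably raises a D-Bus exception at this call, so it is worth confirming the caller treats that as a denial. The enclosing method starts and ends outside the hunk.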