Devuan bug report logs -
#269
policykit-1: CVE-2018-19788
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org
:
bug#269
; Package policykit-1
.
(full text, mbox, link).
Acknowledgement sent to Berbe <bernard+devuan@rosset.net>
:
New bug report received and forwarded. Copy sent to owner@bugs.devuan.org
.
(full text, mbox, link).
Message #5 received at submit@bugs.devuan.org (full text, mbox, reply):
Package: policykit-1
Version: 0.105-18+devuan2.11
Severity: critical
Dear Maintainer,
Following CVE-2018-19788, it seems the current stable 0.105-18+devuan2.11 is susceptible to the bug in policykit-1 package from upstream, allowing any user with UID > INT_MAX to have access to root commands:
1. service nginx status
-bash: service: command not found
2. sudo useradd -u 4000000000 test
3. sudo -u test service nginx status
nginx is running.
-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 9 (n/a)
Release: 9
Codename: n/a
Architecture: x86_64
Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages policykit-1 depends on:
ii dbus 1.10.26-0+deb9u1
ii libc6 2.24-11+deb9u3
ii libglib2.0-0 2.50.3-2
ii libpam0g 1.1.8-3.6
ii libpolkit-agent-1-0 0.105-18+devuan2.11
ii libpolkit-backend-1-0 0.105-18+devuan2.11
ii libpolkit-gobject-1-0 0.105-18+devuan2.11
policykit-1 recommends no packages.
policykit-1 suggests no packages.
-- no debconf information
Merged 268 269.
Request was from KatolaZ <katolaz@freaknet.org>
to control@bugs.devuan.org
.
(full text, mbox, link).
Information forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org
:
bug#269
; Package policykit-1
.
(full text, mbox, link).
Acknowledgement sent to KatolaZ <katolaz@freaknet.org>
:
Extra info received and forwarded to list. Copy sent to owner@bugs.devuan.org
.
(full text, mbox, link).
Message #12 received at 269@bugs.devuan.org (full text, mbox, reply):
[Reported here due to a glitch with #268]
There is no need to become root in order to use `service`:
$ /usr/sbin/service nginx status
[ ok ] nginx is running.
$
Even with a user with id larger than 4000000000:
$ sudo -u testpolkit /usr/sbin/service nginx stop
[....] Stopping nginx: nginxstart-stop-daemon: warning: failed to kill 2509: Operation not permitted
. ok
$
That's because sudo does *not* use policykit to test user privileges
(rather, it uses its own config files). So maybe this is not
applicable in this case?
HND
KatolaZ
Reply sent to KatolaZ <katolaz@freaknet.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Berbe <bernard+devuan@rosset.net>
:
bug acknowledged by developer.
(full text, mbox, link).
Message #17 received at 269-done@bugs.devuan.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
This has been solved in policykit-0.105-25+devuan1, available in
beowulf and ceres. Closing.
[signature.asc (application/pgp-signature, inline)]
Send a report that this bug log contains spam.