Devuan bug report logs - #268
policykit-1: CVE-2018-19788

Severity: critical;
Package: policykit-1; Reported by: Berbe <bernard+devuan@rosset.net>;
Date: Fri, 7 Dec 2018 17:48:01 UTC;
merged with #269;
Maintainer for policykit-1 is (unknown).

View this report as an mbox folder.


Report forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#268; Package policykit-1. Full text available.



Information forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#268; Package policykit-1. Full text available.



Information forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#268; Package policykit-1. Full text available.



Information forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#268; Package policykit-1. Full text available.



Information forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#268; Package policykit-1. Full text available.



Information forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#268; Package policykit-1. Full text available.



Information forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#268; Package policykit-1. Full text available.



Acknowledgement sent to KatolaZ <katolaz@freaknet.org>:
Extra info received and forwarded to list. Copy sent to owner@bugs.devuan.org. Full text available.



Message received at 268@bugs.devuan.org:

Date: Sat, 8 Dec 2018 10:17:18 +0100
From: KatolaZ <katolaz@freaknet.org>
To: 268@bugs.devuan.org
Subject: mmhhh

[Message part 1 (text/plain, inline)]

There is no need to become root in order to use `service`:

$ /usr/sbin/service nginx status
[ ok ] nginx is running.
$

Even with a user with id larger than 4000000000:

$ sudo -u testpolkit /usr/sbin/service nginx stop
[....] Stopping nginx: nginxstart-stop-daemon: warning: failed to kill 2509: Operation not permitted
. ok
$

That's because sudo does *not* use policykit to test user privileges
(rather, it uses its own config files). So maybe this is not
applicable in this case?

HND

KatolaZ



[signature.asc (application/pgp-signature, inline)]






Merged 268 269. Request was from KatolaZ <katolaz@freaknet.org> to control@bugs.devuan.org. Full text available.



Information forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#268; Package policykit-1. Full text available.



Acknowledgement sent to KatolaZ <katolaz@freaknet.org>:
Extra info received and forwarded to list. Copy sent to owner@bugs.devuan.org. Full text available.



Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sun, 20 Jan 2019 23:03:26 UTC