Devuan bug report logs - #269
policykit-1: CVE-2018-19788

Severity: critical;
Package: policykit-1; Reported by: Berbe <>;
Date: Sat, 8 Dec 2018 09:40:03 UTC;
merged with #268; Done: KatolaZ <>;
Maintainer for policykit-1 is (unknown).

View this report as an mbox folder.

Report forwarded to,
bug#269; Package policykit-1. Full text available.

Acknowledgement sent to Berbe <>:
New bug report received and forwarded. Copy sent to Full text available.

Message received at

From: Berbe <>
To: Devuan Bug Tracking System <>
Subject: policykit-1: CVE-2018-19788
Date: Fri, 07 Dec 2018 18:41:08 +0100

Package: policykit-1
Version: 0.105-18+devuan2.11
Severity: critical

Dear Maintainer,

Following CVE-2018-19788, it seems the current stable 0.105-18+devuan2.11 is susceptible to the bug in policykit-1 package from upstream, allowing any user with UID > INT_MAX to have access to root commands:

1. service nginx status
-bash: service: command not found
2. sudo useradd -u 4000000000 test
3. sudo -u test service nginx status
nginx is running.

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 9 (n/a)
Release:	9
Codename:	n/a

Architecture: x86_64

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages policykit-1 depends on:
ii  dbus                   1.10.26-0+deb9u1
ii  libc6                  2.24-11+deb9u3
ii  libglib2.0-0           2.50.3-2
ii  libpam0g               1.1.8-3.6
ii  libpolkit-agent-1-0    0.105-18+devuan2.11
ii  libpolkit-backend-1-0  0.105-18+devuan2.11
ii  libpolkit-gobject-1-0  0.105-18+devuan2.11

policykit-1 recommends no packages.

policykit-1 suggests no packages.

-- no debconf information

Merged 268 269. Request was from KatolaZ <> to Full text available.

Information forwarded to,
bug#269; Package policykit-1. Full text available.

Acknowledgement sent to KatolaZ <>:
Extra info received and forwarded to list. Copy sent to Full text available.

Message received at

Date: Sat, 8 Dec 2018 10:58:35 +0100
From: KatolaZ <>
Subject: mmhhh

[Reported here due to a glitch with #268]

There is no need to become root in order to use `service`:

$ /usr/sbin/service nginx status
[ ok ] nginx is running.

Even with a user with id larger than 4000000000:

$ sudo -u testpolkit /usr/sbin/service nginx stop
[....] Stopping nginx: nginxstart-stop-daemon: warning: failed to kill 2509: Operation not permitted
. ok

That's because sudo does *not* use policykit to test user privileges
(rather, it uses its own config files). So maybe this is not
applicable in this case?



Reply sent to KatolaZ <>:
You have taken responsibility. Full text available.

Notification sent to Berbe <>:
bug acknowledged by developer. Full text available.

Message received at

Date: Wed, 27 Feb 2019 11:39:41 +0100
From: KatolaZ <>
Subject: solved in beowulf

[Message part 1 (text/plain, inline)]

This has been solved in policykit-0.105-25+devuan1, available in
beowulf and ceres. Closing.

[signature.asc (application/pgp-signature, inline)]

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <>.
Last modified: Sun, 15 Dec 2019 02:02:37 UTC