Devuan bug report logs - #269
policykit-1: CVE-2018-19788

Package: policykit-1; Maintainer for policykit-1 is Devuan Dev Team <>;

Reported by: Berbe <>

Date: Sat, 8 Dec 2018 09:40:03 UTC

Severity: critical

Merged with 268

Done: KatolaZ <>


Subject: bug#269: policykit-1: CVE-2018-19788
From: Berbe <>
To: Devuan Bug Tracking System <>
Message-ID: <>
X-Mailer: reportbug 7.1.6+devuan2.1
Date: Fri, 07 Dec 2018 18:41:08 +0100
Package: policykit-1
Version: 0.105-18+devuan2.11
Severity: critical

Dear Maintainer,

Following CVE-2018-19788, it seems the current stable 0.105-18+devuan2.11 is susceptible to the bug in the policykit-1 package from upstream, allowing any user with UID > INT_MAX to have access to root commands:

1. service nginx status
-bash: service: command not found
2. sudo useradd -u 4000000000 test
3. sudo -u test service nginx status
nginx is running.

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 9 (n/a)
Release:	9
Codename:	n/a

Architecture: x86_64

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages policykit-1 depends on:
ii  dbus                   1.10.26-0+deb9u1
ii  libc6                  2.24-11+deb9u3
ii  libglib2.0-0           2.50.3-2
ii  libpam0g               1.1.8-3.6
ii  libpolkit-agent-1-0    0.105-18+devuan2.11
ii  libpolkit-backend-1-0  0.105-18+devuan2.11
ii  libpolkit-gobject-1-0  0.105-18+devuan2.11

policykit-1 recommends no packages.

policykit-1 suggests no packages.

-- no debconf information
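
A defensive audit for the precondition named in the report above (an account with UID > INT_MAX), as an added example that is not part of the original bug report or of policykit-1. The function names are hypothetical and INT_MAX is assumed to be 2147483647 (32-bit int).

```shell
#!/bin/sh
# Added example: audit for accounts whose UID exceeds INT_MAX (2^31 - 1),
# the precondition the report names for CVE-2018-19788.
# Assumption: int is 32 bits wide on the audited system.
INT_MAX=2147483647

# find_high_uids [FILE]   (hypothetical helper name)
# Reads passwd-format lines from FILE, or from `getent passwd` when no FILE
# is given (so NSS sources such as LDAP are covered as well), and prints
# "name:uid" for every entry whose numeric UID is above INT_MAX.
find_high_uids() {
    if [ "$#" -gt 0 ]; then
        cat -- "$1"
    else
        getent passwd
    fi | awk -F: -v max="$INT_MAX" '
        /^[#+-]/ || NF < 3 { next }    # comments, NIS compat markers, short lines
        $3 !~ /^[0-9]+$/   { next }    # UID field is not a plain number
        ($3 + 0) > max     { print $1 ":" $3 }
    '
}

# audit_high_uids [FILE]   (hypothetical helper name)
# Returns 1 and lists the accounts if any such account exists, else returns 0.
audit_high_uids() {
    hits=$(find_high_uids "$@")
    if [ -n "$hits" ]; then
        printf 'accounts with UID > %s:\n%s\n' "$INT_MAX" "$hits"
        return 1
    fi
    return 0
}
```

Run `audit_high_uids` with no argument to check the live account database, or pass a passwd-format file to check an offline copy.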


Devuan Bugs Owner <>.
Last modified: Sat Aug 8 14:57:44 2020;