From unknown Thu Mar 28 10:31:26 2024 Received: (at submit) by bugs.devuan.org; 7 Dec 2018 17:43:59 +0000 Return-Path: Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by fulcanelli with IMAP (fetchmail-6.3.26) for (single-drop); Fri, 07 Dec 2018 18:43:59 +0100 (CET) Received: from mail.rosset.net (rosset.net [62.210.209.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 2837BF6093F for ; Fri, 7 Dec 2018 18:41:09 +0100 (CET) Authentication-Results: vm6.ganeti.dyne.org; dkim=pass (1024-bit key; unprotected) header.d=rosset.net header.i=@rosset.net header.b="w5T9rg5y"; dkim-atps=neutral Received: by mail.rosset.net (Postfix, from userid 1000) id B6C2DE0279; Fri, 7 Dec 2018 18:41:08 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=rosset.net; s=NetNeutrality; t=1544204468; bh=Qh2OhVEyGD+yxbVNHnJqf32+SUjphhhTnfoF6byME0E=; h=From:To:Subject:Date:From; b=w5T9rg5yEFFmx2XrRekDJMB5hWOh0kIZ+nl9pbmupwIQUADrvIi8UC89aIoPBszD8 eWnzJ2b9V28vdVkkkUIbSN7VeYZgk9xniNPjD3j8PK70OzZrNmrXY68Us0jA/EZD/C Jl5dGa4OJeWOZXdCcEwz6kAMLdKLRF65W3A7sgQA= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Berbe To: Devuan Bug Tracking System Subject: policykit-1: CVE-2018-19788 Message-ID: <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr> X-Mailer: reportbug 7.1.6+devuan2.1 Date: Fri, 07 Dec 2018 18:41:08 +0100 X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org Package: policykit-1 Version: 0.105-18+devuan2.11 Severity: critical Dear Maintainer, Following CVE-2018-19788, it seems the current stable 0.105-18+devuan2.11 is susceptible to the bug in policykit-1 package from upstream, allowing any user with UID > INT_MAX to have access to root commands: 1. service nginx status -bash: service: command not found 2. sudo useradd -u 4000000000 test 3. sudo -u test service nginx status nginx is running. -- System Information: Distributor ID: Devuan Description: Devuan GNU/Linux 9 (n/a) Release: 9 Codename: n/a Architecture: x86_64 Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages policykit-1 depends on: ii dbus 1.10.26-0+deb9u1 ii libc6 2.24-11+deb9u3 ii libglib2.0-0 2.50.3-2 ii libpam0g 1.1.8-3.6 ii libpolkit-agent-1-0 0.105-18+devuan2.11 ii libpolkit-backend-1-0 0.105-18+devuan2.11 ii libpolkit-gobject-1-0 0.105-18+devuan2.11 policykit-1 recommends no packages. policykit-1 suggests no packages. -- no debconf information From unknown Thu Mar 28 10:31:26 2024 Received: (at control) by bugs.devuan.org; 8 Dec 2018 09:42:44 +0000 Return-Path: Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by fulcanelli with IMAP (fetchmail-6.3.26) for (single-drop); Sat, 08 Dec 2018 10:42:44 +0100 (CET) Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: katolaz@freaknet.org) with ESMTPSA id 38695F60A31 Date: Sat, 8 Dec 2018 10:45:26 +0100 From: KatolaZ To: control@bugs.devuan.org Subject: merge Message-ID: <20181208094526.qavcpp77vlwvifwd@katolaz.homeunix.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: NeoMutt/20170113 (1.7.2) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org merge 268 269 quit done From unknown Thu Mar 28 10:31:26 2024 Received: (at 269) by bugs.devuan.org; 8 Dec 2018 09:59:40 +0000 Return-Path: Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by fulcanelli with IMAP (fetchmail-6.3.26) for (single-drop); Sat, 08 Dec 2018 10:59:40 +0100 (CET) Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: katolaz@freaknet.org) with ESMTPSA id 00210F60A4D Date: Sat, 8 Dec 2018 10:58:35 +0100 From: KatolaZ To: 269@bugs.devuan.org Subject: mmhhh Message-ID: <20181208095835.fva7jscctb6giqsq@katolaz.homeunix.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: NeoMutt/20170113 (1.7.2) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org [Reported here due to a glitch with #268] There is no need to become root in order to use `service`: $ /usr/sbin/service nginx status [ ok ] nginx is running. $ Even with a user with id larger than 4000000000: $ sudo -u testpolkit /usr/sbin/service nginx stop [....] Stopping nginx: nginxstart-stop-daemon: warning: failed to kill 2509: Operation not permitted . ok $ That's because sudo does *not* use policykit to test user privileges (rather, it uses its own config files). So maybe this is not applicable in this case? HND KatolaZ From unknown Thu Mar 28 10:31:26 2024 Received: (at 269-done) by bugs.devuan.org; 27 Feb 2019 10:40:08 +0000 Return-Path: Delivered-To: devuanbugs@dyne.org Received: from tupac3.dyne.org [195.169.149.119] by fulcanelli with IMAP (fetchmail-6.3.26) for (single-drop); Wed, 27 Feb 2019 11:40:08 +0100 (CET) Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: katolaz@freaknet.org) with ESMTPSA id 61C9AF604C4 Date: Wed, 27 Feb 2019 11:39:41 +0100 From: KatolaZ To: 269-done@bugs.devuan.org Subject: solved in beowulf Message-ID: <20190227103941.urykatbuoz26mnoa@katolaz.homeunix.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vcy6cimoko4p6jrk" Content-Disposition: inline User-Agent: NeoMutt/20170113 (1.7.2) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org --vcy6cimoko4p6jrk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline This has been solved in policykit-0.105-25+devuan1, available in beowulf and ceres. Closing. --vcy6cimoko4p6jrk Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQSOWdaqRF79tKFTPVpfILOuC18GLwUCXHZo7QAKCRBfILOuC18G L4pkAJ9woTAlntVgxQ7dm4xlGv8/2OVHKwCeLCLHNeynWA/LJjVKmHMGnSnU7Gs= =yH5+ -----END PGP SIGNATURE----- --vcy6cimoko4p6jrk--