Devuan bug report logs - #658
policykit-1: CVE-2021-4034

Package: policykit-1; Maintainer for policykit-1 is Devuan Dev Team <devuan-dev@lists.dyne.org>; Source for policykit-1 is src:policykit-1.

Reported by: Dimitris <dimitris@stinpriza.org>

Date: Wed, 26 Jan 2022 10:26:01 UTC

Severity: critical

Found in version 0.105-31+devuan1

Fixed in versions 0.105-31.1+devuan1, 0.105-25+devuan0~bpo2+2, 0.105-31+devuan2, 0.105-25+devuan9

Done: Mark Hindley <mark@hindley.org.uk>

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to devuan-bugs@lists.dyne.org, dimitris@stinpriza.org, Devuan Dev Team <devuan-dev@lists.dyne.org>:
bug#658; Package policykit-1. (Wed, 26 Jan 2022 10:26:02 GMT) (full text, mbox, link).


Acknowledgement sent to Dimitris <dimitris@stinpriza.org>:
New bug report received and forwarded. Copy sent to dimitris@stinpriza.org, Devuan Dev Team <devuan-dev@lists.dyne.org>. (Wed, 26 Jan 2022 10:26:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.devuan.org (full text, mbox, reply):

From: Dimitris <dimitris@stinpriza.org>
To: Devuan Bug Tracking System <submit@bugs.devuan.org>
Subject: policykit-1: CVE-2021-4034
Date: Wed, 26 Jan 2022 12:24:28 +0200
Package: policykit-1
Version: 0.105-31+devuan1
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: dimitris@stinpriza.org

hey,

just a heads up on a very recent vulnerability found in polkit. a Local 
Privilege Escalation in polkit's pkexec (CVE-2021-4034). fixed in some 
versions in debian, probably devuan needs to address this too.

links :
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
https://security-tracker.debian.org/tracker/CVE-2021-4034

thanks in advance,
d.


-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 5 (daedalus/ceres)
Release:	5
Codename:	daedalus ceres
Architecture: x86_64

Kernel: Linux 5.16.2-xanmod1 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8), LANGUAGE 
not set
Shell: /bin/sh linked to /bin/dash
Init: runit (via /run/runit.stopit)
LSM: AppArmor: enabled

Versions of packages policykit-1 depends on:
ii  dbus                                                   1.12.20-3+devuan3
ii  libc6                                                  2.33-4
ii  libelogind0                                            246.10-3
ii  libexpat1                                              2.4.3-2
ii  libglib2.0-0                                           2.70.2-1
ii  libpam-elogind [logind]                                246.10-3
ii  libpam0g                                               1.4.0-11
ii  libpolkit-agent-1-0                                    0.105-31+devuan1
ii  libpolkit-gobject-1-0                                  0.105-31+devuan1
ii  libpolkit-gobject-elogind-1-0 [libpolkit-gobject-1-0]  0.105-31+devuan1

Versions of packages policykit-1 recommends:
ii  lxpolkit [polkit-1-auth-agent]           0.5.5-2+b1
ii  policykit-1-gnome [polkit-1-auth-agent]  0.105-7+b1

policykit-1 suggests no packages.

Versions of packages policykit-1 is related to:
ii  elogind                          246.10-3
ii  libpam-elogind [libpam-systemd]  246.10-3
pn  systemd                          <none>

-- no debconf information

Information forwarded to devuan-bugs@lists.dyne.org, Devuan Dev Team <devuan-dev@lists.dyne.org>:
bug#658; Package policykit-1. (Wed, 26 Jan 2022 12:12:01 GMT) (full text, mbox, link).


Acknowledgement sent to Dimitris <dimitris@stinpriza.org>:
Extra info received and forwarded to list. Copy sent to Devuan Dev Team <devuan-dev@lists.dyne.org>. (Wed, 26 Jan 2022 12:12:03 GMT) (full text, mbox, link).


Message #10 received at 658@bugs.devuan.org (full text, mbox, reply):

From: Dimitris <dimitris@stinpriza.org>
To: 658@bugs.devuan.org
Subject: Re: policykit-1: CVE-2021-4034
Date: Wed, 26 Jan 2022 14:10:13 +0200
seems a new version (0.105-31.1+devuan1) just came in ceres, which 
merges debian/0.105-31.1, so this is probably fixed for daedalus/ceres!

leaving it open, so you can confirm security fix & close as you think.

thanks!
d.

Reply sent to Mark Hindley <mark@hindley.org.uk>:
You have taken responsibility. (Wed, 26 Jan 2022 13:10:02 GMT) (full text, mbox, link).


Notification sent to Dimitris <dimitris@stinpriza.org>:
bug acknowledged by developer. (Wed, 26 Jan 2022 13:10:04 GMT) (full text, mbox, link).


Message #15 received at 658-done@bugs.devuan.org (full text, mbox, reply):

From: Mark Hindley <mark@hindley.org.uk>
To: Dimitris <dimitris@stinpriza.org>, 658-done@bugs.devuan.org
Subject: Re: bug#658: policykit-1: CVE-2021-4034
Date: Wed, 26 Jan 2022 13:07:44 +0000
Version: 0.105-31.1+devuan1

Dimitris,

On Wed, Jan 26, 2022 at 12:24:28PM +0200, Dimitris wrote:
> Package: policykit-1
> Version: 0.105-31+devuan1
> Severity: critical
> Tags: security
> Justification: root security hole
> X-Debbugs-Cc: dimitris@stinpriza.org

Updated binaries are already in unstable, daedalus, chimaera-security and
beowulf-security. Ascii-security is building.

Mark

Marked as fixed in versions 0.105-25+devuan0~bpo2+2. Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.devuan.org. (Thu, 27 Jan 2022 17:22:01 GMT) (full text, mbox, link).


Marked as fixed in versions 0.105-25+devuan9. Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.devuan.org. (Thu, 27 Jan 2022 17:22:01 GMT) (full text, mbox, link).


Marked as fixed in versions 0.105-31+devuan2. Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.devuan.org. (Thu, 27 Jan 2022 17:22:01 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sun Aug 7 16:45:17 2022;