From unknown Fri Mar 29 14:09:09 2024
Subject: bug#658: policykit-1: CVE-2021-4034
From: Dimitris
To: Devuan Bug Tracking System
Date: Wed, 26 Jan 2022 12:24:28 +0200
Message-ID: <40c391db-619c-579c-c077-3360f12400d3@stinpriza.org>
Resent-To: devuan-bugs@lists.dyne.org
Resent-CC: dimitris@stinpriza.org, Devuan Dev Team
Resent-Date: Wed, 26 Jan 2022 10:26:01 +0000
X-Devuan-PR-Message: report 658
X-Devuan-PR-Package: policykit-1

Package: policykit-1
Version: 0.105-31+devuan1
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: dimitris@stinpriza.org

hey, just a heads up on a very recent vulnerability found in polkit: a
Local Privilege Escalation in polkit's pkexec (CVE-2021-4034). Fixed in
some versions in Debian; probably Devuan needs to address this too.

links:
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
https://security-tracker.debian.org/tracker/CVE-2021-4034

thanks in advance,
d.

-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 5 (daedalus/ceres)
Release: 5
Codename: daedalus ceres
Architecture: x86_64

Kernel: Linux 5.16.2-xanmod1 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: runit (via /run/runit.stopit)
LSM: AppArmor: enabled

Versions of packages policykit-1 depends on:
ii  dbus                                                   1.12.20-3+devuan3
ii  libc6                                                  2.33-4
ii  libelogind0                                            246.10-3
ii  libexpat1                                              2.4.3-2
ii  libglib2.0-0                                           2.70.2-1
ii  libpam-elogind [logind]                                246.10-3
ii  libpam0g                                               1.4.0-11
ii  libpolkit-agent-1-0                                    0.105-31+devuan1
ii  libpolkit-gobject-1-0                                  0.105-31+devuan1
ii  libpolkit-gobject-elogind-1-0 [libpolkit-gobject-1-0]  0.105-31+devuan1

Versions of packages policykit-1 recommends:
ii  lxpolkit [polkit-1-auth-agent]           0.5.5-2+b1
ii  policykit-1-gnome [polkit-1-auth-agent]  0.105-7+b1

policykit-1 suggests no packages.

Versions of packages policykit-1 is related to:
ii  elogind                          246.10-3
ii  libpam-elogind [libpam-systemd]  246.10-3
pn  systemd

-- no debconf information

From unknown Fri Mar 29 14:09:09 2024
Subject: bug#658: policykit-1: CVE-2021-4034
From: Dimitris
To: 658@bugs.devuan.org
Date: Wed, 26 Jan 2022 14:10:13 +0200
Message-ID: <742bab9b-329d-7919-c4c7-913fc9423f92@stinpriza.org>
In-Reply-To: <40c391db-619c-579c-c077-3360f12400d3@stinpriza.org>
Resent-Date: Wed, 26 Jan 2022 12:12:01 +0000
X-Devuan-PR-Message: followup 658
X-Devuan-PR-Package: policykit-1

seems a new version (0.105-31.1+devuan1) just came in ceres, which merges
debian/0.105-31.1, so this is probably fixed for daedalus/ceres!
leaving it open, so you can confirm the security fix & close as you think.

thanks!
d.

From unknown Fri Mar 29 14:09:09 2024
From: "Devuan bug Tracking System"
To: Dimitris
Subject: bug#658 closed by Mark Hindley (Re: bug#658: policykit-1: CVE-2021-4034)
Date: Wed, 26 Jan 2022 13:10:04 +0000
References: <40c391db-619c-579c-c077-3360f12400d3@stinpriza.org>
Reply-To: 658@bugs.devuan.org
X-Devuan-PR-Message: they-closed 658
X-Devuan-PR-Package: policykit-1

This is an automatic notification regarding your bug report which was
filed against the policykit-1 package:

#658: policykit-1: CVE-2021-4034

It has been closed by Mark Hindley.

Their explanation is attached below along with your original report. If
this explanation is unsatisfactory and you have not received a better one
in a separate message then please contact Mark Hindley by replying to this
email.

-- 
658: https://bugs.devuan.org/cgi/bugreport.cgi?bug=658
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems

[Attached message]

Date: Wed, 26 Jan 2022 13:07:44 +0000
From: Mark Hindley
To: Dimitris, 658-done@bugs.devuan.org
Subject: Re: bug#658: policykit-1: CVE-2021-4034
In-Reply-To: <40c391db-619c-579c-c077-3360f12400d3@stinpriza.org>

Version: 0.105-31.1+devuan1

Dimitris,

On Wed, Jan 26, 2022 at 12:24:28PM +0200, Dimitris wrote:
> Package: policykit-1
> Version: 0.105-31+devuan1
> Severity: critical
> Tags: security
> Justification: root security hole
> X-Debbugs-Cc: dimitris@stinpriza.org

Updated binaries are already in unstable, daedalus, chimaera-security and
beowulf-security. Ascii-security is building.

Mark

[Attached message: the original report, Message-ID
<40c391db-619c-579c-c077-3360f12400d3@stinpriza.org>, identical to the
first message of this thread]

From unknown Fri Mar 29 14:09:09 2024
Date: Thu, 27 Jan 2022 17:20:55 +0000
From: Mark Hindley
To: control@bugs.devuan.org
Subject: add other CVE-2021-4034 fixed versions

package policykit-1
fixed 658 0.105-25+devuan0~bpo2+2
fixed 658 0.105-25+devuan9
fixed 658 0.105-31+devuan2
thanks
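Added editorial example, not part of the bug thread and not Devuan's or dpkg's own code: a small Python check that compares the installed policykit-1 version against the CVE-2021-4034 fixed versions recorded in this thread (0.105-25+devuan0~bpo2+2, 0.105-25+devuan9, 0.105-31+devuan2 and the closing version 0.105-31.1+devuan1), using the dpkg version-ordering rules from Debian Policy (epoch, then upstream, then Debian revision; "~" sorts before everything including the end of the string, digits before letters, letters before other punctuation). The comparison must be made against the fixed version of the suite the machine actually tracks: the version the report was filed against, 0.105-31+devuan1, sorts above the 0.105-25+devuan9 fix, so "at or above the lowest fixed version" would wrongly report it as fixed. The installed_version helper runs dpkg-query and returns None where dpkg is absent; the fallback version in the main block is the report's own and is a constructed stand-in for machines without dpkg.

```python
"""Compare an installed policykit-1 version against the CVE-2021-4034
fixed versions from Devuan bug #658, using dpkg's version ordering.
Constructed example for this thread; not Devuan's or dpkg's own code."""
import subprocess

# Fixed versions as recorded in the thread (closing mail and control message).
FIXED_VERSIONS = (
    "0.105-25+devuan0~bpo2+2",
    "0.105-25+devuan9",
    "0.105-31+devuan2",
    "0.105-31.1+devuan1",
)


def _isdigit(c):
    return c != "" and c in "0123456789"


def _order(c):
    """Weight of one character in dpkg's ordering: '~' lowest, then end of
    string and digits, then letters (ASCII value), then other punctuation."""
    if c == "~":
        return -1
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare an upstream or revision string the way dpkg does: alternate
    between non-digit runs (weighted per character) and numeric runs."""
    i = j = 0

    def ch(s, k):
        return s[k] if k < len(s) else ""

    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: first differing character weight decides.
        while (ch(a, i) and not _isdigit(ch(a, i))) or (ch(b, j) and not _isdigit(ch(b, j))):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros; the longer run wins, otherwise the
        # first differing digit.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while _isdigit(ch(a, i)) and _isdigit(ch(b, j)):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _isdigit(ch(a, i)):
            return 1
        if _isdigit(ch(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as 'dpkg --compare-versions' would order a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_fixed(installed, fixed_for_suite):
    """True when the installed version is at or above the fix for its suite."""
    return compare_versions(installed, fixed_for_suite) >= 0


def installed_version(package="policykit-1"):
    """Ask dpkg-query for the installed version; None if it cannot be read."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed fallback: the version the report was filed against.
    v = installed_version() or "0.105-31+devuan1"
    for fixed in FIXED_VERSIONS:
        print(f"{v} against {fixed}: {'fixed' if is_fixed(v, fixed) else 'NOT fixed'}")
```

Run it on a Devuan host and read only the line for the fixed version of your suite; the other lines show how the same installed version sorts against the other branches, which is where a naive lowest-fixed-version check goes wrong.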