Devuan logs - #268, boring messages


Message sent to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:


X-Loop: owner@bugs.devuan.org
Subject: bug#268: policykit-1: CVE-2018-19788
Reply-To: Berbe <bernard+devuan@rosset.net>, 268@bugs.devuan.org
Resent-From: Berbe <bernard+devuan@rosset.net>
Resent-To: devuan-bugs@lists.dyne.org
Resent-CC: owner@bugs.devuan.org
Resent-Date: Fri, 07 Dec 2018 17:48:01 UTC
Resent-Message-ID: <handler.268.B.154420463918042@bugs.devuan.org>
Resent-Sender: owner@bugs.devuan.org
X-Devuan-PR-Message: report 268
X-Devuan-PR-Package: policykit-1
X-Devuan-PR-Keywords: 
Received: via spool by submit@bugs.devuan.org id=B.154420463918042
          (code B ref -1); Fri, 07 Dec 2018 17:48:01 UTC
Received: (at submit) by bugs.devuan.org; 7 Dec 2018 17:43:59 +0000
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by fulcanelli with IMAP (fetchmail-6.3.26)
	for <debbugs@localhost> (single-drop); Fri, 07 Dec 2018 18:43:59 +0100 (CET)
Received: from mail.rosset.net (rosset.net [62.210.209.186])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 2837BF6093F
	for <submit@bugs.devuan.org>; Fri,  7 Dec 2018 18:41:09 +0100 (CET)
Authentication-Results: vm6.ganeti.dyne.org;
	dkim=pass (1024-bit key; unprotected) header.d=rosset.net header.i=@rosset.net header.b="w5T9rg5y";
	dkim-atps=neutral
Received: by mail.rosset.net (Postfix, from userid 1000)
	id B6C2DE0279; Fri,  7 Dec 2018 18:41:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=rosset.net;
	s=NetNeutrality; t=1544204468;
	bh=Qh2OhVEyGD+yxbVNHnJqf32+SUjphhhTnfoF6byME0E=;
	h=From:To:Subject:Date:From;
	b=w5T9rg5yEFFmx2XrRekDJMB5hWOh0kIZ+nl9pbmupwIQUADrvIi8UC89aIoPBszD8
	 eWnzJ2b9V28vdVkkkUIbSN7VeYZgk9xniNPjD3j8PK70OzZrNmrXY68Us0jA/EZD/C
	 Jl5dGa4OJeWOZXdCcEwz6kAMLdKLRF65W3A7sgQA=
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Berbe <bernard+devuan@rosset.net>
To: Devuan Bug Tracking System <submit@bugs.devuan.org>
Message-ID: <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr>
X-Mailer: reportbug 7.1.6+devuan2.1
Date: Fri, 07 Dec 2018 18:41:08 +0100
X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,SPF_PASS autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

Package: policykit-1
Version: 0.105-18+devuan2.11
Severity: critical

Dear Maintainer,

Following CVE-2018-19788, it seems the current stable 0.105-18+devuan2.11 is susceptible to the bug in the policykit-1 package from upstream, allowing any user with UID > INT_MAX to have access to root commands:

1. service nginx status
-bash: service: command not found
2. sudo useradd -u 4000000000 test
3. sudo -u test service nginx status
nginx is running.


-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 9 (n/a)
Release:	9
Codename:	n/a

Architecture: x86_64

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages policykit-1 depends on:
ii  dbus                   1.10.26-0+deb9u1
ii  libc6                  2.24-11+deb9u3
ii  libglib2.0-0           2.50.3-2
ii  libpam0g               1.1.8-3.6
ii  libpolkit-agent-1-0    0.105-18+devuan2.11
ii  libpolkit-backend-1-0  0.105-18+devuan2.11
ii  libpolkit-gobject-1-0  0.105-18+devuan2.11

policykit-1 recommends no packages.

policykit-1 suggests no packages.

-- no debconf information
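The trigger in the report is a UID above INT_MAX. The following C example is added here and is neither polkit's code nor anything from this thread: it shows what a uid_t of 4000000000 becomes when narrowed to a signed int (the width mistake behind this class of bug) and scans passwd-format lines for accounts that fall into that range, which is the check a defender would run on an unpatched host. The passwd lines are constructed and all function names are mine.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Added illustration, not polkit's code. On Linux uid_t is an unsigned
 * 32-bit type, so 4000000000 (the value used in the report) is a valid uid_t
 * but does not fit in a signed int (INT_MAX is 2147483647). */

/* What a uid_t becomes when stored in a plain int. For 4000000000 the result
 * is negative: the conversion is implementation-defined and wraps on every
 * mainstream compiler. */
int uid_as_int(uid_t uid)
{
    return (int) uid;
}

/* True when the uid survives a round trip through int unchanged. */
bool uid_fits_in_int(uid_t uid)
{
    return uid <= (uid_t) INT_MAX;
}

/* Parse the uid field (third colon-separated field) of one /etc/passwd line.
 * Returns false on malformed input, a negative value, or a value that does
 * not fit in a 32-bit uid_t. */
bool parse_passwd_uid(const char *line, uid_t *uid_out)
{
    const char *p = line;
    for (int field = 0; field < 2; field++) {
        p = strchr(p, ':');
        if (p == NULL)
            return false;
        p++;
    }
    if (*p < '0' || *p > '9')        /* rejects empty, "-5" and non-numeric */
        return false;
    errno = 0;
    char *end;
    unsigned long long v = strtoull(p, &end, 10);
    if (errno != 0 || *end != ':' || v > 0xFFFFFFFFull)
        return false;
    *uid_out = (uid_t) v;
    return true;
}

/* Count accounts in a passwd-format buffer whose UID does not fit in an int.
 * Lines that fail to parse are skipped rather than treated as findings. */
int count_uids_above_int_max(const char *passwd_text)
{
    int count = 0;
    const char *line = passwd_text;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t) (nl - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            uid_t uid;
            if (parse_passwd_uid(buf, &uid) && !uid_fits_in_int(uid))
                count++;
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return count;
}

/* Constructed sample passwd content; "test" mirrors the report's
 * `useradd -u 4000000000 test`. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000::/home/alice:/bin/sh\n"
    "test:x:4000000000:4000000000::/home/test:/bin/sh\n";

int main(void)
{
    uid_t uid;
    if (parse_passwd_uid("test:x:4000000000:4000000000::/home/test:/bin/sh", &uid))
        printf("uid %lu as int: %d (fits in int: %s)\n", (unsigned long) uid,
               uid_as_int(uid), uid_fits_in_int(uid) ? "yes" : "no");
    printf("accounts with UID > INT_MAX: %d\n",
           count_uids_above_int_max(SAMPLE_PASSWD));
    return 0;
}
```

Run it against a real `/etc/passwd` by reading the file into a buffer and passing it to `count_uids_above_int_max`; any non-zero count on a host running the affected policykit-1 version is an account worth removing or renumbering until the fixed package is installed.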


Message sent to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:


X-Loop: owner@bugs.devuan.org
Subject: bug#268: mmhhh
Reply-To: KatolaZ <katolaz@freaknet.org>, 268@bugs.devuan.org
Resent-From: KatolaZ <katolaz@freaknet.org>
Resent-To: devuan-bugs@lists.dyne.org
Resent-CC: owner@bugs.devuan.org
Resent-Date: Sat, 08 Dec 2018 09:16:09 UTC
Resent-Message-ID: <handler.268.B268.154426055030115@bugs.devuan.org>
Resent-Sender: owner@bugs.devuan.org
X-Devuan-PR-Message: report 268
X-Devuan-PR-Package: policykit-1
X-Devuan-PR-Keywords: 
Received: via spool by 268-submit@bugs.devuan.org id=B268.154426055030115
          (code B ref 268); Sat, 08 Dec 2018 09:16:09 UTC
Received: (at 268) by bugs.devuan.org; 8 Dec 2018 09:15:50 +0000
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by fulcanelli with IMAP (fetchmail-6.3.26)
	for <debbugs@localhost> (single-drop); Sat, 08 Dec 2018 10:15:50 +0100 (CET)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(Authenticated sender: katolaz@freaknet.org)
	with ESMTPSA id 9419EF6097C
Date: Sat, 8 Dec 2018 10:17:18 +0100
From: KatolaZ <katolaz@freaknet.org>
To: 268@bugs.devuan.org
Message-ID: <20181208091718.je273iuhnkih7wux@katolaz.homeunix.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="inqsdvv7znhsuzot"
Content-Disposition: inline
User-Agent: NeoMutt/20170113 (1.7.2)
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED
	autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org



There is no need to become root in order to use `service`:

$ /usr/sbin/service nginx status
[ ok ] nginx is running.
$

Even with a user with id larger than 4000000000:

$ sudo -u testpolkit /usr/sbin/service nginx stop
[....] Stopping nginx: nginxstart-stop-daemon: warning: failed to kill 2509: Operation not permitted
. ok
$

That's because sudo does *not* use policykit to test user privileges
(rather, it uses its own config files). So maybe this is not
applicable in this case?

HND

KatolaZ





Message sent:


X-Loop: owner@bugs.devuan.org
From: owner@bugs.devuan.org (Devuan bug Tracking System)
To: KatolaZ <katolaz@freaknet.org>
Subject: bug#268: Info received (was mmhhh)
Message-ID: <handler.268.B268.154426055030115.ackinfo@bugs.devuan.org>
In-Reply-To: <20181208091718.je273iuhnkih7wux@katolaz.homeunix.net>
References: <20181208091718.je273iuhnkih7wux@katolaz.homeunix.net>
Precedence: bulk
X-Devuan-PR-Message: ack-info 268
X-Devuan-PR-Package: policykit-1
X-Devuan-PR-Keywords: 
Disabled-Doogie-Reply-To: 268@bugs.devuan.org

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developer(s) and
to the developers mailing list to accompany the original report.

Your message has been sent to the package maintainer(s):
 owner@bugs.devuan.org

If you wish to continue to submit further information on your problem,
please send it to 268@bugs.devuan.org, as before.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Devuan Bugs Owner
(administrator, Devuan bugs database)


Message received at control@bugs.devuan.org:


Received: (at control) by bugs.devuan.org; 8 Dec 2018 09:42:44 +0000
Return-Path: <katolaz@freaknet.org>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by fulcanelli with IMAP (fetchmail-6.3.26)
	for <debbugs@localhost> (single-drop); Sat, 08 Dec 2018 10:42:44 +0100 (CET)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(Authenticated sender: katolaz@freaknet.org)
	with ESMTPSA id 38695F60A31
Date: Sat, 8 Dec 2018 10:45:26 +0100
From: KatolaZ <katolaz@freaknet.org>
To: control@bugs.devuan.org
Subject: merge
Message-ID: <20181208094526.qavcpp77vlwvifwd@katolaz.homeunix.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: NeoMutt/20170113 (1.7.2)
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED
	autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

merge 268 269
quit
done
Message sent to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:


X-Loop: owner@bugs.devuan.org
Subject: bug#268: mmhhh
Reply-To: KatolaZ <katolaz@freaknet.org>, 268@bugs.devuan.org
Resent-From: KatolaZ <katolaz@freaknet.org>
Resent-To: devuan-bugs@lists.dyne.org
Resent-CC: owner@bugs.devuan.org
Resent-Date: Sat, 08 Dec 2018 09:54:18 UTC
Resent-Message-ID: <handler.268.B268.154426284012115@bugs.devuan.org>
Resent-Sender: owner@bugs.devuan.org
X-Devuan-PR-Message: report 268
X-Devuan-PR-Package: policykit-1
X-Devuan-PR-Keywords: 
Received: via spool by 268-submit@bugs.devuan.org id=B268.154426284012115
          (code B ref 268); Sat, 08 Dec 2018 09:54:18 UTC
Received: (at 268) by bugs.devuan.org; 8 Dec 2018 09:54:00 +0000
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by fulcanelli with IMAP (fetchmail-6.3.26)
	for <debbugs@localhost> (single-drop); Sat, 08 Dec 2018 10:54:00 +0100 (CET)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(Authenticated sender: katolaz@freaknet.org)
	with ESMTPSA id 743AFF60A39
Resent-From: Enzo <katolaz@katolaz.homeunix.net>
Resent-Date: Sat, 8 Dec 2018 10:56:34 +0100
Resent-Message-ID: <20181208095634.cj5i2g62e3tefxhb@katolaz.homeunix.net>
Resent-To: 269@bugs.devuan.org
Date: Sat, 8 Dec 2018 10:17:18 +0100
From: KatolaZ <katolaz@freaknet.org>
To: 268@bugs.devuan.org
Message-ID: <20181208091718.je273iuhnkih7wux@katolaz.homeunix.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="inqsdvv7znhsuzot"
Content-Disposition: inline
User-Agent: NeoMutt/20170113 (1.7.2)
X-Spam-Status: No, score=-0.8 required=5.0 tests=ALL_TRUSTED,
	HEADER_FROM_DIFFERENT_DOMAINS autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org



There is no need to become root in order to use `service`:

$ /usr/sbin/service nginx status
[ ok ] nginx is running.
$

Even with a user with id larger than 4000000000:

$ sudo -u testpolkit /usr/sbin/service nginx stop
[....] Stopping nginx: nginxstart-stop-daemon: warning: failed to kill 2509: Operation not permitted
. ok
$

That's because sudo does *not* use policykit to test user privileges
(rather, it uses its own config files). So maybe this is not
applicable in this case?

HND

KatolaZ





Message sent:


X-Loop: owner@bugs.devuan.org
From: owner@bugs.devuan.org (Devuan bug Tracking System)
To: KatolaZ <katolaz@freaknet.org>
Subject: bug#268: Info received (was mmhhh)
Message-ID: <handler.268.B268.154426284012115.ackinfo@bugs.devuan.org>
In-Reply-To: <20181208091718.je273iuhnkih7wux@katolaz.homeunix.net>
References: <20181208091718.je273iuhnkih7wux@katolaz.homeunix.net>
Precedence: bulk
X-Devuan-PR-Message: ack-info 268
X-Devuan-PR-Package: policykit-1
X-Devuan-PR-Keywords: 
Disabled-Doogie-Reply-To: 268@bugs.devuan.org

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developer(s) and
to the developers mailing list to accompany the original report.

Your message has been sent to the package maintainer(s):
 owner@bugs.devuan.org

If you wish to continue to submit further information on your problem,
please send it to 268@bugs.devuan.org, as before.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Devuan Bugs Owner
(administrator, Devuan bugs database)


Message sent:


X-Loop: owner@bugs.devuan.org
From: owner@bugs.devuan.org (Devuan bug Tracking System)
To: KatolaZ <katolaz@freaknet.org>
Cc: owner@bugs.devuan.org
Subject: bug#268: marked as done (policykit-1: CVE-2018-19788)
Message-ID: <handler.268.D269.155126400821812.ackdone@bugs.devuan.org>
In-Reply-To: <20190227103941.urykatbuoz26mnoa@katolaz.homeunix.net>
References: <20190227103941.urykatbuoz26mnoa@katolaz.homeunix.net> <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr>
Precedence: bulk
X-Devuan-PR-Message: closed 268
X-Devuan-PR-Package: policykit-1
X-Devuan-PR-Keywords: 

Your message dated Wed, 27 Feb 2019 11:39:41 +0100
with message-id <20190227103941.urykatbuoz26mnoa@katolaz.homeunix.net>
and subject line solved in beowulf
has caused the attached bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Devuan Bugs Owner
(administrator, Devuan bugs database)

--------------------------------------
Received: (at 269-done) by bugs.devuan.org; 27 Feb 2019 10:40:08 +0000
Return-Path: <katolaz@freaknet.org>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by fulcanelli with IMAP (fetchmail-6.3.26)
	for <debbugs@localhost> (single-drop); Wed, 27 Feb 2019 11:40:08 +0100 (CET)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(Authenticated sender: katolaz@freaknet.org)
	with ESMTPSA id 61C9AF604C4
Date: Wed, 27 Feb 2019 11:39:41 +0100
From: KatolaZ <katolaz@freaknet.org>
To: 269-done@bugs.devuan.org
Subject: solved in beowulf
Message-ID: <20190227103941.urykatbuoz26mnoa@katolaz.homeunix.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="vcy6cimoko4p6jrk"
Content-Disposition: inline
User-Agent: NeoMutt/20170113 (1.7.2)
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED
	autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org



This has been solved in policykit-0.105-25+devuan1, available in
beowulf and ceres. Closing.



Message sent:


X-Loop: owner@bugs.devuan.org
From: owner@bugs.devuan.org (Devuan bug Tracking System)
To: Berbe <bernard+devuan@rosset.net>
Subject: bug#268 acknowledged by developer
         (solved in beowulf)
Message-ID: <handler.268.D269.155126400821812.notifdone@bugs.devuan.org>
In-Reply-To: <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr>
References: <20190227103941.urykatbuoz26mnoa@katolaz.homeunix.net> <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr>
X-Devuan-PR-Message: they-closed 268
X-Devuan-PR-Package: policykit-1
X-Devuan-PR-Keywords: 
Reply-To: 268@bugs.devuan.org

This is an automatic notification regarding your bug report
#268: policykit-1: CVE-2018-19788,
which was filed against the policykit-1 package.

It has been closed by one of the developers, namely
KatolaZ <katolaz@freaknet.org>.

Their explanation is attached below.  If this explanation is
unsatisfactory and you have not received a better one in a separate
message then please contact the developer, by replying to this email.

Devuan Bugs Owner
(administrator, Devuan bugs database)


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Tue, 2 Jun 2020 02:39:02 UTC