Devuan bug report logs - #658
policykit-1: CVE-2021-4034

Package: policykit-1; Severity: critical; Reported by: Dimitris <dimitris@stinpriza.org>; Done: Mark Hindley <mark@hindley.org.uk>; Maintainer for policykit-1 is Devuan Dev Team <devuan-dev@lists.dyne.org>.
Marked as fixed in versions 0.105-31+devuan2. Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.devuan.org. Full text available.
Marked as fixed in versions 0.105-25+devuan9. Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.devuan.org. Full text available.
Marked as fixed in versions 0.105-25+devuan0~bpo2+2. Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.devuan.org. Full text available.

Message received at 658-done@bugs.devuan.org:


Received: (at 658-done) by bugs.devuan.org; 26 Jan 2022 13:09:03 +0000
Return-Path: <mark@hindley.org.uk>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Wed, 26 Jan 2022 13:09:03 +0000 (UTC)
Received: from mx.hindley.org.uk (193-36-131-86.cfwn.uk [193.36.131.86])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.dyne.org (Postfix) with ESMTPS id 9DC7B6617D5
	for <658-done@bugs.devuan.org>; Wed, 26 Jan 2022 14:07:47 +0100 (CET)
Received: from apollo.hindleynet ([192.168.1.3] helo=hindley.org.uk)
	by mx.hindley.org.uk with smtp (Exim 4.84_2)
	(envelope-from <mark@hindley.org.uk>)
	id 1nCi1Z-0002UQ-2J; Wed, 26 Jan 2022 13:07:45 +0000
Received: (nullmailer pid 19532 invoked by uid 1000);
	Wed, 26 Jan 2022 13:07:44 -0000
Date: Wed, 26 Jan 2022 13:07:44 +0000
From: Mark Hindley <mark@hindley.org.uk>
To: Dimitris <dimitris@stinpriza.org>, 658-done@bugs.devuan.org
Subject: Re: bug#658: policykit-1: CVE-2021-4034
Message-ID: <YfFHoBAYS5u30+hO@hindley.org.uk>
References: <40c391db-619c-579c-c077-3360f12400d3@stinpriza.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <40c391db-619c-579c-c077-3360f12400d3@stinpriza.org>
X-Debbugs-No-Ack: No Thanks
X-Spam-Status: No, score=0.4 required=5.0 tests=RDNS_DYNAMIC,SPF_PASS,
	URIBL_BLOCKED autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.dyne.org

Version: 0.105-31.1+devuan1

Dimitris,

On Wed, Jan 26, 2022 at 12:24:28PM +0200, Dimitris wrote:
> Package: policykit-1
> Version: 0.105-31+devuan1
> Severity: critical
> Tags: security
> Justification: root security hole
> X-Debbugs-Cc: dimitris@stinpriza.org

Updated binaries are already in unstable, daedalus, chimaera-security and
beowulf-security. Ascii-security is building.

Mark

Notification sent to Dimitris <dimitris@stinpriza.org>:
bug acknowledged by developer. Full text available.
Reply sent to Mark Hindley <mark@hindley.org.uk>:
You have taken responsibility. Full text available.

Message received at 658@bugs.devuan.org:


Received: (at 658) by bugs.devuan.org; 26 Jan 2022 12:10:34 +0000
Return-Path: <dimitris@stinpriza.org>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Wed, 26 Jan 2022 12:10:34 +0000 (UTC)
Received: from cacofonix.stinpriza.org (cacofonix.stinpriza.org [148.251.45.81])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.dyne.org (Postfix) with ESMTPS id 458646617E8
	for <658@bugs.devuan.org>; Wed, 26 Jan 2022 13:10:15 +0100 (CET)
Authentication-Results: mail.dyne.org;
	dkim=pass (2048-bit key; unprotected) header.d=stinpriza.org header.i=@stinpriza.org header.b="M8MFf+aF";
	dkim-atps=neutral
Received: from [192.168.0.102] (unknown [45.153.183.197])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by cacofonix.stinpriza.org (Postfix) with ESMTPSA id 52E8F2A42F3B
	for <658@bugs.devuan.org>; Wed, 26 Jan 2022 14:10:14 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=stinpriza.org; s=mail;
	t=1643199014; bh=9syBQPccdp+5g5Yje5YpE34XUgMz3yFR2xmnh0fn++s=;
	h=Date:To:References:From:Subject:In-Reply-To:From;
	b=M8MFf+aFdzcpVKBKw3JmD09TwgcxK7WhLKOlvHHWmcqwkhuWI976i28XLsZ+NHyto
	 KwXYhZbZgVoh56GfelZoyg5qxFpLel0iK4JBhJpF1LMs1sboe5gH+E1IU+JkKNmBAh
	 bVokHPXwfwpKCHsfMyMYajTMEw9r4MSglPJS24GccuuZFd/fcsQg+O09a8oBQ1IwHQ
	 xxhSdO49BF4/Jq3Nz/7Grb0Cl6vBfqGo6tDXI6jSN6eofNwV0uIOhcO5VR4BVdEdaX
	 1DUuhn41xht3uwGmbNyI8Z3qA6J36bDq7crtItuQ0Lk7q6EcavmkRBPCWQs2u9fOSq
	 2pc5UYMJcUoJg==
Message-ID: <742bab9b-329d-7919-c4c7-913fc9423f92@stinpriza.org>
Date: Wed, 26 Jan 2022 14:10:13 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.5.1
To: 658@bugs.devuan.org
References: <40c391db-619c-579c-c077-3360f12400d3@stinpriza.org>
 <40c391db-619c-579c-c077-3360f12400d3@stinpriza.org>
Content-Language: en-US
From: Dimitris <dimitris@stinpriza.org>
Subject: Re: policykit-1: CVE-2021-4034
In-Reply-To: <40c391db-619c-579c-c077-3360f12400d3@stinpriza.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.11 (cacofonix.stinpriza.org [0.0.0.0]); Wed, 26 Jan 2022 14:10:14 +0200 (EET)
X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,SPF_PASS,
	URIBL_BLOCKED autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.dyne.org

seems a new version (0.105-31.1+devuan1) just came in ceres, which 
merges debian/0.105-31.1, so this is probably fixed for daedalus/ceres!

leaving it open, so you can confirm security fix & close as you think.

thanks!
d.

Acknowledgement sent to Dimitris <dimitris@stinpriza.org>:
Extra info received and forwarded to list. Copy sent to Devuan Dev Team <devuan-dev@lists.dyne.org>. Full text available.
Information forwarded to devuan-bugs@lists.dyne.org, Devuan Dev Team <devuan-dev@lists.dyne.org>:
bug#658; Package policykit-1. Full text available.

Message received at submit@bugs.devuan.org:


Received: (at submit) by bugs.devuan.org; 26 Jan 2022 10:25:35 +0000
Return-Path: <dimitris@stinpriza.org>
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Wed, 26 Jan 2022 10:25:35 +0000 (UTC)
Received: from cacofonix.stinpriza.org (cacofonix.stinpriza.org [148.251.45.81])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.dyne.org (Postfix) with ESMTPS id 562386617D6
	for <submit@bugs.devuan.org>; Wed, 26 Jan 2022 11:24:31 +0100 (CET)
Authentication-Results: mail.dyne.org;
	dkim=pass (2048-bit key; unprotected) header.d=stinpriza.org header.i=@stinpriza.org header.b="dWMmA0AS";
	dkim-atps=neutral
Received: from [192.168.0.102] (unknown [45.153.183.197])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by cacofonix.stinpriza.org (Postfix) with ESMTPSA id 0D0B32A42F31
	for <submit@bugs.devuan.org>; Wed, 26 Jan 2022 12:24:29 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=stinpriza.org; s=mail;
	t=1643192670; bh=FZxlfPOwbgQpABLC9Mo7GDP1x2d2YcDISmp/X7oakt4=;
	h=Date:To:From:Subject:From;
	b=dWMmA0ASZzzgkJ0J99tShgbE8oe41DMxochT9hXgDcnyxZ7/BDGQgd4442XfR3tHF
	 jMMiWCtdXzHGanCnA1yCg1dDVr6tQDcGbilD39GJotS3354g/3TFj7iVeskuLi7EeZ
	 zoRUODjymee+A9pXYkO+YwNTahlD0WTQlLRtogQI3PU03t6GhA/cy5sxv61kFLGFc6
	 UZFsYL5hs/jcrOTl+6QOueZvkZtiR8aNsIgJq2RiEJ0v3jDHuAcB8YMnP3T+WxweFR
	 QmGl2euzMihNvWR0FTTckPk6a8yKtAi3d9J0WVhzJYSW8JGanyMcK5D5WC4Z05JyUY
	 Pic0ukiZxSOLQ==
Message-ID: <40c391db-619c-579c-c077-3360f12400d3@stinpriza.org>
Date: Wed, 26 Jan 2022 12:24:28 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.5.1
Content-Language: en-US
To: Devuan Bug Tracking System <submit@bugs.devuan.org>
From: Dimitris <dimitris@stinpriza.org>
Subject: policykit-1: CVE-2021-4034
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.11 (cacofonix.stinpriza.org [0.0.0.0]); Wed, 26 Jan 2022 12:24:30 +0200 (EET)
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_PASS,URIBL_BLOCKED
	autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.dyne.org

Package: policykit-1
Version: 0.105-31+devuan1
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: dimitris@stinpriza.org

hey,

just a heads up on a very recent vulnerability found in polkit. a Local 
Privilege Escalation in polkit's pkexec (CVE-2021-4034). fixed in some 
versions in debian, probably devuan needs to address this too.

links :
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
https://security-tracker.debian.org/tracker/CVE-2021-4034

thanks in advance,
d.


-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 5 (daedalus/ceres)
Release:	5
Codename:	daedalus ceres
Architecture: x86_64

Kernel: Linux 5.16.2-xanmod1 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8), LANGUAGE 
not set
Shell: /bin/sh linked to /bin/dash
Init: runit (via /run/runit.stopit)
LSM: AppArmor: enabled

Versions of packages policykit-1 depends on:
ii  dbus                                                   1.12.20-3+devuan3
ii  libc6                                                  2.33-4
ii  libelogind0                                            246.10-3
ii  libexpat1                                              2.4.3-2
ii  libglib2.0-0                                           2.70.2-1
ii  libpam-elogind [logind]                                246.10-3
ii  libpam0g                                               1.4.0-11
ii  libpolkit-agent-1-0                                    0.105-31+devuan1
ii  libpolkit-gobject-1-0                                  0.105-31+devuan1
ii  libpolkit-gobject-elogind-1-0 [libpolkit-gobject-1-0]  0.105-31+devuan1

Versions of packages policykit-1 recommends:
ii  lxpolkit [polkit-1-auth-agent]           0.5.5-2+b1
ii  policykit-1-gnome [polkit-1-auth-agent]  0.105-7+b1

policykit-1 suggests no packages.

Versions of packages policykit-1 is related to:
ii  elogind                          246.10-3
ii  libpam-elogind [libpam-systemd]  246.10-3
pn  systemd                          <none>

-- no debconf information

Acknowledgement sent to Dimitris <dimitris@stinpriza.org>:
New bug report received and forwarded. Copy sent to dimitris@stinpriza.org, Devuan Dev Team <devuan-dev@lists.dyne.org>. Full text available.
Report forwarded to devuan-bugs@lists.dyne.org, dimitris@stinpriza.org, Devuan Dev Team <devuan-dev@lists.dyne.org>:
bug#658; Package policykit-1. Full text available.

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Tue, 17 May 2022 18:39:02 UTC