Summary: | <sys-auth/polkit-0.115-r2: Unprivileged users with UID > INT_MAX can successfully execute privileged operations | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Vlad K. <vk-gentoo-bugs> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | freedesktop-bugs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://gitlab.freedesktop.org/polkit/polkit/issues/74 | ||
See Also: | https://github.com/systemd/systemd/issues/11026 | ||
Whiteboard: | B1 [glsa+ cve] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 661470 | ||
Bug Blocks: | | ||
Description
Vlad K.
2018-12-05 18:06:42 UTC
Also, upstream has a patch: https://gitlab.freedesktop.org/zbyszek/polkit/commit/2cb40c4d5feeaa09325522bd7d97910f1b59e379

I suggest waiting a bit for this to be merged.

https://gitlab.freedesktop.org/polkit/polkit/merge_requests/14

(In reply to Mike Gilbert from comment #2)
> I suggest waiting a bit for this to be merged.
>
> https://gitlab.freedesktop.org/polkit/polkit/merge_requests/14

That PR has been merged and is now closed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf27a98f65a37ac7ed9086a08999aec70dc9dfbb

commit cf27a98f65a37ac7ed9086a08999aec70dc9dfbb
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2018-12-06 23:11:06 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2018-12-06 23:11:39 +0000

    sys-auth/polkit: backport fix for CVE-2018-19788

    Bug: https://bugs.gentoo.org/672578
    Package-Manager: Portage-2.3.52_p8, Repoman-2.3.12_p20
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-auth/polkit/files/CVE-2018-19788.patch | 339 +++++++++++++++++++++++++++++
 sys-auth/polkit/polkit-0.115-r2.ebuild     | 142 ++++++++++++
 2 files changed, 481 insertions(+)

Let's wait a couple days before stabilizing please.

security@: ping

This issue was resolved and addressed in GLSA 201908-14 at https://security.gentoo.org/glsa/201908-14 by GLSA coordinator Aaron Bauman (b-man).