Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 794052 (CVE-2021-3560)

Summary: <sys-auth/polkit-0.119: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)
Product: Gentoo Security Reporter: Hank Leininger <hlein>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: allenwebb, atoth, bertrand, freedesktop-bugs, jeff.gazso, sam
Priority: Normal Keywords: PullRequest
Version: unspecifiedFlags: nattka: sanity-check-
Hardware: All   
OS: Linux   
URL: https://marc.info/?l=oss-security&m=162272940507612&w=4
See Also: https://github.com/gentoo/gentoo/pull/25494
Whiteboard: B1 [glsa+ cve]
Package list:
sys-auth/polkit-0.119-r2
Runtime testing required: ---
Bug Depends on: 832075    
Bug Blocks:    

Description Hank Leininger 2021-06-03 16:07:11 UTC
From $URL:

"The vulnerability can be reliably used by an unprivileged local attacker
to bypass authorization and escalate permissions up to the root user."

There is a polkit issue URL, https://gitlab.freedesktop.org/polkit/polkit/-/issues/140, but that 404's.

polkit-0.119 was released an hour ago w/a fix.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-03 16:30:43 UTC
Thank you!
Comment 2 Hank Leininger 2021-06-03 16:59:54 UTC
(In reply to Sam James from comment #1)
> Thank you!

Welcome! I beat you for once, 9 times out of 10 when I check on a new vuln you've already created a bug for it ;)
Comment 3 Larry the Git Cow gentoo-dev 2021-06-03 17:57:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24b2771a8a9c131fbe598b9725f3e9e61247f131

commit 24b2771a8a9c131fbe598b9725f3e9e61247f131
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-06-03 17:56:58 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-06-03 17:57:39 +0000

    sys-auth/polkit: Security bump to version 0.119
    
    Bug: https://bugs.gentoo.org/794052
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-auth/polkit/Manifest            |   1 +
 sys-auth/polkit/polkit-0.119.ebuild | 131 ++++++++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-03 18:26:53 UTC
No, this isn't fixed yet.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-03 19:57:03 UTC
amd64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-03 19:57:29 UTC
x86 done
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2021-06-07 07:09:03 UTC
ppc64 stable
Comment 8 NATTkA bot gentoo-dev 2021-06-24 23:28:23 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-06-27 02:12:23 UTC Comment hidden (obsolete)
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-12 06:37:24 UTC
arm done
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-12 21:56:05 UTC
arm64 done

all arches done
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-13 00:14:30 UTC
Please cleanup.
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-13 00:16:41 UTC
GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-07-13 02:33:07 UTC
This issue was resolved and addressed in
 GLSA 202107-31 at https://security.gentoo.org/glsa/202107-31
by GLSA coordinator John Helmert III (ajak).
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-13 02:35:39 UTC
Reopening for cleanup
Comment 16 Larry the Git Cow gentoo-dev 2022-01-26 00:51:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77e50819c7c7c22dee5ee6b2e7538b3cfff789af

commit 77e50819c7c7c22dee5ee6b2e7538b3cfff789af
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-26 00:50:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-26 00:51:00 +0000

    sys-auth/polkit: backport CVE-2021-3560, CVE-2021-4043 patches to 0.117
    
    Needed for non-Rust arches like sparc.
    
    (Most users are on 0.120 and already fixed in previous commits.)
    
    Bug: https://bugs.gentoo.org/794052
    Bug: https://bugs.gentoo.org/832057
    Signed-off-by: Sam James <sam@gentoo.org>

 .../polkit/files/polkit-0.117-CVE-2021-3560.patch  |  29 +++++
 sys-auth/polkit/polkit-0.117-r3.ebuild             | 136 +++++++++++++++++++++
 2 files changed, 165 insertions(+)
Comment 17 NATTkA bot gentoo-dev 2022-02-05 20:48:47 UTC Comment hidden (obsolete)
Comment 18 Andreas Sturmlechner gentoo-dev 2022-02-05 20:52:14 UTC
Err... cleanup done in c0502be50e13cb62efd5c5fbb3e2cac255490e15.
Comment 19 NATTkA bot gentoo-dev 2022-02-05 20:57:22 UTC
Unable to check for sanity:

> no match for package: sys-auth/polkit-0.119-r2
Comment 20 Larry the Git Cow gentoo-dev 2022-05-15 22:12:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76caeda5c0ae4a7045d321f32ef95e31722434dd

commit 76caeda5c0ae4a7045d321f32ef95e31722434dd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-15 05:17:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-15 22:09:39 +0000

    sys-auth/polkit: drop 0.117-r3, 0.120-r3
    
    Bug: https://bugs.gentoo.org/794052
    Bug: https://bugs.gentoo.org/833574
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-auth/polkit/Manifest                           |   2 -
 sys-auth/polkit/files/polkit-0.115-elogind.patch   |  28 ---
 .../polkit/files/polkit-0.117-CVE-2021-3560.patch  |  29 ---
 ...lkit-0.118-make-netgroup-support-optional.patch | 248 ---------------------
 .../polkit/files/polkit-0.120-CVE-2021-4034.patch  |  72 ------
 .../polkit/files/polkit-0.120-CVE-2021-4115.patch  |  78 -------
 sys-auth/polkit/metadata.xml                       |   1 -
 sys-auth/polkit/polkit-0.117-r3.ebuild             | 136 -----------
 sys-auth/polkit/polkit-0.120-r3.ebuild             | 123 ----------
 9 files changed, 717 deletions(-)