Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 672578 (CVE-2018-19788) - <sys-auth/polkit-0.115-r2: Unprivileged users with UID > INT_MAX can successfully execute privileged operations
Summary: <sys-auth/polkit-0.115-r2: Unprivileged users with UID > INT_MAX can successf...
Alias: CVE-2018-19788
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa+ cve]
Depends on: CVE-2018-1116
  Show dependency tree
Reported: 2018-12-05 18:06 UTC by Vlad K.
Modified: 2019-08-15 15:55 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Vlad K. 2018-12-05 18:06:42 UTC
* CVE-2018-19788

  "A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a
  uid greater than INT_MAX to successfully execute any systemctl command."
  -- CVE listing

According to the original issue comments though, this vuln is not only about systemctl commands, but "any PK services".

Gentoo Security Scout
Vladimir Krstulja
Comment 2 Mike Gilbert gentoo-dev 2018-12-05 19:32:06 UTC
I suggest waiting a bit for this to be merged.
Comment 3 Craig Andrews gentoo-dev 2018-12-06 21:42:37 UTC
(In reply to Mike Gilbert from comment #2)
> I suggest waiting a bit for this to be merged.

That PR has been merged and is now closed.
Comment 4 Larry the Git Cow gentoo-dev 2018-12-06 23:11:45 UTC
The bug has been referenced in the following commit(s):

commit cf27a98f65a37ac7ed9086a08999aec70dc9dfbb
Author:     Mike Gilbert <>
AuthorDate: 2018-12-06 23:11:06 +0000
Commit:     Mike Gilbert <>
CommitDate: 2018-12-06 23:11:39 +0000

    sys-auth/polkit: backport fix for CVE-2018-19788
    Package-Manager: Portage-2.3.52_p8, Repoman-2.3.12_p20
    Signed-off-by: Mike Gilbert <>

 sys-auth/polkit/files/CVE-2018-19788.patch | 339 +++++++++++++++++++++++++++++
 sys-auth/polkit/polkit-0.115-r2.ebuild     | 142 ++++++++++++
 2 files changed, 481 insertions(+)
Comment 5 Mike Gilbert gentoo-dev 2018-12-06 23:12:23 UTC
Let's wait a couple days before stabilizing please.
Comment 6 Matt Turner gentoo-dev 2019-06-29 16:48:59 UTC
security@: ping
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:55:55 UTC
This issue was resolved and addressed in
 GLSA 201908-14 at
by GLSA coordinator Aaron Bauman (b-man).