"A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a
uid greater than INT_MAX to successfully execute any systemctl command."
-- CVE listing
According to the original issue comments though, this vuln is not only about systemctl commands, but "any PK services".
Gentoo Security Scout
Also, upstream has a patch:
I suggest waiting a bit for this to be merged.
(In reply to Mike Gilbert from comment #2)
> I suggest waiting a bit for this to be merged.
That PR has been merged and is now closed.
The bug has been referenced in the following commit(s):
Author: Mike Gilbert <email@example.com>
AuthorDate: 2018-12-06 23:11:06 +0000
Commit: Mike Gilbert <firstname.lastname@example.org>
CommitDate: 2018-12-06 23:11:39 +0000
sys-auth/polkit: backport fix for CVE-2018-19788
Package-Manager: Portage-2.3.52_p8, Repoman-2.3.12_p20
Signed-off-by: Mike Gilbert <email@example.com>
sys-auth/polkit/files/CVE-2018-19788.patch | 339 +++++++++++++++++++++++++++++
sys-auth/polkit/polkit-0.115-r2.ebuild | 142 ++++++++++++
2 files changed, 481 insertions(+)
Let's wait a couple days before stabilizing please.
This issue was resolved and addressed in
GLSA 201908-14 at https://security.gentoo.org/glsa/201908-14
by GLSA coordinator Aaron Bauman (b-man).