| Summary: | polkit new security issue CVE-2021-4115 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK MGA8-32-OK | | |
| Source RPM: | polkit-0.118-1.2.mga8.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2022-02-18 18:52:05 CET
David Walser
2022-02-18 18:56:32 CET
Whiteboard: (none) => MGA8TOO

SRPM:
polkit-0.118-1.3.mga8.src.rpm

i586:
libpolkit1_0-0.118-1.3.mga8.i586.rpm
libpolkit1-devel-0.118-1.3.mga8.i586.rpm
libpolkit-gir1.0-0.118-1.3.mga8.i586.rpm
polkit-0.118-1.3.mga8.i586.rpm

x86_64:
lib64polkit1_0-0.118-1.3.mga8.x86_64.rpm
lib64polkit1-devel-0.118-1.3.mga8.x86_64.rpm
lib64polkit-gir1.0-0.118-1.3.mga8.x86_64.rpm
polkit-0.118-1.3.mga8.x86_64.rpm

Assignee: bugsquad => qa-bugs

Tested in a MGA8-64 Vbox Plasma guest. No installation issues.

Referred to Bug 16319 for testing procedure:

Made sure polkit was working before the update. After...

```
# systemctl status polkit
● polkit.service - Authorization Manager
     Loaded: loaded (/usr/lib/systemd/system/polkit.service; static)
     Active: active (running) since Sat 2022-02-19 10:35:19 EST; 2min 31s a>
       Docs: man:polkit(8)
   Main PID: 10064 (polkitd)
      Tasks: 6 (limit: 4695)
     Memory: 5.7M
        CPU: 132ms
     CGroup: /system.slice/polkit.service
             └─10064 /usr/lib/polkit-1/polkitd --no-debug

Feb 19 10:35:19 localhost.localdomain systemd[1]: Starting Authorization Ma>
Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Started polkitd versi>
Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Loading rules from di>
Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Loading rules from di>
Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Finished loading, com>
Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Acquired the name org>
Feb 19 10:35:19 localhost.localdomain systemd[1]: Started Authorization Man>
Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Registered Authentica>
```

Started MCC as a regular user, which prompted me for the root password. Looks good here.

Whiteboard: (none) => MGA8-64-OK

Tested in a MGA8-32 Xfce Vbox guest.

Did the same test as Comment 2, except that when I ran MCC I intentionally provided the wrong password. Polkit gave me a second chance, the correct password was provided, and MCC started.

Looks OK here, too. Validating.

Whiteboard: MGA8-64-OK => MGA8-64-OK MGA8-32-OK

Detailed advisory with PoC:
https://securitylab.github.com/advisories/GHSL-2021-077-polkit/

openSUSE has issued an advisory for this today (February 17):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/D6R7S5GYVKZ4LZLTJ5KNEDZRGJISXBAZ/

Fedora has issued an advisory for this on February 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KLISGPPFV5UH2W72SRUBNVWZWI7CWAAY/

Dave Hodgins
2022-02-22 19:54:51 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0080.html

Status: NEW => RESOLVED