Bug 23940 - polkit new security issues CVE-2018-19788 and CVE-2019-6133
Summary: polkit new security issues CVE-2018-19788 and CVE-2019-6133
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: Nicolas Lécureuil
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 23297
  Show dependency treegraph
 
Reported: 2018-12-04 14:05 CET by David Walser
Modified: 2019-11-06 13:47 CET (History)
6 users (show)

See Also:
Source RPM: polkit-0.115-2.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-12-04 14:05:20 CET 
A security issue in PolicyKit has been announced on December 3:
https://www.openwall.com/lists/oss-security/2018/12/03/2

Mageia 6 is also affected.
David Walser 2018-12-04 14:05:29 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-12-05 21:34:15 CET 
Assiging to the registered maintainer, CC'ing some committers.

Assignee: bugsquad => mageia
CC: (none) => marja11, olav, thierry.vignaud, tmb

Comment 2 David Walser 2018-12-25 21:09:20 CET 
Fedora has issued an advisory for this on December 10:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/REIH5N4DZK6SAF7PAQQUZG2XCLUV34WV/

Blocks: (none) => 23297
Severity: normal => major

Comment 3 David GEIGER 2018-12-26 10:04:01 CET 
Upstream patch added in Cauldron!

CC: (none) => geiger.david68210

Comment 4 David Walser 2018-12-26 16:10:16 CET 
Fixed by David in polkit-0.115-3.mga7.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 5 David Walser 2019-01-15 02:37:08 CET 
openSUSE has issued an advisory for this on January 11:
https://lists.opensuse.org/opensuse-updates/2019-01/msg00010.html
Comment 7 David Walser 2019-02-01 19:08:39 CET 
(In reply to David Walser from comment #6)
> Fedora has issued an advisory on January 13:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/HRJ5WATXFNBBCT5JJHNDLF7VEYULG7QX/
> 
> It fixes yet another issue:
> https://gitlab.freedesktop.org/polkit/polkit/issues/75
> https://bugs.chromium.org/p/project-zero/issues/detail?id=1692
> 
> Patch added in Cauldron.

This is CVE-2019-6133.

RedHat has issued an advisory for this on January 31:
https://access.redhat.com/errata/RHSA-2019:0230

Summary: polkit new security issue CVE-2018-19788 => polkit new security issues CVE-2018-19788 and CVE-2019-6133
Severity: major => critical

Comment 8 David Walser 2019-04-22 23:09:07 CEST 
Ubuntu has issued an advisory for CVE-2019-6133 on April 3:
https://usn.ubuntu.com/3934-1/
Comment 9 David Walser 2019-08-12 20:31:17 CEST 
RedHat has issued an advisory for CVE-2018-19788 on August 6:
https://access.redhat.com/errata/RHSA-2019:2046
Comment 10 Mike Rambo 2019-11-06 13:47:07 CET 
Mageia 6 is EOL.

Status: NEW => RESOLVED
Resolution: (none) => OLD
CC: (none) => mrambo
Note You need to log in before you can comment on or make changes to this bug.