Bug 29076 - polkit new security issue CVE-2021-3560
Summary: polkit new security issue CVE-2021-3560
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-06-03 18:37 CEST by David Walser
Modified: 2021-06-08 23:46 CEST

See Also:
Source RPM: polkit-0.118-1.mga8.src.rpm
CVE: CVE-2021-3560
Status comment:



Description David Walser 2021-06-03 18:37:02 CEST
Red Hat has issued an advisory today (June 3):
https://access.redhat.com/errata/RHSA-2021:2238

The issue is fixed upstream in 0.119.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-06-03 18:37:19 CEST

Status comment: (none) => Fixed upstream in 0.119
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-06-03 20:43:45 CEST
Latest Cauldron version is 0.118.
Polkit is committed by different people, so assigning this update globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2021-06-04 00:06:43 CEST
patch added in cauldron/mga7/8

src:
    - polkit-0.116-1.1.mga7
    - polkit-0.118-1.1.mga8

Assignee: pkg-bugs => qa-bugs
CC: (none) => mageia
Status comment: Fixed upstream in 0.119 => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Comment 3 David Walser 2021-06-05 17:10:15 CEST
RPMS list:
polkit-0.116-1.1.mga7
libpolkit1_0-0.116-1.1.mga7
libpolkit-gir1.0-0.116-1.1.mga7
libpolkit1-devel-0.116-1.1.mga7
polkit-0.118-1.1.mga8
libpolkit1_0-0.118-1.1.mga8
libpolkit-gir1.0-0.118-1.1.mga8
libpolkit1-devel-0.118-1.1.mga8

Comment 4 Herman Viaene 2021-06-07 16:23:03 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 16319 for tests.
After installation:
# systemctl restart polkit
[root@mach5 ~]# systemctl -l status polkit
● polkit.service - Authorization Manager
   Loaded: loaded (/usr/lib/systemd/system/polkit.service; static; vendor preset: enabled)
   Active: active (running) since Mon 2021-06-07 16:18:12 CEST; 2s ago
     Docs: man:polkit(8)
 Main PID: 27868 (polkitd)
    Tasks: 9 (limit: 4915)
   Memory: 7.4M
   CGroup: /system.slice/polkit.service
           └─27868 /usr/lib/polkit-1/polkitd --no-debug

Jun 07 16:18:12 mach5.hviaene.thuis systemd[1]: Starting Authorization Manager...
Jun 07 16:18:12 mach5.hviaene.thuis polkitd[27868]: Started polkitd version 0.116
Jun 07 16:18:12 mach5.hviaene.thuis polkitd[27868]: Loading rules from directory /etc/polkit-1/rules.d
Jun 07 16:18:12 mach5.hviaene.thuis polkitd[27868]: Loading rules from directory /usr/share/polkit-1/rules.d
Jun 07 16:18:12 mach5.hviaene.thuis polkitd[27868]: Finished loading, compiling and executing 9 rules
Jun 07 16:18:12 mach5.hviaene.thuis systemd[1]: Started Authorization Manager.
Jun 07 16:18:12 mach5.hviaene.thuis polkitd[27868]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jun 07 16:18:12 mach5.hviaene.thuis polkitd[27868]: Registered Authentication Agent for unix-session:2 (system bus name :1.57 [/usr/libexec/polkit-kde-authentication->

and then
$ drakconf
Too late to run INIT block at /usr/lib64/perl5/vendor_perl/Glib/Object/Introspection.pm line 257.
Ignore the following Glib::Object::Introspection & Gtk3 warnings
Subroutine Gtk3::main redefined at /usr/share/perl5/vendor_perl/Gtk3.pm line 525.
GLib-LOG **: posix_spawn avoided (child_setup specified)  at /usr/lib64/perl5/vendor_perl/Glib/Object/Introspection.pm line 67.
GLib-LOG **: posix_spawn avoided (child_setup specified)  at /usr/lib64/perl5/vendor_perl/Glib/Object/Introspection.pm line 67.
Overriding existing handler for signal 10. Set JSC_SIGNAL_FOR_GC if you want WebKit to use a different signal
MCC works OK.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Aurelien Oudelet 2021-06-08 21:15:19 CEST
MGA8 Plasma 64

Using QARepo and packages list in Comment 3 for x86_64 arch:

To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "QA Testing (64-bit)")
  lib64polkit-gir1.0             0.118        1.1.mga8      x86_64  
  lib64polkit1_0                 0.118        1.1.mga8      x86_64  
  polkit                         0.118        1.1.mga8      x86_64

# systemctl restart polkit
# systemctl -l status polkit
● polkit.service - Authorization Manager
     Loaded: loaded (/usr/lib/systemd/system/polkit.service; static)
     Active: active (running) since Tue 2021-06-08 21:13:23 CEST; 22s ago
       Docs: man:polkit(8)
   Main PID: 175759 (polkitd)
      Tasks: 8 (limit: 19128)
     Memory: 5.7M
        CPU: 62ms
     CGroup: /system.slice/polkit.service
             └─175759 /usr/lib/polkit-1/polkitd --no-debug

juin 08 21:13:23 mageia.local systemd[1]: Starting Authorization Manager...
juin 08 21:13:23 mageia.local polkitd[175759]: Started polkitd version 0.118
juin 08 21:13:23 mageia.local polkitd[175759]: Loading rules from directory /etc/polkit-1/rules.d
juin 08 21:13:23 mageia.local polkitd[175759]: Loading rules from directory /usr/share/polkit-1/rules.d
juin 08 21:13:23 mageia.local polkitd[175759]: Finished loading, compiling and executing 10 rules
juin 08 21:13:23 mageia.local systemd[1]: Started Authorization Manager.
juin 08 21:13:23 mageia.local polkitd[175759]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
juin 08 21:13:23 mageia.local polkitd[175759]: Registered Authentication Agent for unix-session:c2 (system......

Running drakconf

OK.
Good to go.

CC: (none) => ouaurelien, sysadmin-bugs
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2021-3560

Comment 6 Aurelien Oudelet 2021-06-08 21:21:40 CEST
Advisory:
========================

Updated polkit packages fix a security vulnerability:

A flaw was found in polkit. When a requesting process disconnects from
dbus-daemon just before the call to polkit_system_bus_name_get_creds_sync
starts, the process cannot get a unique uid and pid of the process and it
cannot verify the privileges of the requesting process (CVE-2021-3560).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29076
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560
- https://access.redhat.com/errata/RHSA-2021:2238
========================

Updated packages in 7/core/updates_testing:
========================
polkit-0.116-1.1.mga7
lib(64)polkit1_0-0.116-1.1.mga7
lib(64)polkit-gir1.0-0.116-1.1.mga7
lib(64)polkit1-devel-0.116-1.1.mga7

from SRPM:
polkit-0.116-1.1.mga7
========================

Updated packages in 8/core/updates_testing:
========================
polkit-0.118-1.1.mga8
libpolkit1_0-0.118-1.1.mga8
libpolkit-gir1.0-0.118-1.1.mga8
libpolkit1-devel-0.118-1.1.mga8

from SRPM:
polkit-0.118-1.1.mga8

Comment 7 Mageia Robot 2021-06-08 23:46:31 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0244.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
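
Added example (not part of the bug report or of Mageia's tooling): the journal lines in Comments 4 and 5 show only the upstream version ("polkitd version 0.116"), which is the same before and after the patch, so the package release has to be compared with the fixed builds listed in Comment 3. The function name is hypothetical, and `sort -V` only approximates RPM's version ordering.

```sh
#!/bin/sh
# Added example: classify a polkit package build against the fixed builds
# named in this bug (polkit-0.116-1.1.mga7 and polkit-0.118-1.1.mga8).
# polkit_fix_status is a hypothetical helper, not a Mageia tool.

# polkit_fix_status NVR  ->  prints: fixed | vulnerable | unknown
# NVR is the string printed by `rpm -q polkit`, with or without the arch.
polkit_fix_status() {
    nvr=${1#polkit-}                      # drop the package name
    case $nvr in                          # drop an optional arch suffix
        *.x86_64|*.i586|*.aarch64|*.armv7hl) nvr=${nvr%.*} ;;
    esac
    dist=${nvr##*.}                       # distribution tag, e.g. mga7
    verrel=${nvr%.*}                      # version-release, e.g. 0.116-1.1

    case $dist in
        mga7) fixed=0.116-1.1 ;;          # fixed build from Comment 3
        mga8) fixed=0.118-1.1 ;;          # fixed build from Comment 3
        *)    echo unknown; return 0 ;;   # release not covered by this bug
    esac

    # GNU `sort -V` orders version strings. If the fixed build sorts first
    # (or the two are equal), the installed build is at least the fixed one.
    # Assumption: this matches RPM's ordering for these simple strings.
    lowest=$(printf '%s\n%s\n' "$fixed" "$verrel" | sort -V | head -n 1)
    if [ "$lowest" = "$fixed" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# On a real system:  polkit_fix_status "$(rpm -q polkit)"
# Constructed sample inputs (the -1 releases are the assumed pre-update builds):
for sample in polkit-0.116-1.mga7.x86_64 polkit-0.116-1.1.mga7.x86_64 \
              polkit-0.118-1.mga8.x86_64 polkit-0.118-1.1.mga8.x86_64; do
    printf '%s: %s\n' "$sample" "$(polkit_fix_status "$sample")"
done
```

A "fixed" result covers only the installed package; as in the QA steps above, polkit still has to be restarted so that the running polkitd is the updated binary.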