A security issue in polkit has been announced on February 17: https://www.openwall.com/lists/oss-security/2022/02/18/1 https://bugzilla.redhat.com/show_bug.cgi?id=2007534 I don't think the fix is public yet. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
SRPM: polkit-0.118-1.3.mga8.src.rpm i586: libpolkit1_0-0.118-1.3.mga8.i586.rpm libpolkit1-devel-0.118-1.3.mga8.i586.rpm libpolkit-gir1.0-0.118-1.3.mga8.i586.rpm polkit-0.118-1.3.mga8.i586.rpm x86_64: lib64polkit1_0-0.118-1.3.mga8.x86_64.rpm lib64polkit1-devel-0.118-1.3.mga8.x86_64.rpm lib64polkit-gir1.0-0.118-1.3.mga8.x86_64.rpm polkit-0.118-1.3.mga8.x86_64.rpm
Assignee: bugsquad => qa-bugsWhiteboard: MGA8TOO => (none)Version: Cauldron => 8
Tested in a MGA8-64 Vbox Plasma guest. No installation issues. Referred to Bug 16319 for testing procedure: Made sure polkit was working before the update. After... # systemctl status polkit ● polkit.service - Authorization Manager Loaded: loaded (/usr/lib/systemd/system/polkit.service; static) Active: active (running) since Sat 2022-02-19 10:35:19 EST; 2min 31s a> Docs: man:polkit(8) Main PID: 10064 (polkitd) Tasks: 6 (limit: 4695) Memory: 5.7M CPU: 132ms CGroup: /system.slice/polkit.service └─10064 /usr/lib/polkit-1/polkitd --no-debug Feb 19 10:35:19 localhost.localdomain systemd[1]: Starting Authorization Ma> Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Started polkitd versi> Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Loading rules from di> Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Loading rules from di> Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Finished loading, com> Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Acquired the name org> Feb 19 10:35:19 localhost.localdomain systemd[1]: Started Authorization Man> Feb 19 10:35:19 localhost.localdomain polkitd[10064]: Registered Authentica> Started MCC as a regular user, which prompted me for the root password. Looks good here.
Whiteboard: (none) => MGA8-64-OKCC: (none) => andrewsfarm
Tested in a MGA8-32 Xfce Vbox guest. Did the same test as Comment 2, except that when I ran MCC I intentionally provided the wrong password. Polkit gave me a second chance, the correct password was provided, and MCC started. Looks OK here, too. Validating.
Whiteboard: MGA8-64-OK => MGA8-64-OK MGA8-32-OKCC: (none) => sysadmin-bugsKeywords: (none) => validated_update
Detailed advisory with PoC: https://securitylab.github.com/advisories/GHSL-2021-077-polkit/
openSUSE has issued an advisory for this today (February 17): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/D6R7S5GYVKZ4LZLTJ5KNEDZRGJISXBAZ/
Fedora has issued an advisory for this on February 19: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KLISGPPFV5UH2W72SRUBNVWZWI7CWAAY/
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0080.html
Status: NEW => RESOLVEDResolution: (none) => FIXED