X-Loop: [email protected] Subject: bug#269: policykit-1: CVE-2018-19788 Reply-To: Berbe <[email protected]>, [email protected] Resent-From: Berbe <[email protected]> Resent-To: [email protected] Resent-CC: [email protected] Resent-Date: Sat, 08 Dec 2018 09:40:03 UTC Resent-Message-ID: <[email protected]> Resent-Sender: [email protected] X-Devuan-PR-Message: report 269 X-Devuan-PR-Package: policykit-1 X-Devuan-PR-Keywords: Received: via spool by [email protected] id=B.154420463918042 (code B ref -1); Sat, 08 Dec 2018 09:40:03 UTC Received: (at submit) by bugs.devuan.org; 7 Dec 2018 17:43:59 +0000 Delivered-To: [email protected] Received: from tupac3.dyne.org [195.169.149.119] by fulcanelli with IMAP (fetchmail-6.3.26) for <debbugs@localhost> (single-drop); Fri, 07 Dec 2018 18:43:59 +0100 (CET) Received: from mail.rosset.net (rosset.net [62.210.209.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 2837BF6093F for <[email protected]>; Fri, 7 Dec 2018 18:41:09 +0100 (CET) Authentication-Results: vm6.ganeti.dyne.org; dkim=pass (1024-bit key; unprotected) header.d=rosset.net [email protected] header.b="w5T9rg5y"; dkim-atps=neutral Received: by mail.rosset.net (Postfix, from userid 1000) id B6C2DE0279; Fri, 7 Dec 2018 18:41:08 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=rosset.net; s=NetNeutrality; t=1544204468; bh=Qh2OhVEyGD+yxbVNHnJqf32+SUjphhhTnfoF6byME0E=; h=From:To:Subject:Date:From; b=w5T9rg5yEFFmx2XrRekDJMB5hWOh0kIZ+nl9pbmupwIQUADrvIi8UC89aIoPBszD8 eWnzJ2b9V28vdVkkkUIbSN7VeYZgk9xniNPjD3j8PK70OzZrNmrXY68Us0jA/EZD/C Jl5dGa4OJeWOZXdCcEwz6kAMLdKLRF65W3A7sgQA= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Berbe <[email protected]> To: Devuan Bug Tracking System <[email protected]> Message-ID: <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr> X-Mailer: reportbug 7.1.6+devuan2.1 Date: Fri, 07 Dec 2018 18:41:08 +0100 X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org Package: policykit-1 Version: 0.105-18+devuan2.11 Severity: critical Dear Maintainer, Following CVE-2018-19788, it seems the current stable 0.105-18+devuan2.11 is susceptible to the bug in policykit-1 package from upstream, allowing any user with UID > INT_MAX to have access to root commands: 1. service nginx status -bash: service: command not found 2. sudo useradd -u 4000000000 test 3. sudo -u test service nginx status nginx is running. -- System Information: Distributor ID: Devuan Description: Devuan GNU/Linux 9 (n/a) Release: 9 Codename: n/a Architecture: x86_64 Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages policykit-1 depends on: ii dbus 1.10.26-0+deb9u1 ii libc6 2.24-11+deb9u3 ii libglib2.0-0 2.50.3-2 ii libpam0g 1.1.8-3.6 ii libpolkit-agent-1-0 0.105-18+devuan2.11 ii libpolkit-backend-1-0 0.105-18+devuan2.11 ii libpolkit-gobject-1-0 0.105-18+devuan2.11 policykit-1 recommends no packages. policykit-1 suggests no packages. -- no debconf information
X-Loop: [email protected] From: [email protected] (Devuan bug Tracking System) To: Berbe <[email protected]> Subject: bug#269: Acknowledgement (policykit-1: CVE-2018-19788) Message-ID: <[email protected]> In-Reply-To: <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr> References: <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr> Precedence: bulk X-Devuan-PR-Message: ack 269 X-Devuan-PR-Package: policykit-1 X-Devuan-PR-Keywords: Reply-To: [email protected] Thank you for the problem report you have sent regarding Devuan. This is an automatically generated reply, to let you know your message has been received. It is being forwarded to the developers mailing list for their attention; they will reply in due course. Your message has been sent to the package maintainer(s): [email protected] If you wish to submit further information on your problem, please send it to [email protected] (and *not* to [email protected]). Please do not reply to the address at the top of this message, unless you wish to report a problem with the bug-tracking system. Devuan Bugs Owner (administrator, Devuan bugs database)
Received: (at control) by bugs.devuan.org; 8 Dec 2018 09:42:44 +0000 Return-Path: <[email protected]> Delivered-To: [email protected] Received: from tupac3.dyne.org [195.169.149.119] by fulcanelli with IMAP (fetchmail-6.3.26) for <debbugs@localhost> (single-drop); Sat, 08 Dec 2018 10:42:44 +0100 (CET) Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: [email protected]) with ESMTPSA id 38695F60A31 Date: Sat, 8 Dec 2018 10:45:26 +0100 From: KatolaZ <[email protected]> To: [email protected] Subject: merge Message-ID: <[email protected]> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: NeoMutt/20170113 (1.7.2) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org merge 268 269 quit done
X-Loop: [email protected] Subject: bug#269: mmhhh Reply-To: KatolaZ <[email protected]>, [email protected] Resent-From: KatolaZ <[email protected]> Resent-To: [email protected] Resent-CC: [email protected] Resent-Date: Sat, 08 Dec 2018 09:59:47 UTC Resent-Message-ID: <[email protected]> Resent-Sender: [email protected] X-Devuan-PR-Message: report 269 X-Devuan-PR-Package: policykit-1 X-Devuan-PR-Keywords: Received: via spool by [email protected] id=B269.154426318019790 (code B ref 269); Sat, 08 Dec 2018 09:59:47 UTC Received: (at 269) by bugs.devuan.org; 8 Dec 2018 09:59:40 +0000 Delivered-To: [email protected] Received: from tupac3.dyne.org [195.169.149.119] by fulcanelli with IMAP (fetchmail-6.3.26) for <debbugs@localhost> (single-drop); Sat, 08 Dec 2018 10:59:40 +0100 (CET) Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: [email protected]) with ESMTPSA id 00210F60A4D Date: Sat, 8 Dec 2018 10:58:35 +0100 From: KatolaZ <[email protected]> To: [email protected] Message-ID: <[email protected]> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: NeoMutt/20170113 (1.7.2) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org [Reported here due to a glitch with #268] There is no need to become root in order to use `service`: $ /usr/sbin/service nginx status [ ok ] nginx is running. $ Even with a user with id larger than 4000000000: $ sudo -u testpolkit /usr/sbin/service nginx stop [....] Stopping nginx: nginxstart-stop-daemon: warning: failed to kill 2509: Operation not permitted . ok $ That's because sudo does *not* use policykit to test user privileges (rather, it uses its own config files). So maybe this is not applicable in this case? HND KatolaZ
X-Loop: [email protected] From: [email protected] (Devuan bug Tracking System) To: KatolaZ <[email protected]> Subject: bug#269: Info received (was mmhhh) Message-ID: <[email protected]> In-Reply-To: <[email protected]> References: <[email protected]> Precedence: bulk X-Devuan-PR-Message: ack-info 269 X-Devuan-PR-Package: policykit-1 X-Devuan-PR-Keywords: Disabled-Doogie-Reply-To: [email protected] Thank you for the additional information you have supplied regarding this problem report. It has been forwarded to the developer(s) and to the developers mailing list to accompany the original report. Your message has been sent to the package maintainer(s): [email protected] If you wish to continue to submit further information on your problem, please send it to [email protected], as before. Please do not reply to the address at the top of this message, unless you wish to report a problem with the bug-tracking system. Devuan Bugs Owner (administrator, Devuan bugs database)
X-Loop: [email protected] From: [email protected] (Devuan bug Tracking System) To: KatolaZ <[email protected]> Cc: [email protected] Subject: bug#269: marked as done (policykit-1: CVE-2018-19788) Message-ID: <[email protected]> In-Reply-To: <[email protected]> References: <[email protected]> <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr> Precedence: bulk X-Devuan-PR-Message: closed 269 X-Devuan-PR-Package: policykit-1 X-Devuan-PR-Keywords: Your message dated Wed, 27 Feb 2019 11:39:41 +0100 with message-id <[email protected]> and subject line solved in beowulf has caused the attached bug report to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Devuan Bugs Owner (administrator, Devuan bugs database) -------------------------------------- Received: (at submit) by bugs.devuan.org; 7 Dec 2018 17:43:59 +0000 Return-Path: <[email protected]> Delivered-To: [email protected] Received: from tupac3.dyne.org [195.169.149.119] by fulcanelli with IMAP (fetchmail-6.3.26) for <debbugs@localhost> (single-drop); Fri, 07 Dec 2018 18:43:59 +0100 (CET) Received: from mail.rosset.net (rosset.net [62.210.209.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 2837BF6093F for <[email protected]>; Fri, 7 Dec 2018 18:41:09 +0100 (CET) Authentication-Results: vm6.ganeti.dyne.org; dkim=pass (1024-bit key; unprotected) header.d=rosset.net [email protected] header.b="w5T9rg5y"; dkim-atps=neutral Received: by mail.rosset.net (Postfix, from userid 1000) id B6C2DE0279; Fri, 7 Dec 2018 18:41:08 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=rosset.net; s=NetNeutrality; t=1544204468; bh=Qh2OhVEyGD+yxbVNHnJqf32+SUjphhhTnfoF6byME0E=; h=From:To:Subject:Date:From; b=w5T9rg5yEFFmx2XrRekDJMB5hWOh0kIZ+nl9pbmupwIQUADrvIi8UC89aIoPBszD8 eWnzJ2b9V28vdVkkkUIbSN7VeYZgk9xniNPjD3j8PK70OzZrNmrXY68Us0jA/EZD/C Jl5dGa4OJeWOZXdCcEwz6kAMLdKLRF65W3A7sgQA= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Berbe <[email protected]> To: Devuan Bug Tracking System <[email protected]> Subject: policykit-1: CVE-2018-19788 Message-ID: <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr> X-Mailer: reportbug 7.1.6+devuan2.1 Date: Fri, 07 Dec 2018 18:41:08 +0100 X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,SPF_PASS autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org Package: policykit-1 Version: 0.105-18+devuan2.11 Severity: critical Dear Maintainer, Following CVE-2018-19788, it seems the current stable 0.105-18+devuan2.11 is susceptible to the bug in policykit-1 package from upstream, allowing any user with UID > INT_MAX to have access to root commands: 1. service nginx status -bash: service: command not found 2. sudo useradd -u 4000000000 test 3. sudo -u test service nginx status nginx is running. -- System Information: Distributor ID: Devuan Description: Devuan GNU/Linux 9 (n/a) Release: 9 Codename: n/a Architecture: x86_64 Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages policykit-1 depends on: ii dbus 1.10.26-0+deb9u1 ii libc6 2.24-11+deb9u3 ii libglib2.0-0 2.50.3-2 ii libpam0g 1.1.8-3.6 ii libpolkit-agent-1-0 0.105-18+devuan2.11 ii libpolkit-backend-1-0 0.105-18+devuan2.11 ii libpolkit-gobject-1-0 0.105-18+devuan2.11 policykit-1 recommends no packages. policykit-1 suggests no packages. -- no debconf information --------------------------------------- Received: (at 269-done) by bugs.devuan.org; 27 Feb 2019 10:40:08 +0000 Return-Path: <[email protected]> Delivered-To: [email protected] Received: from tupac3.dyne.org [195.169.149.119] by fulcanelli with IMAP (fetchmail-6.3.26) for <debbugs@localhost> (single-drop); Wed, 27 Feb 2019 11:40:08 +0100 (CET) Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: [email protected]) with ESMTPSA id 61C9AF604C4 Date: Wed, 27 Feb 2019 11:39:41 +0100 From: KatolaZ <[email protected]> To: [email protected] Subject: solved in beowulf Message-ID: <[email protected]> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vcy6cimoko4p6jrk" Content-Disposition: inline User-Agent: NeoMutt/20170113 (1.7.2) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org --vcy6cimoko4p6jrk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline This has been solved in policykit-0.105-25+devuan1, available in beowulf and ceres. Closing. --vcy6cimoko4p6jrk Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQSOWdaqRF79tKFTPVpfILOuC18GLwUCXHZo7QAKCRBfILOuC18G L4pkAJ9woTAlntVgxQ7dm4xlGv8/2OVHKwCeLCLHNeynWA/LJjVKmHMGnSnU7Gs= =yH5+ -----END PGP SIGNATURE----- --vcy6cimoko4p6jrk--
X-Loop: [email protected] From: [email protected] (Devuan bug Tracking System) To: Berbe <[email protected]> Subject: bug#269 acknowledged by developer (solved in beowulf) Message-ID: <[email protected]> In-Reply-To: <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr> References: <[email protected]> <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr> X-Devuan-PR-Message: they-closed 269 X-Devuan-PR-Package: policykit-1 X-Devuan-PR-Keywords: Reply-To: [email protected] This is an automatic notification regarding your bug report #269: policykit-1: CVE-2018-19788, which was filed against the policykit-1 package. It has been closed by one of the developers, namely KatolaZ <[email protected]>. Their explanation is attached below. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact the developer, by replying to this email. Devuan Bugs Owner (administrator, Devuan bugs database) Received: (at 269-done) by bugs.devuan.org; 27 Feb 2019 10:40:08 +0000 Return-Path: <[email protected]> Delivered-To: [email protected] Received: from tupac3.dyne.org [195.169.149.119] by fulcanelli with IMAP (fetchmail-6.3.26) for <debbugs@localhost> (single-drop); Wed, 27 Feb 2019 11:40:08 +0100 (CET) Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: [email protected]) with ESMTPSA id 61C9AF604C4 Date: Wed, 27 Feb 2019 11:39:41 +0100 From: KatolaZ <[email protected]> To: [email protected] Subject: solved in beowulf Message-ID: <[email protected]> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vcy6cimoko4p6jrk" Content-Disposition: inline User-Agent: NeoMutt/20170113 (1.7.2) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org --vcy6cimoko4p6jrk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline This has been solved in policykit-0.105-25+devuan1, available in beowulf and ceres. Closing. --vcy6cimoko4p6jrk Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQSOWdaqRF79tKFTPVpfILOuC18GLwUCXHZo7QAKCRBfILOuC18G L4pkAJ9woTAlntVgxQ7dm4xlGv8/2OVHKwCeLCLHNeynWA/LJjVKmHMGnSnU7Gs= =yH5+ -----END PGP SIGNATURE----- --vcy6cimoko4p6jrk--
Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.
Devuan Bugs Owner <[email protected]>.
Last modified:
Sun, 1 Dec 2024 00:39:02 UTC