Devuan bug report logs - #269
policykit-1: CVE-2018-19788

Package: policykit-1; Severity: critical; Reported by: Berbe <[email protected]>; merged with #268; Done: KatolaZ <[email protected]>; Maintainer for policykit-1 is Devuan Dev Team <[email protected]>.

Message received at [email protected]:

Date: Wed, 27 Feb 2019 11:39:41 +0100
From: KatolaZ <[email protected]>
To: [email protected]
Subject: solved in beowulf
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="vcy6cimoko4p6jrk"
Content-Disposition: inline
User-Agent: NeoMutt/20170113 (1.7.2)


--vcy6cimoko4p6jrk
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

This has been solved in policykit-0.105-25+devuan1, available in
beowulf and ceres. Closing.


--vcy6cimoko4p6jrk
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQSOWdaqRF79tKFTPVpfILOuC18GLwUCXHZo7QAKCRBfILOuC18G
L4pkAJ9woTAlntVgxQ7dm4xlGv8/2OVHKwCeLCLHNeynWA/LJjVKmHMGnSnU7Gs=
=yH5+
-----END PGP SIGNATURE-----

--vcy6cimoko4p6jrk--

Notification sent to Berbe <[email protected]>:
bug acknowledged by developer. Full text available.

Reply sent to KatolaZ <[email protected]>:
You have taken responsibility. Full text available.

Message received at [email protected]:

Date: Sat, 8 Dec 2018 10:58:35 +0100
From: KatolaZ <[email protected]>
To: [email protected]
Subject: mmhhh
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: NeoMutt/20170113 (1.7.2)

[Reported here due to a glitch with #268]

There is no need to become root in order to use `service`:

$ /usr/sbin/service nginx status
[ ok ] nginx is running.
$

Even with a user with id larger than 4000000000:

$ sudo -u testpolkit /usr/sbin/service nginx stop
[....] Stopping nginx: nginxstart-stop-daemon: warning: failed to kill 2509: Operation not permitted
. ok
$

That's because sudo does *not* use policykit to test user privileges
(rather, it uses its own config files). So maybe this is not
applicable in this case?

HND

KatolaZ

Acknowledgement sent to KatolaZ <[email protected]>:
Extra info received and forwarded to list. Copy sent to [email protected]. Full text available.

Information forwarded to [email protected], [email protected]:
bug#269; Package policykit-1. Full text available.

Merged 268 269. Request was from KatolaZ <[email protected]> to [email protected]. Full text available.

Message received at [email protected]:

Received: (at submit) by bugs.devuan.org; 7 Dec 2018 17:43:59 +0000
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from tupac3.dyne.org [195.169.149.119]
	by fulcanelli with IMAP (fetchmail-6.3.26)
	for <debbugs@localhost> (single-drop); Fri, 07 Dec 2018 18:43:59 +0100 (CET)
Received: from mail.rosset.net (rosset.net [62.210.209.186])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id 2837BF6093F
	for <[email protected]>; Fri,  7 Dec 2018 18:41:09 +0100 (CET)
Authentication-Results: vm6.ganeti.dyne.org;
	dkim=pass (1024-bit key; unprotected) header.d=rosset.net [email protected] header.b="w5T9rg5y";
	dkim-atps=neutral
Received: by mail.rosset.net (Postfix, from userid 1000)
	id B6C2DE0279; Fri,  7 Dec 2018 18:41:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=rosset.net;
	s=NetNeutrality; t=1544204468;
	bh=Qh2OhVEyGD+yxbVNHnJqf32+SUjphhhTnfoF6byME0E=;
	h=From:To:Subject:Date:From;
	b=w5T9rg5yEFFmx2XrRekDJMB5hWOh0kIZ+nl9pbmupwIQUADrvIi8UC89aIoPBszD8
	 eWnzJ2b9V28vdVkkkUIbSN7VeYZgk9xniNPjD3j8PK70OzZrNmrXY68Us0jA/EZD/C
	 Jl5dGa4OJeWOZXdCcEwz6kAMLdKLRF65W3A7sgQA=
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Berbe <[email protected]>
To: Devuan Bug Tracking System <[email protected]>
Subject: policykit-1: CVE-2018-19788
Message-ID: <154420446865.5084.8077177848613701893.reportbug@sd-49041.dedibox.fr>
X-Mailer: reportbug 7.1.6+devuan2.1
Date: Fri, 07 Dec 2018 18:41:08 +0100
X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,DKIM_VALID_EF,SPF_PASS autolearn=disabled version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tupac3.dyne.org

Package: policykit-1
Version: 0.105-18+devuan2.11
Severity: critical

Dear Maintainer,

Following CVE-2018-19788, it seems the current stable 0.105-18+devuan2.11 is susceptible to the bug in policykit-1 package from upstream, allowing any user with UID > INT_MAX to have access to root commands:

1. service nginx status
-bash: service: command not found
2. sudo useradd -u 4000000000 test
3. sudo -u test service nginx status
nginx is running.


-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 9 (n/a)
Release:	9
Codename:	n/a

Architecture: x86_64

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages policykit-1 depends on:
ii  dbus                   1.10.26-0+deb9u1
ii  libc6                  2.24-11+deb9u3
ii  libglib2.0-0           2.50.3-2
ii  libpam0g               1.1.8-3.6
ii  libpolkit-agent-1-0    0.105-18+devuan2.11
ii  libpolkit-backend-1-0  0.105-18+devuan2.11
ii  libpolkit-gobject-1-0  0.105-18+devuan2.11

policykit-1 recommends no packages.

policykit-1 suggests no packages.

-- no debconf information

Acknowledgement sent to Berbe <[email protected]>:
New bug report received and forwarded. Copy sent to [email protected]. Full text available.

Report forwarded to [email protected], [email protected]:
bug#269; Package policykit-1. Full text available.

Devuan bug report logs - #269 policykit-1: CVE-2018-19788

Message received at [email protected]:

Message received at [email protected]:

Message received at [email protected]:

Devuan bug report logs - #269
policykit-1: CVE-2018-19788