Date: Tue, 27 Mar 2012 19:45:09 -0700
From: Tim Sammut <underling@...too.org>
To: oss-security@...ts.openwall.com
CC: security <security@...too.org>
Subject: CVE Request: PolicyKit change allows users in "wheel" group to become
 root without a password

Hi.

Please assign a CVE to this issue.

An intended change in PolicyKit [1] version 0.103 [2] allows users of
the "wheel" group to become root without providing the root password.
While this was intentional, we believe it presents a security concern
for our users [3].

[1]
http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9
[2]
http://www.mail-archive.com/polkit-devel@lists.freedesktop.org/msg00327.html
[3] https://bugs.gentoo.org/show_bug.cgi?id=401513

[4]
http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
[5] https://launchpad.net/ubuntu/+source/policykit-1/0.103-1

thank you
tim

-- 
Tim Sammut ~ Gentoo Security Team
underling@...too.org ~ C2375493

