Date: Tue, 27 Mar 2012 19:45:09 -0700
From: Tim Sammut <underling@...too.org>
To: oss-security@...ts.openwall.com
CC: security <security@...too.org>
Subject: CVE Request: PolicyKit change allows users in "wheel" group to become
 root without a password

Hi.

Please assign a CVE to this issue.

An intended change in PolicyKit [1] version 0.103 [2] allows users of
the "wheel" group to become root without providing the root password.
While this was intentional, we believe it presents a security concern
for our users [3].

[1]
http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9
[2]
http://www.mail-archive.com/polkit-devel@...ts.freedesktop.org/msg00327.html
[3] https://bugs.gentoo.org/show_bug.cgi?id=401513

[4]
http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
[5] https://launchpad.net/ubuntu/+source/policykit-1/0.103-1

thank you
tim

-- 
Tim Sammut ~ Gentoo Security Team
underling@...too.org ~ C2375493

