Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 27 Mar 2012 22:06:59 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Tim Sammut <underling@...too.org>, security <security@...too.org>
Subject: Re: CVE Request: PolicyKit change allows users in
 "wheel" group to become root without a password

On 03/27/2012 08:45 PM, Tim Sammut wrote:
> Hi.
> 
> Please assign a CVE to this issue.
> 
> An intended change in PolicyKit [1] version 0.103 [2] allows users
> of the "wheel" group to become root without providing the root
> password. While this was intentional, we believe it presents a
> security concern for our users [3].
> 
> [1] 
> http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9
>
> 
[2]
> http://www.mail-archive.com/polkit-devel@lists.freedesktop.org/msg00327.html
>
> 
[3] https://bugs.gentoo.org/show_bug.cgi?id=401513
> 
> [4] 
> http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
>
> 
[5] https://launchpad.net/ubuntu/+source/policykit-1/0.103-1
> 
> thank you tim

Please use CVE-2011-4945 for this issue (link #4 is from 2011).

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.