Date: Tue, 27 Mar 2012 22:06:59 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Tim Sammut <underling@...too.org>, security <security@...too.org>
Subject: Re: CVE Request: PolicyKit change allows users in "wheel" group to become root without a password

On 03/27/2012 08:45 PM, Tim Sammut wrote:
> Hi.
>
> Please assign a CVE to this issue.
>
> An intended change in PolicyKit version 0.103 allows users
> of the "wheel" group to become root without providing the root
> password. While this was intentional, we believe it presents a
> security concern for our users.
>
> http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9
>
> http://www.mail-archive.com/polkit-devel@...ts.freedesktop.org/msg00327.html
>
> https://bugs.gentoo.org/show_bug.cgi?id=401513
>
> http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
>
> https://launchpad.net/ubuntu/+source/policykit-1/0.103-1
>
> thank you
> tim

Please use CVE-2011-4945 for this issue (link #4 is from 2011).

--
Kurt Seifried
Red Hat Security Response Team (SRT)