Date: Tue, 27 Mar 2012 22:06:59 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Tim Sammut <underling@...too.org>, security <security@...too.org> Subject: Re: CVE Request: PolicyKit change allows users in "wheel" group to become root without a password On 03/27/2012 08:45 PM, Tim Sammut wrote: > Hi. > > Please assign a CVE to this issue. > > An intended change in PolicyKit  version 0.103  allows users > of the "wheel" group to become root without providing the root > password. While this was intentional, we believe it presents a > security concern for our users . > >  > http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9 > >  > http://firstname.lastname@example.org/msg00327.html > >  https://bugs.gentoo.org/show_bug.cgi?id=401513 > >  > http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch > >  https://launchpad.net/ubuntu/+source/policykit-1/0.103-1 > > thank you tim Please use CVE-2011-4945 for this issue (link #4 is from 2011). -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.