|
Message-ID: <20220126141121.GA4424@unix-ag.uni-kl.de> Date: Wed, 26 Jan 2022 15:11:21 +0100 From: Erik Auerswald <auerswal@...x-ag.uni-kl.de> To: oss-security@...ts.openwall.com Cc: Roman Medina-Heigl Hernandez <roman@...labs.com> Subject: Re: pwnkit: Local Privilege Escalation in polkit's pkexec (CVE-2021-4034) Hi, On Wed, Jan 26, 2022 at 02:34:26PM +0200, Henri Salo wrote: > On Wed, Jan 26, 2022 at 12:18:07PM +0100, Roman Medina-Heigl Hernandez wrote: > > PS: Untested because my Debian machine doesn't contain pkexec, > > even though Qualy's advisory says it is by default on Debian. > > We had discussion off-list with Roman and this is the case only when > Debian is updated from previous release to bullseye. In clean installs > pkexec is installed. I think this depends on how Debian is installed (e.g., keeping installer defaults for a desktop system, or using a custom package selection). The "policykit-1" containing pkexec is "optional" and thus not present in all Debian installations: $ lsb_release -d ; apt-cache show policykit-1 | grep Priority Description: Debian GNU/Linux 10 (buster) Priority: optional Priority: optional $ lsb_release -d ; apt-cache show policykit-1 | grep Priority Description: Debian GNU/Linux 11 (bullseye) Priority: optional Priority: optional Best regards, Erik
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.