Debian Bug report logs -
#723717
policykit-1: CVE-2013-4288
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Thu, 19 Sep 2013 06:24:02 UTC
Severity: grave
Tags: patch, security
Found in version policykit-1/0.96-4
Fixed in versions policykit-1/0.112-1, policykit-1/0.105-3+nmu1
Done: Michael Gilbert <mgilbert@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#723717; Package policykit-1.
(Thu, 19 Sep 2013 06:24:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>.
(Thu, 19 Sep 2013 06:24:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: policykit-1
Severity: grave
Tags: security
Justification: user security hole
Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4288 for details
and patches.
Cheers,
Moritz
Reply sent
to Michael Biebl <biebl@debian.org>:
You have taken responsibility.
(Thu, 19 Sep 2013 16:06:54 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(Thu, 19 Sep 2013 16:06:54 GMT) (full text, mbox, link).
Message #10 received at 723717-close@bugs.debian.org (full text, mbox, reply):
Source: policykit-1
Source-Version: 0.112-1
We believe that the bug you reported is fixed in the latest version of
policykit-1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 723717@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated policykit-1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 19 Sep 2013 17:39:54 +0200
Source: policykit-1
Binary: policykit-1 policykit-1-doc libpolkit-gobject-1-0 libpolkit-gobject-1-dev libpolkit-agent-1-0 libpolkit-agent-1-dev gir1.2-polkit-1.0
Architecture: source amd64 all
Version: 0.112-1
Distribution: experimental
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
gir1.2-polkit-1.0 - GObject introspection data for PolicyKit
libpolkit-agent-1-0 - PolicyKit Authentication Agent API
libpolkit-agent-1-dev - PolicyKit Authentication Agent API - development files
libpolkit-gobject-1-0 - PolicyKit Authorization API
libpolkit-gobject-1-dev - PolicyKit Authorization API - development files
policykit-1 - framework for managing administrative policies and privileges
policykit-1-doc - documentation for PolicyKit-1
Closes: 723717
Changes:
policykit-1 (0.112-1) experimental; urgency=low
.
* New upstream release.
- Fixes CVE-2013-4288, unix-process subject for authorization is racy.
(Closes: #723717)
* Remove 00git_pkexec_pam_env.patch and 09_link_libmozjs.patch, both merged
upstream.
* Drop explicit Build-Depends on gir1.2-glib-2.0.
* Bump Standards-Version to 3.9.4. No further changes.
Checksums-Sha1:
4af18b75e9a3ac56145edb9d2593ac2d1b3f109d 2641 policykit-1_0.112-1.dsc
374397f1c32fa1290be0fce378fe9bab541ee4bf 1429240 policykit-1_0.112.orig.tar.gz
49a70babc717dfcfb9fd24edc3e898beacad91df 16388 policykit-1_0.112-1.debian.tar.gz
be3955c8a12bf939d5894e9f076f45e5446ddb9f 92808 policykit-1_0.112-1_amd64.deb
9a21adfe310968829191dc0d64ec80e78c1d6e64 242522 policykit-1-doc_0.112-1_all.deb
068fc2ea641287c18b656231d0ba85c977ced430 40410 libpolkit-gobject-1-0_0.112-1_amd64.deb
18ee6a8536a550c9e9fed32b23c9f897f58908df 58930 libpolkit-gobject-1-dev_0.112-1_amd64.deb
9e2467de28c35e67852fcb8a3df7828395cc7cc1 22094 libpolkit-agent-1-0_0.112-1_amd64.deb
88b86fe0c68c7ff62bd07d8bff4cc61238faab70 27942 libpolkit-agent-1-dev_0.112-1_amd64.deb
565bd25f43ee4fa148f60c24bcde5199fd00e03b 14514 gir1.2-polkit-1.0_0.112-1_amd64.deb
Checksums-Sha256:
8c6fc2f603366e3e82d6fdb5213bef3523068666e3d9f39f066fdb5e8a3c2ccc 2641 policykit-1_0.112-1.dsc
d695f43cba4748a822fbe864dd32c4887c5da1c71694a47693ace5e88fcf6af6 1429240 policykit-1_0.112.orig.tar.gz
0dcb5b76534d5b34ec8ef38fba11f6e2192a6fc442d11c0b7423884369fd5a23 16388 policykit-1_0.112-1.debian.tar.gz
525340cc57c305b4230fedad041a56c8f10bfb0523149939a772e462431761dd 92808 policykit-1_0.112-1_amd64.deb
6296d0e092ad018b80d9c6c54033c518cae8864eb5b9852cc3cb4dbd50ee56ca 242522 policykit-1-doc_0.112-1_all.deb
ee4314f82d87b1bbc15d7a8659c3baeed9a5899227e8efd0156c598e46ae0b17 40410 libpolkit-gobject-1-0_0.112-1_amd64.deb
0c29ce8ebdb19abb27af8fef3864544ccad2b9b80195ccfc136608a705c9106d 58930 libpolkit-gobject-1-dev_0.112-1_amd64.deb
4c0c98c257627289d28fd750e4db60a02f9fc94bd60def63c720a293168a6054 22094 libpolkit-agent-1-0_0.112-1_amd64.deb
1516e502780c680d1861c61ce0c6ebf5177ad85339a68e4eaac9389b8520d2a4 27942 libpolkit-agent-1-dev_0.112-1_amd64.deb
03953e679b1960e887ed58e6da0e6c6df187b3861c54ad938ff5bb7f908bfedc 14514 gir1.2-polkit-1.0_0.112-1_amd64.deb
Files:
e9d7a03c8d25741a263402c830a5560b 2641 admin optional policykit-1_0.112-1.dsc
b0f2fa00a55f47c6a5d88e9b73f80127 1429240 admin optional policykit-1_0.112.orig.tar.gz
330f63a4d5eb3bd736eda5c895a38888 16388 admin optional policykit-1_0.112-1.debian.tar.gz
663805f996e15376f61fafceee19909d 92808 admin optional policykit-1_0.112-1_amd64.deb
0202d1f477a6cde079b2c1f06515d0cd 242522 doc optional policykit-1-doc_0.112-1_all.deb
9a24e2fb60294bf928cc81e10adf49df 40410 libs optional libpolkit-gobject-1-0_0.112-1_amd64.deb
39a107302a588b13021b496f00696de3 58930 libdevel optional libpolkit-gobject-1-dev_0.112-1_amd64.deb
93312c1055b4c0f2017eb042cca3ca51 22094 libs optional libpolkit-agent-1-0_0.112-1_amd64.deb
0c4bd0f66f55359b028114579852b7af 27942 libdevel optional libpolkit-agent-1-dev_0.112-1_amd64.deb
6f8fa585387c86d8e4b85b0689fa9ddd 14514 introspection optional gir1.2-polkit-1.0_0.112-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
iQIcBAEBCAAGBQJSOxt0AAoJEGrh4w1gjyLcFVcP/3Qi7CePENClJWQxCG+vLmqt
G6EI/mfzi4OhPq7I2iI791ldwGnDJCJ7yTw4di8WGaKy5uB/3lthSrOUkCDxOXUF
k+TplSuYNn2H22LbMQoc/nJfDdaroKAHg1finTgaxOTxTagBCFwIu/xsTXh4uxE7
Hen5+6IQy+zJJb6Z58O/PGN6vabSVfxtpv0/HLvu6u17FkJpZdzKKAcwahDaQ8Sc
y3yi7FjiwO9g1M0CQsBpfijyeLrGQ4jTB59xNxCma8iCXirD1RypzxJDPGhnu6mu
mwESiAmjSo0zkhVD19mJsGdDrV/1/wrLdHislfNFLHSZxP12kb+8jLWpeW69IYXv
Feg/DwbEzV0i1X/Y/RF7y8xyugfIwCjkNMgQdJZM/qGsLET1I9PNYYu43EHmjIjT
qzwAUFMvC8LV/XNQTb+Lz1x8r4v8vVL3UsH1uydTcBItk3wMpJQTeNrD03rxMypY
BHAX0HtcS9gGLwAJQE/a2XCdflNpEwGICj7kqUYWRgcky4W91p71lUvGHuRiWWt6
yprkcnqAQEhB5fmyTOCnR0DW2TF66ktLHhG4vDlG9M4fNBRMMT4FMTsRNrub8OtN
7jU13vBOLS7mGXWp9XBY6TLRpMq3UleiSAAg2FOUYUmFEM3Yqycv4i72Ce4XqpY4
ZpcbuLw3zuI2Ojf9zKyd
=rukR
-----END PGP SIGNATURE-----
Marked as found in versions policykit-1/0.96-4.
Request was from Michael Gilbert <mgilbert@debian.org>
to control@bugs.debian.org.
(Mon, 14 Oct 2013 00:09:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#723717; Package policykit-1.
(Mon, 14 Oct 2013 00:39:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>.
(Mon, 14 Oct 2013 00:39:05 GMT) (full text, mbox, link).
Message #17 received at 723717@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
control: tag -1 patch
On Thu, Sep 19, 2013 at 2:15 AM, Moritz Muehlenhoff wrote:
> Package: policykit-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4288 for details
> and patches.
Hi,
I've uploaded an nmu fixing this issue. Please see attached patch.
Best wishes,
Mike
[policykit.patch (application/octet-stream, attachment)]
Added tag(s) patch.
Request was from Michael Gilbert <mgilbert@debian.org>
to 723717-submit@bugs.debian.org.
(Mon, 14 Oct 2013 00:39:05 GMT) (full text, mbox, link).
Reply sent
to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility.
(Mon, 14 Oct 2013 00:51:13 GMT) (full text, mbox, link).
Notification sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(Mon, 14 Oct 2013 00:51:13 GMT) (full text, mbox, link).
Message #24 received at 723717-close@bugs.debian.org (full text, mbox, reply):
Source: policykit-1
Source-Version: 0.105-3+nmu1
We believe that the bug you reported is fixed in the latest version of
policykit-1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 723717@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated policykit-1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 14 Oct 2013 00:08:43 +0000
Source: policykit-1
Binary: policykit-1 policykit-1-doc libpolkit-gobject-1-0 libpolkit-gobject-1-dev libpolkit-agent-1-0 libpolkit-agent-1-dev libpolkit-backend-1-0 libpolkit-backend-1-dev gir1.2-polkit-1.0
Architecture: source amd64 all
Version: 0.105-3+nmu1
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description:
gir1.2-polkit-1.0 - GObject introspection data for PolicyKit
libpolkit-agent-1-0 - PolicyKit Authentication Agent API
libpolkit-agent-1-dev - PolicyKit Authentication Agent API - development files
libpolkit-backend-1-0 - PolicyKit backend API
libpolkit-backend-1-dev - PolicyKit backend API - development files
libpolkit-gobject-1-0 - PolicyKit Authorization API
libpolkit-gobject-1-dev - PolicyKit Authorization API - development files
policykit-1 - framework for managing administrative policies and privileges
policykit-1-doc - documentation for PolicyKit-1
Closes: 723717
Changes:
policykit-1 (0.105-3+nmu1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix cve-2013-4288: race condition in pkcheck.c (closes: #723717).
Checksums-Sha1:
a139a467bd35f76e89c5cad0497655c7196befe9 3486 policykit-1_0.105-3+nmu1.dsc
4cb783e51feb51b06a831393a4228394051e7e38 18935 policykit-1_0.105-3+nmu1.debian.tar.gz
86657a0adc5320139f70cabcd7c7e92dc9b0d82d 57618 policykit-1_0.105-3+nmu1_amd64.deb
6cd9813db2938884f43055d36af8676bf077bc2d 259974 policykit-1-doc_0.105-3+nmu1_all.deb
a9ea097abd064ef8ebc3c7f0721d24a15c92fc75 39534 libpolkit-gobject-1-0_0.105-3+nmu1_amd64.deb
b2c22b187447e4bf9936a36641135d4c242b9871 57752 libpolkit-gobject-1-dev_0.105-3+nmu1_amd64.deb
38cd74b3ae65d8df821effb9196be545b6b02712 21210 libpolkit-agent-1-0_0.105-3+nmu1_amd64.deb
f062247eb93439753b711d717a1a16ae9ed75e92 26948 libpolkit-agent-1-dev_0.105-3+nmu1_amd64.deb
00796ab98726f6462eb10f98ed4ec5c0b476bbd4 41292 libpolkit-backend-1-0_0.105-3+nmu1_amd64.deb
6de38ef459164c4af4655e4c2166e324d516c087 45854 libpolkit-backend-1-dev_0.105-3+nmu1_amd64.deb
508f315165fe8682880aa1c1f07b61d850098081 13484 gir1.2-polkit-1.0_0.105-3+nmu1_amd64.deb
Checksums-Sha256:
47d01cb26b7404271cacfc7ba86faeecc1b8aa43766414aaa472ad221cb1311a 3486 policykit-1_0.105-3+nmu1.dsc
ddf39833121886c7650849c0466617bd72ca762a727e87fb4f3c757349bd9e8f 18935 policykit-1_0.105-3+nmu1.debian.tar.gz
e0753bed3806883f447ff6ae27989257519e686ba5dff2e0dd65144e027ff162 57618 policykit-1_0.105-3+nmu1_amd64.deb
66c35c0189e6f89d641b94a2216e639c137aa3e1bd42b7deb3813a3920c4322e 259974 policykit-1-doc_0.105-3+nmu1_all.deb
5c60ff660e02e8a8b602b6678f4a506e21016c7de7b209992b1b2e7fd6822641 39534 libpolkit-gobject-1-0_0.105-3+nmu1_amd64.deb
d3281f4433200284593793934291b1d1ddf3e56b0d48f948e26acef23cb53e3e 57752 libpolkit-gobject-1-dev_0.105-3+nmu1_amd64.deb
06d05262838d6b2818064ac9b18b0fbe624ea8b89453cb49d3e28aec29309d94 21210 libpolkit-agent-1-0_0.105-3+nmu1_amd64.deb
66059ec94f276e09e240f37601f92bc383de4732b513b8c59d5a32310b7fcd5d 26948 libpolkit-agent-1-dev_0.105-3+nmu1_amd64.deb
82ef40f20918b233ed51b64f4ba88069cbd484a29c375bf2c3adff293a49c62e 41292 libpolkit-backend-1-0_0.105-3+nmu1_amd64.deb
9a0e19a7d2bf6dcfce4b37bfdc489250df1959ae3519a78a686424560bff14f5 45854 libpolkit-backend-1-dev_0.105-3+nmu1_amd64.deb
c484d098c390e807e320ff702c5dd69d7fd487a6c5cef8fdb95b1bd251bfd74c 13484 gir1.2-polkit-1.0_0.105-3+nmu1_amd64.deb
Files:
c38efee18d55f13dd24bd40a809a8116 3486 admin optional policykit-1_0.105-3+nmu1.dsc
2284e401bf5d4eaef99d3ba9c05bc81d 18935 admin optional policykit-1_0.105-3+nmu1.debian.tar.gz
8cd950f6f963005bccefcf36681e78d4 57618 admin optional policykit-1_0.105-3+nmu1_amd64.deb
a60ed9103788b94a1e560159c4dc82ae 259974 doc optional policykit-1-doc_0.105-3+nmu1_all.deb
6684b54fed90d3f3f9499ab868348ef3 39534 libs optional libpolkit-gobject-1-0_0.105-3+nmu1_amd64.deb
78a359399363a63ab277de85640c4c3a 57752 libdevel optional libpolkit-gobject-1-dev_0.105-3+nmu1_amd64.deb
fe67aef2dd84780bdfb176209c984cf0 21210 libs optional libpolkit-agent-1-0_0.105-3+nmu1_amd64.deb
1c0556a9f37ee2727cefabb1cf2b036c 26948 libdevel optional libpolkit-agent-1-dev_0.105-3+nmu1_amd64.deb
0a7abb6e29fa46fd3cba9b19371c711a 41292 libs optional libpolkit-backend-1-0_0.105-3+nmu1_amd64.deb
0906fbc4cbde34f1de28cd95b2c8e0a5 45854 libdevel optional libpolkit-backend-1-dev_0.105-3+nmu1_amd64.deb
cfe0333c764fae9470ebf125abea6cc8 13484 introspection optional gir1.2-polkit-1.0_0.105-3+nmu1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iQQcBAEBCgAGBQJSWz6zAAoJELjWss0C1vRzpRsf/3yGqlQpbiE2XkBjRlp90JDU
phqZB8uh0K4tjc9hlSZSAe+OPMfIiqUzVIJMbkLgxjYccUoyp6ZYVMoAeG0qn7lg
XF56sGd6yqw8/3phJU5jAP9sVBj6rAvgXw3kvAhPpg7XBjESvQ5U+RJX6dS61ED9
hl0pIOOVWRR+T8jmmCjjoYvtIgjGI3Fx1NfcxObRMJKn8koYhLINVA9HW2x/x0kk
GownW29sldPN5OVHYbYoawnPQ/frDwdJWqahI5tvWWY+GXwfx+IBjUai+RdAGIh4
Tjl6J7yRrSuyU+Guo/V5l3/eljuSdwq+eF6xmaoGYaqEwCUfDFVQ3y832G24sL8I
Eu6aQFKCvx8WedkvjjwgtvlMxESiJ1ByQfTX024mTVfATOX08AA4yHdHQ9FREFl1
U3H37i78lV0k2vSLpp0BzrygAMbM7VikYyDKpkkWMvgzJaSBBUZH/HL46BXIYtAU
4likMt/lX5JqfnGUFT9DfZwJpPnIBjSkmz1nXEQEO4g4m91NCpbePYXDX6LA0DGP
AjPiSCG+lRdHbp5gLqgTNP9Y8MK4SfmSD21x4y2RXVs9mEMcPeYNyGlw5Ihz47Vw
/y6lE5Pak+fLKgfuNMoJXWjoiRtnIefQdvdhOUW+IKX+3hkVNj24arADCIYo2P4t
jQ8FuT/NO7fe+bUANNP2DGvjrJ4eNre5gC6zU2OylVqJodmWocY9DLytIYtlgfwE
tN+KeIIRfmYG0bU6aIVPa9PXLyNBti6XMa8QeDJrbg/C1iLWdpv9UT1HjCEdLZrq
DXwS7tkCFcpt3b1toliU2RN/8d7r2fG/UVztZd6Gz5p5W5OFc5yYfRyLsPFHL11S
PsP2jR1syAXtqCXin0JM8eF8aWjZXGljdfPtGTZSVUekv2yd36smAurgZGDpiAzh
VR5+USKD/ZHRdjuhd/bvyNJRe/lW1yk/jenjdAIHpRYW+o3OFkOwswDBWOoEFb3b
Hd1IKAP+soOuAX2wr/grt5c/cYSEb0Ikte7VCkWA1astJfilI5PQyRq8RSmbOcc2
ZR1Fsd+y1cFBTPGlsfrLasyjzqhyPejWq2T7WvmPn4wfkjKar0a6tmBbDN7308gm
hLvMPkvMoAAVGV7P4/SfaW9I/F1o7WfGX1Pac3a87yQ0C7InOFHNUnkVzz7ZLwet
ZHxXa1Ck2783h4cb4S4Y3dUU7WTLi/WsAA/owZdEFxqI9qjy3vOkoOtBUjRkjr2n
ZvHvwpvFpX6yRErNmSHQxd7DzVCziEWyKlD5Axr/ly2baBc8iPeHfJkmIE6ijl/U
xXtbo3a+/aSyUwx4cWmKlxhKrDGzd+ozSYWJvcKzVCvZzrODOeBWLNYA4wW9yts=
=PH8H
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 26 Apr 2015 07:30:45 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:02:40 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon