policykit-1: CVE-2021-4115: file descriptor leak allows an unprivileged user to cause a crash

Related Vulnerabilities: CVE-2021-4115   CVE-2021-4034  

Debian Bug report logs - #1005784
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 14 Feb 2022 21:33:01 UTC

Severity: important

Tags: security, upstream

Found in versions policykit-1/0.105-31, policykit-1/0.105-31.1, policykit-1/0.105-31+deb11u1


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#1005784; Package src:policykit-1. (Mon, 14 Feb 2022 21:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 14 Feb 2022 21:33:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: policykit-1: CVE-2021-4115: file descriptor leak allows an unprivileged user to cause a crash
Date: Mon, 14 Feb 2022 22:29:29 +0100
Source: policykit-1
Version: 0.105-31.1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 0.105-31
Control: found -1 0.105-31+deb11u1
Control: found -1 0.105-25
Control: found -1 0.105-25+deb10u1

Hi,

The following vulnerability was published for policykit-1.

CVE-2021-4115[0]:
| file descriptor leak allows an unprivileged user to cause a crash

See [1]. Upstream has not yet pushed the commit into the repository,

Simon, Michael opinions on the DSA need? *If* it's automatically
restarted after crash, then we can schedule the fixes via the upcoming
point releases IMHO.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-4115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4115
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2007534

Regards,
Salvatore



Marked as found in versions policykit-1/0.105-31. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 14 Feb 2022 21:33:03 GMT)


Marked as found in versions policykit-1/0.105-31+deb11u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 14 Feb 2022 21:33:04 GMT)


Marked as found in versions policykit-1/0.105-25. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 14 Feb 2022 21:33:04 GMT)


Marked as found in versions policykit-1/0.105-25+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 14 Feb 2022 21:33:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#1005784; Package src:policykit-1. (Mon, 14 Feb 2022 22:09:05 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Mon, 14 Feb 2022 22:09:05 GMT)


Message #18 received at 1005784@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1005784@bugs.debian.org
Subject: Re: Bug#1005784: policykit-1: CVE-2021-4115: file descriptor leak allows an unprivileged user to cause a crash
Date: Mon, 14 Feb 2022 22:07:49 +0000

On Mon, 14 Feb 2022 at 22:29:29 +0100, Salvatore Bonaccorso wrote:
> Simon, Michael opinions on the DSA need? *If* it's automatically
> restarted after crash, then we can schedule the fixes via the upcoming
> point releases IMHO.

I can't say much about the impact of a vulnerability that doesn't have
a patch or any details available, but if it's literally just running
out of fd space and crashing, that's pretty weak even as an attack
on availability.

polkitd is D-Bus-activated on-demand, so a crash should just inconvenience
people who are actively trying to authenticate at that moment: the next
time a client tries to contact polkit, systemd (if used) or dbus-daemon
(if using other init systems) will relaunch polkitd automatically before
delivering the message.

    smcv
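The "running out of fd space" condition discussed in the message above can be observed on a live host from /proc. The following is an added example, not part of the bug thread or of polkit; it assumes the daemon's process name is `polkitd`, uses an arbitrary 80% warning threshold, and needs root to read another user's /proc/PID/fd.

```shell
#!/bin/sh
# Added example: report how close a process is to its open-file limit.
# Reads only /proc (Linux). Function names and the 80% default threshold
# are choices made for this example.

# fd_count PID -> number of descriptors currently open in PID
fd_count() {
    ls "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# fd_soft_limit PID -> soft "Max open files" value from /proc/PID/limits
fd_soft_limit() {
    awk '/^Max open files/ { print $4 }' "/proc/$1/limits" 2>/dev/null
}

# fd_headroom PID [PERCENT] -> prints "ok|warn COUNT LIMIT"
# returns 0 below the threshold, 1 at or above it,
# 2 if the process is gone or its fd table is not readable by this user
fd_headroom() {
    pid=$1; pct=${2:-80}
    [ -r "/proc/$pid/fd" ] || return 2
    count=$(fd_count "$pid")
    limit=$(fd_soft_limit "$pid")
    case $limit in
        # missing or non-numeric limit: nothing to compare against
        ''|*[!0-9]*) echo "ok $count ${limit:-unknown}"; return 0 ;;
    esac
    if [ $((count * 100)) -ge $((limit * pct)) ]; then
        echo "warn $count $limit"
        return 1
    fi
    echo "ok $count $limit"
}

# Check every running polkitd (process name is an assumption; the daemon
# may not be running at all, since it is started on demand).
for p in $(pgrep -x polkitd 2>/dev/null); do
    printf 'polkitd[%s]: ' "$p"
    fd_headroom "$p" || :
done
```

A descriptor count that keeps climbing between runs, rather than a single high reading, is what indicates a leak.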



Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#1005784; Package src:policykit-1. (Tue, 15 Feb 2022 06:09:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Tue, 15 Feb 2022 06:09:03 GMT)


Message #23 received at 1005784@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Simon McVittie <smcv@debian.org>
Cc: 1005784@bugs.debian.org
Subject: Re: Bug#1005784: policykit-1: CVE-2021-4115: file descriptor leak allows an unprivileged user to cause a crash
Date: Tue, 15 Feb 2022 07:07:20 +0100

Hi Simon,

On Mon, Feb 14, 2022 at 10:07:49PM +0000, Simon McVittie wrote:
> On Mon, 14 Feb 2022 at 22:29:29 +0100, Salvatore Bonaccorso wrote:
> > Simon, Michael opinions on the DSA need? *If* it's automatically
> > restarted after crash, then we can schedule the fixes via the upcoming
> > point releases IMHO.
> 
> I can't say much about the impact of a vulnerability that doesn't have
> a patch or any details available, but if it's literally just running
> out of fd space and crashing, that's pretty weak even as an attack
> on availability.

Apologies, this is my fault. I was expecting that the commit is going
to be pushed out soon (as the issue was public after 15:00 UTC) but
apparently not. I'm attaching the aimed patch. The issue is introduced
by the "PolkitSystemBusName: Retrieve both pid and uid" patch we
backport.

> polkitd is D-Bus-activated on-demand, so a crash should just inconvenience
> people who are actively trying to authenticate at that moment: the next
> time a client tries to contact polkit, systemd (if used) or dbus-daemon
> (if using other init systems) will relaunch polkitd automatically before
> delivering the message.

Yes, that would be exactly the point. As polkitd will be relaunched I
think this would be more no-dsa than needing a DSA. Along with the
point release update we might as well replace the changes done for
CVE-2021-4034 with the upstream approach (with correct exit status).

Regards,
Salvatore
[full-patch-for-CVE-2021-4115.patch (text/x-diff, attachment)]

No longer marked as found in versions policykit-1/0.105-25+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 15 Feb 2022 06:12:02 GMT)


No longer marked as found in versions policykit-1/0.105-25. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 15 Feb 2022 06:12:03 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Feb 15 13:06:13 2022; Machine Name: bembo
