<![CDATA[Dev1 Galaxy Forum / Security Alert: PolicyKit]]> https://dev1galaxy.org/viewtopic.php?id=4833 Sat, 29 Jan 2022 23:04:00 +0000 FluxBB <![CDATA[Re: Security Alert: PolicyKit]]> https://dev1galaxy.org/viewtopic.php?pid=34263#p34263 Good piece from Ariadne about this:

https://ariadne.space/2022/01/27/cve-2021-4034/

]]> Sat, 29 Jan 2022 23:04:00 +0000 https://dev1galaxy.org/viewtopic.php?pid=34263#p34263 <![CDATA[Re: Security Alert: PolicyKit]]> https://dev1galaxy.org/viewtopic.php?pid=34199#p34199 I read that too. Thank you for the updates today :-)

]]> Wed, 26 Jan 2022 23:23:03 +0000 https://dev1galaxy.org/viewtopic.php?pid=34199#p34199 <![CDATA[Re: Security Alert: PolicyKit]]> https://dev1galaxy.org/viewtopic.php?pid=34198#p34198 Hello:

Head_on_a_Stick wrote:

... only a local vulnerability with a severity of 7.8.

Update available as of early afternoon -03:00 GMT.
Go Devuan !

BTW:
-----------------------------------------------------------------------------------------------------------------------------------
To obtain a root shell use su -. Using just su will result in "command not found" messages.
-----------------------------------------------------------------------------------------------------------------------------------
The slickest stiky I've seen yet.  8^D

Best,

A.

]]> Wed, 26 Jan 2022 23:08:32 +0000 https://dev1galaxy.org/viewtopic.php?pid=34198#p34198 <![CDATA[Re: Security Alert: PolicyKit]]> https://dev1galaxy.org/viewtopic.php?pid=34196#p34196 Technical explanation here:

https://blog.qualys.com/vulnerabilities … -2021-4034

Of particular note:

we note that OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0

Puffy ftw! big_smile

Anyway it's only a local vulnerability with a severity of 7.8. Ho hum.

EDIT:

Micronaut wrote:

is it really a systemd specific problem?

Nope.

As noted above OpenBSD has polkit but that OS is fundamentally incompatible with systemd, as is Alpine Linux.

]]> Wed, 26 Jan 2022 20:37:43 +0000 https://dev1galaxy.org/viewtopic.php?pid=34196#p34196 <![CDATA[Re: Security Alert: PolicyKit]]> https://dev1galaxy.org/viewtopic.php?pid=34195#p34195 don't know mch about policykit, but it can't be a systemd issue... buggy pkexec binary was present since it was introduced back in 2009. (long before systemd entered debian).. so i'd say nothing to do with systemd.

and devuan is already patched, just upgrade..: https://bugs.devuan.org/cgi/bugreport.cgi?bug=658

]]> Wed, 26 Jan 2022 20:02:20 +0000 https://dev1galaxy.org/viewtopic.php?pid=34195#p34195 <![CDATA[Security Alert: PolicyKit]]> https://dev1galaxy.org/viewtopic.php?pid=34193#p34193 Slashdot has posted a story about a major flaw in PolicyKit, a widely used SUID utility in many Linux distributions. The arguments in the comments started quickly about whether this is a "systemd specific" problem.

https://linux.slashdot.org/story/22/01/ … red-pwnkit

So, is it really a systemd specific problem? Is PolicyKit found in Devuan or other distros that do not use systemd? In other words will there be a patch for Devuan?

]]> Wed, 26 Jan 2022 19:55:22 +0000 https://dev1galaxy.org/viewtopic.php?pid=34193#p34193