The officially official Devuan Forum!


#1 2022-01-26 19:55:22

Micronaut
Member
Registered: 2019-07-04
Posts: 201  

Security Alert: PolicyKit

Slashdot has posted a story about a major flaw in PolicyKit, a widely used SUID utility in many Linux distributions. The arguments in the comments started quickly about whether this is a "systemd specific" problem.

https://linux.slashdot.org/story/22/01/ … red-pwnkit

So, is it really a systemd specific problem? Is PolicyKit found in Devuan or other distros that do not use systemd? In other words will there be a patch for Devuan?

Online

#2 2022-01-26 20:02:20

xinomilo
Unknown
Registered: 2017-07-02
Posts: 315  

Re: Security Alert: PolicyKit

don't know much about policykit, but it can't be a systemd issue... buggy pkexec binary was present since it was introduced back in 2009. (long before systemd entered debian).. so i'd say nothing to do with systemd.

and devuan is already patched, just upgrade..: https://bugs.devuan.org/cgi/bugreport.cgi?bug=658

Offline

#3 2022-01-26 20:37:43

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Security Alert: PolicyKit

Technical explanation here:

https://blog.qualys.com/vulnerabilities … -2021-4034

Of particular note:

we note that OpenBSD is not exploitable, because its kernel refuses to execve() a program if argc is 0

Puffy ftw! :D

Anyway it's only a local vulnerability with a severity of 7.8. Ho hum.

EDIT:

Micronaut wrote:

is it really a systemd specific problem?

Nope.

As noted above OpenBSD has polkit but that OS is fundamentally incompatible with systemd, as is Alpine Linux.

Last edited by Head_on_a_Stick (2022-01-26 20:43:03)


Brianna Ghey — Rest In Power

Offline
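
The argc rule quoted in post #3, applied inside a program rather than in the kernel: an added example, not part of the thread and not polkit's own code. The helper names `argv_is_sane` and `arg_at` are hypothetical; the point is that a privileged binary can refuse an empty argument vector itself before it indexes `argv`.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not from polkit): returns 1 only when the argument
 * vector has the shape a normal caller produces: argc >= 1, argv non-NULL,
 * every argv[0..argc-1] non-NULL, and argv[argc] the NULL terminator. */
int argv_is_sane(int argc, char *const argv[])
{
    if (argc < 1 || argv == NULL)
        return 0;               /* the case OpenBSD's execve() refuses */
    for (int i = 0; i < argc; i++)
        if (argv[i] == NULL)
            return 0;           /* argc claims more entries than exist */
    return argv[argc] == NULL;
}

/* Hypothetical helper: bounds-checked access, so code that starts parsing
 * at index 1 never reads past the terminator when argc is 0. */
const char *arg_at(int argc, char *const argv[], int i)
{
    if (!argv_is_sane(argc, argv) || i < 0 || i >= argc)
        return NULL;
    return argv[i];
}

int main(int argc, char *argv[])
{
    /* Fail closed before any option parsing touches argv. */
    if (!argv_is_sane(argc, argv)) {
        fputs("refusing to run with an empty argument vector\n", stderr);
        return 127;
    }
    const char *first = arg_at(argc, argv, 1);
    printf("program=%s first=%s\n", argv[0], first ? first : "(none)");
    return 0;
}
```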

#4 2022-01-26 23:08:32

Altoid
Member
Registered: 2017-05-07
Posts: 1,415  

Re: Security Alert: PolicyKit

Hello:

Head_on_a_Stick wrote:

... only a local vulnerability with a severity of 7.8.

Update available as of early afternoon -03:00 GMT.
Go Devuan !

BTW:
-----------------------------------------------------------------------------------------------------------------------------------
To obtain a root shell use su -. Using just su will result in "command not found" messages.
-----------------------------------------------------------------------------------------------------------------------------------
The slickest sticky I've seen yet.  8^D

Best,

A.

Last edited by Altoid (2022-01-26 23:10:21)

Offline

#5 2022-01-26 23:23:03

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 582  

Re: Security Alert: PolicyKit

I read that too. Thank you for the updates today :-)


pic from 1993, new guitar day.

Offline

#6 2022-01-29 23:04:00

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: Security Alert: PolicyKit

Good piece from Ariadne about this:

https://ariadne.space/2022/01/27/cve-2021-4034/


Brianna Ghey — Rest In Power

Offline
