Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#915332; Package src:policykit-1.
(Sun, 02 Dec 2018 20:42:05 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>.
(Sun, 02 Dec 2018 20:42:05 GMT)
Marked as found in versions policykit-1/0.105-18.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 02 Dec 2018 20:45:06 GMT)
Changed Bug title to 'policykit-1: CVE-2018-19788: unprivileged users with UID can successfully execute any systemctl command' from 'policykit: unprivileged users with UID > INT_MAX can successfully execute any systemctl command'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 03 Dec 2018 06:12:05 GMT)
Added tag(s) fixed-upstream.
Request was from debian-bts-link@lists.debian.org
to control@bugs.debian.org.
(Thu, 06 Dec 2018 17:45:15 GMT)
Reply sent
to Moritz Mühlenhoff <jmm@debian.org>:
You have taken responsibility.
(Fri, 07 Dec 2018 20:48:45 GMT)
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 07 Dec 2018 20:48:45 GMT)
Subject: Bug#915332: fixed in policykit-1 0.105-23
Date: Fri, 07 Dec 2018 21:09:54 +0000
Source: policykit-1
Source-Version: 0.105-23
We believe that the bug you reported is fixed in the latest version of
policykit-1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 915332@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated policykit-1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 07 Dec 2018 19:55:58 +0100
Source: policykit-1
Binary: policykit-1 policykit-1-doc libpolkit-gobject-1-0 libpolkit-gobject-1-dev libpolkit-agent-1-0 libpolkit-agent-1-dev libpolkit-backend-1-0 libpolkit-backend-1-dev gir1.2-polkit-1.0
Architecture: source
Version: 0.105-23
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
gir1.2-polkit-1.0 - GObject introspection data for PolicyKit
libpolkit-agent-1-0 - PolicyKit Authentication Agent API
libpolkit-agent-1-dev - PolicyKit Authentication Agent API - development files
libpolkit-backend-1-0 - PolicyKit backend API
libpolkit-backend-1-dev - PolicyKit backend API - development files
libpolkit-gobject-1-0 - PolicyKit Authorization API
libpolkit-gobject-1-dev - PolicyKit Authorization API - development files
policykit-1 - framework for managing administrative policies and privileges
policykit-1-doc - documentation for PolicyKit-1
Closes: 915332
Changes:
policykit-1 (0.105-23) unstable; urgency=high
.
* Allow negative uids/gids in PolkitUnixUser and Group objects.
Fixes a vulnerability in PolicyKit that allows a user with a uid greater
than INT_MAX to successfully execute arbitrary polkit actions.
(CVE-2018-19788, Closes: #915332)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Reply sent
to Michael Biebl <biebl@debian.org>:
You have taken responsibility.
(Fri, 07 Dec 2018 21:12:05 GMT)
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Fri, 07 Dec 2018 21:12:05 GMT)
Source: policykit-1
Source-Version: 0.115-3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 07 Dec 2018 20:17:15 +0100
Source: policykit-1
Binary: policykit-1 policykit-1-doc libpolkit-gobject-1-0 libpolkit-gobject-1-dev libpolkit-agent-1-0 libpolkit-agent-1-dev gir1.2-polkit-1.0
Architecture: source
Version: 0.115-3
Distribution: experimental
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
gir1.2-polkit-1.0 - GObject introspection data for PolicyKit
libpolkit-agent-1-0 - PolicyKit Authentication Agent API
libpolkit-agent-1-dev - PolicyKit Authentication Agent API - development files
libpolkit-gobject-1-0 - PolicyKit Authorization API
libpolkit-gobject-1-dev - PolicyKit Authorization API - development files
policykit-1 - framework for managing administrative policies and privileges
policykit-1-doc - documentation for PolicyKit-1
Closes: 915332
Changes:
policykit-1 (0.115-3) experimental; urgency=medium
.
* Allow negative uids/gids in PolkitUnixUser and Group objects.
Fixes a vulnerability in PolicyKit that allows a user with a uid greater
than INT_MAX to successfully execute arbitrary polkit actions.
(CVE-2018-19788, Closes: #915332)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 17 Feb 2019 07:29:00 GMT)