#8431 closed defect (fixed)
polkit (CVE-2016-2568) (wait for upstream)
| Reported by: | Samuel | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | hold |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
A vulnerability has been found in polkit. It allows unprivileged users to gain root privileges through TIOCSTI ioctl. The last version of polkit is over a year old.
Change History (11)
comment:1 by , 8 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 8 years ago
comment:4 by , 8 years ago
| Status: | assigned → new |
|---|
comment:5 by , 8 years ago
Could be a fix:
https://lists.freedesktop.org/archives/polkit-devel/2016-February/000479.html
Entire thread of course.
comment:6 by , 8 years ago
| Owner: | changed from to |
|---|
comment:7 by , 8 years ago
| Milestone: | 7.11 → hold |
|---|---|
| Priority: | high → normal |
| Summary: | polkit (CVE-2016-2568) → polkit (CVE-2016-2568) (wait for upstream) |
Wait for an upstream fix.
comment:8 by , 7 years ago
Suggesting updating to git checkout. This also bumps to mozjs-24.2.0, so that we can remove mozjs17. Same build instructions apply.
http://www.linuxfromscratch.org/~dj/polkit-0.113+git_2919920.tar.xz md5sum: 106bd2fa4f336dc25ad2934dbdaf893c sha256sum: bd0739bf7d69cfe8a2076e69f09198d1baffb6ee977882288b4b1eaa6cb1ea83
Note:
See TracTickets
for help on using tickets.
So what do we do about it? We are not going to remove it. We have to wait for upstream to fix it.
I do not think it is productive to create a ticket until we can do something about it.