oss-sec mailing list archives

CVE Request: PolicyKit change allows users in "wheel" group to become root without a password

From: Tim Sammut <underling () gentoo org>
Date: Tue, 27 Mar 2012 19:45:09 -0700

Hi.

Please assign a CVE to this issue.

An intended change in PolicyKit [1] version 0.103 [2] allows users of
the "wheel" group to become root without providing the root password.
While this was intentional, we believe it presents a security concern
for our users [3].

[1]
http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9
[2]
http://www.mail-archive.com/polkit-devel () lists freedesktop org/msg00327.html
[3] https://bugs.gentoo.org/show_bug.cgi?id=401513

[4]
http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
[5] https://launchpad.net/ubuntu/+source/policykit-1/0.103-1

thank you
tim

-- 
Tim Sammut ~ Gentoo Security Team
underling () gentoo org ~ C2375493

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

CVE Request: PolicyKit change allows users in "wheel" group to become root without a password Tim Sammut (Mar 27)
- Re: CVE Request: PolicyKit change allows users in "wheel" group to become root without a password Kurt Seifried (Mar 27)