Re: CVE Request: PolicyKit change allows users in "wheel" group to become root without a password

[Kurt Seifried <kseifried () redhat com>]

On 03/27/2012 08:45 PM, Tim Sammut wrote:
> Hi.
>
> Please assign a CVE to this issue.
>
> An intended change in PolicyKit [1] version 0.103 [2] allows users
> of the "wheel" group to become root without providing the root
> password. While this was intentional, we believe it presents a
> security concern for our users [3].
>
> [1] 
> http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9
[2]
> http://www.mail-archive.com/polkit-devel () lists freedesktop org/msg00327.html
[3] https://bugs.gentoo.org/show_bug.cgi?id=401513
> [4] 
> http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
[5] https://launchpad.net/ubuntu/+source/policykit-1/0.103-1
> thank you tim

Please use CVE-2011-4945 for this issue (link #4 is from 2011).

-- 
Kurt Seifried Red Hat Security Response Team (SRT)