
Gentoo: GLSA-201204-06 High: PolicyKit Local Access Issue

April 17, 2012
Several flaws identified in PolicyKit may enable local adversaries to acquire root privileges on Gentoo environments. It is advised to update promptly.
Multiple vulnerabilities have been found in PolicyKit, the worst of which may allow a local attacker to gain root privileges.

Summary

Multiple vulnerabilities have been found in PolicyKit:

* Error messages in the pkexec utility disclose the existence of local files (CVE-2010-0750).
* The pkexec utility initially checks the effective user ID of its parent process for authorization, instead of checking the real user ID (CVE-2011-1485).
* Members of the "wheel" group are able to execute commands as an administrator without a password (CVE-2011-4945).

Resolution

All PolicyKit users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=sys-auth/polkit-0.104-r1"

References

[ 1 ] CVE-2010-0750 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0750
[ 2 ] CVE-2011-1485 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1485
[ 3 ] CVE-2011-4945 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4945

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201204-06

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: High
Title: PolicyKit: Multiple vulnerabilities
Date: April 17, 2012
Bugs: #314535, #364973, #401513
ID: 201204-06

Synopsis

Multiple vulnerabilities have been found in PolicyKit, the worst of which may allow a local attacker to gain root privileges.

Background

PolicyKit is a toolkit for controlling privileges for system-wide services.

Affected Packages

-------------------------------------------------------------------
     Package          /     Vulnerable     /     Unaffected
-------------------------------------------------------------------
  1  sys-auth/polkit        < 0.104-r1           >= 0.104-r1
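
To audit hosts against the boundary in the table above, the following added example (not part of the GLSA or of any Gentoo tool) classifies installed sys-auth/polkit versions as vulnerable or unaffected. The function names, the default /var/db/pkg location and the simplified version grammar are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify sys-auth/polkit versions against GLSA 201204-06
# (vulnerable: < 0.104-r1, unaffected: >= 0.104-r1).
# Assumption: versions are dotted numbers without leading-zero components,
# plus an optional -rN revision; anything else is reported as "unknown".
FIXED_VERSION="0.104-r1"

# Print -1, 0 or 1 for A <, ==, > B; return 2 on an unsupported string.
polkit_ver_cmp() {
    va=${1%-r*}; vb=${2%-r*}; ra=0; rb=0
    case $1 in *-r*) ra=${1##*-r} ;; esac
    case $2 in *-r*) rb=${2##*-r} ;; esac
    case $va in ''|*[!0-9.]*) return 2 ;; esac
    case $vb in ''|*[!0-9.]*) return 2 ;; esac
    case $ra in ''|*[!0-9]*) return 2 ;; esac
    case $rb in ''|*[!0-9]*) return 2 ;; esac
    while [ -n "$va" ] || [ -n "$vb" ]; do
        # A missing component sorts below any present one (0.104 < 0.104.0).
        x=${va%%.*}; y=${vb%%.*}
        if [ "${x:--1}" -gt "${y:--1}" ]; then echo 1; return 0; fi
        if [ "${x:--1}" -lt "${y:--1}" ]; then echo -1; return 0; fi
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    # Dotted parts are equal: the -rN revision decides.
    if [ "$ra" -gt "$rb" ]; then echo 1
    elif [ "$ra" -lt "$rb" ]; then echo -1
    else echo 0; fi
}

# Print "vulnerable", "unaffected" or "unknown" for one polkit version.
glsa_201204_06_status() {
    c=$(polkit_ver_cmp "$1" "$FIXED_VERSION") || { echo unknown; return 0; }
    if [ "$c" -lt 0 ]; then echo vulnerable; else echo unaffected; fi
}

# Report every polkit version recorded under a Portage installed-package
# database (assumed default location: /var/db/pkg).
scan_vdb() {
    for d in "${1:-/var/db/pkg}"/sys-auth/polkit-[0-9]*; do
        [ -d "$d" ] || continue
        v=${d##*/polkit-}
        echo "sys-auth/polkit-$v: $(glsa_201204_06_status "$v")"
    done
}

scan_vdb "$@"
```

Run without arguments on a Gentoo host, or pass the path of a mounted image's package database as the first argument to audit it offline.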

Impact

A local attacker could gain elevated privileges or sensitive information.

Workaround

There is no known workaround at this time.
