polkit: fix local privilege escalation in pkexec #156750
jonringer merged 1 commit into NixOS:master from
Conversation
Let's retarget to master and merge a backport immediately.

> We discovered a Local Privilege Escalation (from any user to root) in
> polkit's pkexec, a SUID-root program that is installed by default on
> every major Linux distribution

https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt

Fixes: CVE-2021-4034
May as well merge staging-next if this is going to be a large rebuild.
@jonringer are there any changes in staging-next which may delay this fix being released? If not, I'm okay with that. However, if there is any risk of it, we should hold off.
Should be in the 2.5k-5k range for linux looking at the history.

It was close to being merged anyway. Mostly waiting on darwin builds.
jonringer left a comment
https://github.com/NixOS/nixpkgs/pull/156750
1 package built:
polkit
Successfully created backport PR #156758 for
Any chance this can be backported to nixos-20.09 as well?

It wouldn't do much, the related hydra jobs have been discontinued. So there's no CI/CD which will bump the release branches.

Oh right, fair enough. I spaced out and forgot what year it is, thinking 20.09 was just a few months old.
Managed to exploit the vulnerability, and this patch appears to fix it for me. On a side note, I think adding a requirement that
Can this be backported to nixos-21.05?

NixOS 21.05 reached its end of life around New Year's. That is when we stopped backporting security patches. Backporting polkit now and ignoring every other security issue that affects 21.05 would provide weird security guarantees, which is why I oppose that scenario. If you are still on NixOS 21.05 I recommend upgrading as soon as possible; in the meantime you can either disable polkit if you don't need it (
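The two interim options the comment above opens (drop polkit, or carry the fix locally until the machine is upgraded) as a configuration.nix fragment. This is an added example, not code from the PR or from nixpkgs: the overlay assumes the upstream pkexec fix has been saved next to the configuration as ./pkexec-cve-2021-4034.patch (the patch contents are not reproduced here), and the option names are the standard NixOS security.polkit and nixpkgs.overlays options.

```nix
# configuration.nix fragment for a host still on an EOL release.
# Added example; not part of the PR. Pick ONE of the two options.
{ config, pkgs, ... }:

{
  # Option A: nothing on this machine needs polkit, so remove the
  # setuid pkexec entirely. No rebuild of other packages is needed.
  # security.polkit.enable = false;

  # Option B: polkit is needed (desktop session, systemd-logind, ...),
  # so keep it but apply the upstream fix to the release's own package.
  # Assumption: the fix has been saved as ./pkexec-cve-2021-4034.patch.
  security.polkit.enable = true;

  nixpkgs.overlays = [
    (final: prev: {
      polkit = prev.polkit.overrideAttrs (old: {
        # Append to whatever patches the release already carries
        # instead of replacing them.
        patches = (old.patches or [ ]) ++ [ ./pkexec-cve-2021-4034.patch ];
      });
    })
  ];
}
```

Option B changes the polkit derivation, so every package that depends on it is rebuilt locally on the next nixos-rebuild switch; that is the same large rebuild the thread mentions for the master merge, only without Hydra's binary cache to absorb it, so expect it to take a while on a single machine. Option A is the cheaper choice whenever nothing on the host actually calls pkexec or polkit's authorization service.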
There is also an effort to resolve this kind of issue in the kernel. v1 https://lore.kernel.org/lkml/20220126043947.10058-1-ariadne@dereferenced.org/T/ via https://twitter.com/ariadneconill/status/1486199140929490949
I am using the unstable channel. Version 21.05 is used in one of the projects.

Then tell them to update :)
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/cve-2022-0185-and-hardened-kernel/17346/3

This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/cve-2022-0185-and-hardened-kernel/17346/4
Motivation for this change
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Fixes: CVE-2021-4034
Things done
- sandbox = true set in nix.conf? (See Nix manual)
- nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
- Tested execution of all binary files (usually in ./result/bin/)
- Ran nixos/doc/manual/md-to-db.sh to update generated release notes