polkit: Privilege escalation — GLSA 202107-31

A vulnerability in polkit could lead to local root privilege escalation.

Affected packages

sys-auth/polkit on all architectures
Affected versions < 0.119
Unaffected versions >= 0.119

Background

polkit is a toolkit for managing policies related to unprivileged processes communicating with privileged processes.

Description

The function polkit_system_bus_name_get_creds_sync() was called without checking for errors, so the authentication request was temporarily treated as coming from root.
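
The bug class described above, shown as an added example: a simplified C model, not polkit's own code, in which a credential lookup whose failure is ignored leaves the caller's uid at its initial value. The function names, the initial value 0 and the simulated failure flag are assumptions made for illustration.

```c
/* Simplified model of an unchecked credential lookup.
 * Every name here is hypothetical; none of this is polkit source code. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-in for a credential lookup that can fail.
 * lookup_ok simulates success or failure; on failure *uid is left untouched. */
static bool lookup_peer_uid(bool lookup_ok, uid_t peer_uid, uid_t *uid)
{
    if (!lookup_ok)
        return false;
    *uid = peer_uid;
    return true;
}

/* Flawed pattern: the result is ignored, so a failed lookup leaves uid == 0
 * (assumed initial value), which is indistinguishable from root. */
bool is_authorized_unchecked(bool lookup_ok, uid_t peer_uid)
{
    uid_t uid = 0;
    lookup_peer_uid(lookup_ok, peer_uid, &uid);   /* error not checked */
    return uid == 0;                              /* root is always allowed */
}

/* Hardened pattern: fail closed when the caller's identity is unknown. */
bool is_authorized_checked(bool lookup_ok, uid_t peer_uid)
{
    uid_t uid = (uid_t)-1;                        /* sentinel, not a real user */
    if (!lookup_peer_uid(lookup_ok, peer_uid, &uid))
        return false;                             /* deny on lookup failure */
    return uid == 0;
}

int main(void)
{
    /* Constructed inputs: an unprivileged caller (uid 1000), lookup fails. */
    printf("unchecked, lookup fails: %d\n", is_authorized_unchecked(false, 1000));
    printf("checked,   lookup fails: %d\n", is_authorized_checked(false, 1000));
    /* Same caller, lookup succeeds: both variants deny. */
    printf("unchecked, lookup ok:    %d\n", is_authorized_unchecked(true, 1000));
    printf("checked,   lookup ok:    %d\n", is_authorized_checked(true, 1000));
    return 0;
}
```

The two variants differ only when the lookup fails, which is why the flaw is easy to miss in testing that never exercises the error path.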

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All polkit users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-auth/polkit-0.119"
 

References

Release date
July 13, 2021

Latest revision
July 13, 2021: 1

Severity
high

Exploitable
local

Bugzilla entries