polkit

Description: Application development toolkit for controlling system-wide privileges
Version: 124-2 [extra]

Resolved

Group     Affected             Fixed                Severity  Status  Ticket
AVG-2654  0.120-3              0.120-5              High      Fixed
AVG-2028  0.118-1              0.119-1              Medium    Fixed
AVG-897   0.115+24+g5230646-1  0.116-1              High      Fixed   FS#61751
AVG-828   0.115+3+g8638ec5-1   0.115+24+g5230646-1  High      Fixed

Issue           Group     Severity  Remote  Type                   Description
CVE-2021-4115   AVG-2654  Medium    No      Denial of service
    There is a file descriptor leak in polkit, which can enable an unprivileged user to cause polkit to crash, due to file descriptor exhaustion.
CVE-2021-4034   AVG-2654  High      No      Privilege escalation
    A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged...
CVE-2021-3560   AVG-2028  Medium    No      Privilege escalation
    A security issue was found in polkit before version 0.119. When a requesting process disconnects from dbus-daemon just before the call to...
CVE-2019-6133   AVG-897   High      No      Authentication bypass
    In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions...
CVE-2018-19788  AVG-828   High      No      Privilege escalation
    A security issue has been found in polkit <= 0.115, where an unprivileged user with a UID > INT_MAX can successfully execute any systemctl command.

Advisories

Date         Advisory       Group     Severity  Type
04 Apr 2022  ASA-202204-2   AVG-2654  High      multiple issues
09 Jun 2021  ASA-202106-24  AVG-2028  Medium    privilege escalation
08 Jan 2019  ASA-201901-2   AVG-828   High      privilege escalation