[Pkg-utopia-maintainers] policykit-1 CVE-2018-19788 in jessie

Santiago Ruano Rincón santiagorr at riseup.net
Mon Dec 31 02:27:47 GMT 2018


On 20/12/18 at 12:57, Moritz Muehlenhoff wrote:
> On Thu, Dec 20, 2018 at 03:11:49PM +0530, Abhijith PA wrote:
> > Hi Santiago,
> > 
> > On Thursday 20 December 2018 01:00 AM, Santiago Ruano Rincón wrote:
> > > Dear Maintainers,
> > > 
> > > (It seems my first attempt to send this mail failed. Sorry if you
> > > received it twice)
> > > 
> > > As opposed to stretch, I have been unable to reproduce CVE-2018-19788 in
> > > jessie. i.e. systemctl correctly doesn't allow me to stop services, and
> > > pkexec blocks me from executing applications that need privileges. 
> > 
> > I couldn't reproduce in my jessie machine either.
> > 
> > > Do you think it is safe to consider jessie as not-affected? Or is it
> > > still worth applying the patch?
> > 
> > I think it's okay to mark as not-affected.
> 
> Don't mark issues as not-affected just because some specific reproducer
> doesn't trigger. This should only be done if source code analysis
> has shown it to be not affected.

Thanks Abhijith and Moritz.

For different reasons, and despite the differences with stretch being
minimal, I have been unable to carry out a serious source code analysis.
I won't be able to actually work on this (including following-up if a
reversion/problem arises), so I have unclaimed it.

Sorry if it has taken so long.

Cheers,

S