[Pkg-utopia-maintainers] Bug#812512: pkexec tty hijacking via TIOCSTI ioctl

argv minus one argv.minus.one at gmail.com
Sun Jun 13 03:24:03 BST 2021


Upstream has decided not to fix this vulnerability [1]. Apparently they're
using a Linux kernel patch that makes TIOCSTI require CAP_SYS_ADMIN [2],
making this vulnerability impossible to exploit, but the Debian kernel
sources don't seem to contain such a capability check, so polkit on Debian
is still vulnerable.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1300746
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1299955#c1
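One way to tell whether a given Debian (or any Linux) kernel actually carries the capability check the message describes, as an added example that is not from the bug report, polkit or Debian: the probe below allocates its own pty pair, issues TIOCSTI against it as the current user, and classifies the kernel's answer. Treating EIO as "restricted" assumes the behaviour of newer upstream kernels that can disable TIOCSTI outright, which this message does not discuss.

```c
/* Added probe (not from the bug report, polkit or Debian) for the kernel-side check. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

enum tiocsti_state {
    TIOCSTI_UNKNOWN,    /* no pty available, or the fd is not a usable tty */
    TIOCSTI_PRIVILEGED, /* ran as root: a CAP_SYS_ADMIN check would not fire */
    TIOCSTI_ALLOWED,    /* unprivileged injection succeeded: no check present */
    TIOCSTI_RESTRICTED  /* EPERM/EACCES (capability check) or EIO (newer kernels, TIOCSTI disabled) */
};

/* Push one newline into the input queue of the tty behind tty_fd; classify the answer. */
enum tiocsti_state probe_tiocsti_fd(int tty_fd)
{
    char ch = '\n';
    if (ioctl(tty_fd, TIOCSTI, &ch) == 0)
        return geteuid() == 0 ? TIOCSTI_PRIVILEGED : TIOCSTI_ALLOWED;
    if (errno == EPERM || errno == EACCES || errno == EIO)
        return TIOCSTI_RESTRICTED;
    return TIOCSTI_UNKNOWN; /* EBADF, ENOTTY, EINVAL: nothing to conclude */
}

/* Allocate a fresh pty pair via /dev/ptmx (Linux ioctls, no libutil) and probe its
 * slave side, so the caller's real terminal is never touched. */
enum tiocsti_state probe_tiocsti(void)
{
    int unlock = 0, ptn = -1, slave = -1;
    char path[32];
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (master < 0) return TIOCSTI_UNKNOWN;
    if (ioctl(master, TIOCSPTLCK, &unlock) == 0 && ioctl(master, TIOCGPTN, &ptn) == 0) {
        snprintf(path, sizeof path, "/dev/pts/%d", ptn);
        slave = open(path, O_RDWR | O_NOCTTY);
    }
    enum tiocsti_state st = slave < 0 ? TIOCSTI_UNKNOWN : probe_tiocsti_fd(slave);
    if (slave >= 0) close(slave);
    close(master);
    return st;
}

int main(void)
{
    static const char *label[] = { "unknown", "privileged", "allowed", "restricted" };
    printf("TIOCSTI for an unprivileged process: %s\n", label[probe_tiocsti()]);
    return 0;
}
```

Run it as an ordinary user: "allowed" means the kernel has no such check and the pkexec issue stands, "restricted" means it does, and a root run can only ever report "privileged".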