[Pkg-utopia-maintainers] Bug#1005784: policykit-1: CVE-2021-4115: file descriptor leak allows an unprivileged user to cause a crash

Simon McVittie smcv at debian.org
Mon Feb 14 22:07:49 GMT 2022


On Mon, 14 Feb 2022 at 22:29:29 +0100, Salvatore Bonaccorso wrote:
> Simon, Michael opinions on the DSA need? *If* it's automatically
> restarted after crash, then we can schedule the fixes via the upcoming
> point releases IMHO.

I can't say much about the impact of a vulnerability that doesn't have
a patch or any details available, but if it's literally just running
out of fd space and crashing, that's pretty weak even as an attack
on availability.

polkitd is D-Bus-activated on-demand, so a crash should just inconvenience
people who are actively trying to authenticate at that moment: the next
time a client tries to contact polkit, systemd (if used) or dbus-daemon
(if using other init systems) will relaunch polkitd automatically before
delivering the message.

    smcv



More information about the Pkg-utopia-maintainers mailing list