[Pkg-utopia-maintainers] Bug#1005784: policykit-1: CVE-2021-4115: file descriptor leak allows an unprivileged user to cause a crash

Salvatore Bonaccorso carnil at debian.org
Tue Feb 15 06:07:20 GMT 2022


Hi Simon,

On Mon, Feb 14, 2022 at 10:07:49PM +0000, Simon McVittie wrote:
> On Mon, 14 Feb 2022 at 22:29:29 +0100, Salvatore Bonaccorso wrote:
> > Simon, Michael opinions on the DSA need? *If* it's automatically
> > restarted after crash, then we can schedule the fixes via the upcoming
> > point releases IMHO.
> 
> I can't say much about the impact of a vulnerability that doesn't have
> a patch or any details available, but if it's literally just running
> out of fd space and crashing, that's pretty weak even as an attack
> on availability.

Apologies, this is my fault. I was expecting that the commit is going
to be pushed out soon (as the issue was public after 15:00 UTC) but
apparently not. I'm attaching the aimed patch. The issue is introduced
by the "PolkitSystemBusName: Retrieve both pid and uid" patch we
backport.

> polkitd is D-Bus-activated on-demand, so a crash should just inconvenience
> people who are actively trying to authenticate at that moment: the next
> time a client tries to contact polkit, systemd (if used) or dbus-daemon
> (if using other init systems) will relaunch polkitd automatically before
> delivering the message.

Yes, that would be exactly the point. As polkitd will be relaunched I
think this would be more no-dsa than needing a DSA. Along with the
point release update we might as well replace the changes done for
CVE-2021-4034 with the upstream approach (with correct exit status).

Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: full-patch-for-CVE-2021-4115.patch
Type: text/x-diff
Size: 2455 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20220215/93df245c/attachment-0001.patch>

