[Pkg-utopia-maintainers] Bug#1093276: Bug#1093276: polkit: When entering (correct) password, then waiting for timeout, password gets copied on CLI!
Michael Biebl
biebl at debian.org
Fri Jan 17 20:00:22 GMT 2025
Control: tags -1 + security
Hi,
looping in the Debian security team as I consider this a security-sensitive
issue, simply to make them aware of it.
We do have an upstream issue now but no CVE number, to the best of my knowledge.
Regards,
Michael
On 17.01.25 at 13:48, Michael Biebl wrote:
> Control: forwarded -1 https://github.com/polkit-org/polkit/issues/545
>
> Hi,
>
> thanks for your bug report. I can confirm/reproduce this issue.
> So I've forwarded it to upstream accordingly.
>
> On 17.01.25 at 11:23, li ar wrote:
>> Package: polkitd
>> Version: 122-3
>> Severity: important
>> File: polkit
>> X-Debbugs-Cc: liar666 at yopmail.com
>>
>> Dear Maintainer,
>>
>> Hello,
>>
>> I'm using LMDE6 (Linux Mint based on Debian 12).
>>
>> When, as a normal user, I call a command that requires root privileges
>> on the command line, instead of getting rejected, I'm asked for the root/
>> sudo password. I think the tool used to do that is polkit. That's why
>> I post here.
>>
>> When I enter my (correct) password but then DO NOT validate it by
>> hitting return, and then let the login/sudo TIMEOUT trigger, my
>> actual password gets copy-pasted on the command line!!!!
>>
>> When I use "sudo" directly, there is no timeout, thus it does not happen.
>>
>> Example:
>> ```
>> [✘] user@localmachine:~$ service ollama stop
>> ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====   ## <- I think it is polkit/pkexec that's called here?
>> Authentication is required to stop 'ollama.service'.
>> Authenticating as: USER,,, (user)
>> Password: Failed to stop ollama.service: Connection timed out   ## <- I just wait for timeout here
>> See system logs and 'systemctl status ollama.service' for details.
>> polkit-agent-helper-1: pam_authenticate failed: Authentication failure
>> [✘] user@localmachine:~$ MyPassw0rd!   ## <- My password is pasted on the CLI!!!!
>> ```
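The failure mode in the report above, reproduced as an added example (this is not polkit's, Debian's or the reporter's code). The mechanism it assumes, and which the thread itself does not establish for polkit, is the generic one for any hidden-password prompt: the prompt turns ECHO off on the terminal, the user types the password but never presses Enter, the prompt times out and restores the terminal settings, and the partial line still sitting in the kernel's tty input queue is delivered to the next process that reads the terminal, normally the shell, which shows it at its prompt. The script drives a pseudo-terminal pair so it runs without a real keyboard; `read_secret`, `shell_sees_after` and `completed_entry` are names chosen here, the sample password is constructed, and the contrast is the `flush_on_timeout` flag, which discards unread input with `tcflush(TCIFLUSH)` before the terminal is handed back.

```python
"""Added example: a hidden-password prompt must flush pending tty input when it
gives up on a timeout, otherwise the shell receives the half-typed password.
"""
import os
import pty
import select
import termios
import time


def read_secret(fd, timeout, flush_on_timeout):
    """Read one line from tty `fd` with echo disabled.

    Returns the line (without the newline) or None when `timeout` seconds pass
    without the user finishing the line. With `flush_on_timeout` set, the
    partially typed input is discarded before the terminal is handed back.
    """
    saved = termios.tcgetattr(fd)
    quiet = termios.tcgetattr(fd)
    quiet[3] &= ~termios.ECHO              # index 3 is c_lflag
    termios.tcsetattr(fd, termios.TCSANOW, quiet)
    try:
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                if flush_on_timeout:
                    # Discard the unread partial line so the next reader
                    # of the terminal (the shell) never sees it.
                    termios.tcflush(fd, termios.TCIFLUSH)
                return None
            readable, _, _ = select.select([fd], [], [], remaining)
            if readable:
                # Canonical mode: the kernel only makes a complete line readable.
                return os.read(fd, 4096).decode().rstrip("\r\n")
    finally:
        termios.tcsetattr(fd, termios.TCSANOW, saved)   # restores ECHO


def shell_sees_after(typed_before_timeout, flush_on_timeout, timeout=0.3):
    """Simulate the report: the user types `typed_before_timeout` at the hidden
    prompt without pressing Enter, the prompt times out, and then the user
    presses Enter at the shell prompt. Returns what the shell reads.
    """
    master, slave = pty.openpty()          # master plays keyboard and screen
    try:
        os.write(master, typed_before_timeout)
        if read_secret(slave, timeout, flush_on_timeout) is not None:
            raise RuntimeError("prompt should have timed out")
        os.write(master, b"\n")             # Enter at the shell prompt
        readable, _, _ = select.select([slave], [], [], 2.0)
        return os.read(slave, 4096).decode() if readable else ""
    finally:
        os.close(master)
        os.close(slave)


def completed_entry(typed, timeout=0.3):
    """Happy path: the user presses Enter before the timeout."""
    master, slave = pty.openpty()
    try:
        os.write(master, typed)
        return read_secret(slave, timeout, flush_on_timeout=True)
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    PASSWORD = b"MyPassw0rd!"              # constructed sample input
    print("without flush, shell reads:", repr(shell_sees_after(PASSWORD, False)))
    print("with flush, shell reads:   ", repr(shell_sees_after(PASSWORD, True)))
    print("completed entry returns:   ", repr(completed_entry(PASSWORD + b"\n")))
```

Without the flush the shell reads `'MyPassw0rd!\n'`, which is exactly the symptom in the transcript; with it the shell reads only the newline. Note that `TCSAFLUSH` on the call that disables echo would not help, since it flushes input that arrived before the prompt, not the line typed afterwards; the flush has to happen at the point where the prompt abandons the read.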