[Pkg-utopia-maintainers] Bug#1109334: policykit-1: CVE-2025-7519
Simon McVittie
smcv at debian.org
Tue Jul 15 14:49:55 BST 2025
On Tue, 15 Jul 2025 at 14:29:13 +0200, Moritz Mühlenhoff wrote:
>The following vulnerability was published for policykit-1.
>
>CVE-2025-7519[0]:
>| When processing an XML policy with 32 or
>| more nested elements in depth
[...]
>|
>| To exploit
>| this flaw, a high-privilege account is needed

Honestly, I don't think this is a security vulnerability and I think the
CVE should have been rejected. I think it's just a bug.

If an attacker can install XML policy files for polkit, then the
defender has already lost, because write access to /usr provides
arbitrary root code execution; the attacker is already on the protected
side of the airtight hatchway[1].

The clue is in the name: "policy" is exactly the thing that a sysadmin
or distro integrator, with unlimited privileges, uses to control what
privileges are given to users and system processes.

smcv

[1] https://devblogs.microsoft.com/oldnewthing/20240102-00/?p=109217
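
The two conditions discussed in this thread can be checked on a host with the following added example, which is not part of the original mail or of polkit: it measures element nesting depth in policy files against the 32 quoted in the CVE text, and reports any policy file that an account other than root could modify. The function names, the `.policy` suffix filter and the convention that the root element counts as depth 1 are assumptions of this sketch; the directory to scan is passed as an argument.

```python
import os
import stat
import sys
import xml.parsers.expat

DEPTH_LIMIT = 32  # nesting depth quoted in the CVE text above


def max_depth(path):
    """Return the deepest element nesting in an XML file (assumption: root = 1)."""
    state = {"cur": 0, "max": 0}

    def start(_name, _attrs):
        state["cur"] += 1
        state["max"] = max(state["max"], state["cur"])

    def end(_name):
        state["cur"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    with open(path, "rb") as fh:
        parser.ParseFile(fh)  # streaming parse, no tree is built
    return state["max"]


def audit(policy_dir):
    """Yield (path, finding) for each .policy file that needs attention."""
    for name in sorted(os.listdir(policy_dir)):
        if not name.endswith(".policy"):
            continue
        path = os.path.join(policy_dir, name)
        st = os.stat(path)
        # Trust boundary: only root should be able to change policy.
        if st.st_uid != 0:
            yield path, "owner is uid %d, not root" % st.st_uid
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            yield path, "writable by group or other"
        try:
            depth = max_depth(path)
        except xml.parsers.expat.ExpatError as exc:
            yield path, "not well-formed XML: %s" % exc
            continue
        if depth >= DEPTH_LIMIT:
            yield path, "nesting depth %d >= %d" % (depth, DEPTH_LIMIT)


if __name__ == "__main__" and len(sys.argv) == 2:
    for path, finding in audit(sys.argv[1]):
        print("%s: %s" % (path, finding))
```

A permission finding is the one that matters for the argument above; a depth finding on a root-owned, root-only-writable file points at a packaging bug rather than at an attacker.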