[Pkg-utopia-maintainers] Bug#1132234: Processed: reassign 1132234 to src:policykit-1
Salvatore Bonaccorso
carnil at debian.org
Sun Mar 29 19:46:03 BST 2026
Hi,
On Sun, Mar 29, 2026 at 06:28:57PM +0200, Michael Biebl wrote:
> Hi Salvatore,
>
> if I read https://bugzilla.redhat.com/show_bug.cgi?id=2451739 correctly,
> only versions newer than 0.113 are affected.
> Could you update the info in the security tracker accordingly?
>
> And for unstable/testing: there we use systemd socket activation (for
> systemd users), so those users should not be affected, right?
But still versions are affected, because the commit
https://github.com/polkit-org/polkit/commit/ea544ffc18405237ccd95d28d7f45afef49aca17
which introduces the codepath is, as far as I can see, the fix for
CVE-2015-4625, or let's say part of it, which we have picked up as
well. But I will make clear the relation to the above commit and the
fix for CVE-2015-4625.
The CVE is still a bit confusing, and reaching out to you with a
bug report was in the hope that we can properly assess it. As I
understand it, it does not need a DSA, but it is still not clear to me
when the issue can be triggered, in particular given it is still
setuid in trixie. Source-wise it is still present in unstable as well,
but we have no easy way to mark something "unimportant" just for
unstable and not for the older suites.
For unstable/trixie I right now do not see an urgency either (given we
do not ship it setuid anymore and, as you say, we have systemd socket
activation), but I will mark it fixed once the source-wise fix is applied.
But we still need to properly assess the issue. I was not able to
directly trigger the problem on a trixie host either. That said, I still
need to look closer.
Regards,
Salvatore