[ubuntu/disco-proposed] policykit-1 0.105-22ubuntu1 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Fri Dec 7 16:32:13 UTC 2018


policykit-1 (0.105-22ubuntu1) disco; urgency=medium

  * SECURITY UPDATE: authorization bypass with large uid
    - debian/patches/CVE-2018-19788-1.patch: allow negative uids/gids in
      PolkitUnixUser and Group objects in src/polkit/polkitunixgroup.c,
      src/polkit/polkitunixprocess.c, src/polkit/polkitunixuser.c.
    - debian/patches/CVE-2018-19788-2.patch: add tests to
      test/data/etc/group, test/data/etc/passwd,
      test/data/etc/polkit-1/localauthority/10-test/com.example.pkla,
      test/polkitbackend/polkitbackendlocalauthoritytest.c.
    - CVE-2018-19788

Date: Fri, 07 Dec 2018 08:18:07 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/policykit-1/0.105-22ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Dec 2018 08:18:07 -0500
Source: policykit-1
Binary: policykit-1 policykit-1-doc libpolkit-gobject-1-0 libpolkit-gobject-1-dev libpolkit-agent-1-0 libpolkit-agent-1-dev libpolkit-backend-1-0 libpolkit-backend-1-dev gir1.2-polkit-1.0
Architecture: source
Version: 0.105-22ubuntu1
Distribution: disco
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description:
 gir1.2-polkit-1.0 - GObject introspection data for PolicyKit
 libpolkit-agent-1-0 - PolicyKit Authentication Agent API
 libpolkit-agent-1-dev - PolicyKit Authentication Agent API - development files
 libpolkit-backend-1-0 - PolicyKit backend API
 libpolkit-backend-1-dev - PolicyKit backend API - development files
 libpolkit-gobject-1-0 - PolicyKit Authorization API
 libpolkit-gobject-1-dev - PolicyKit Authorization API - development files
 policykit-1 - framework for managing administrative policies and privileges
 policykit-1-doc - documentation for PolicyKit-1
Changes:
 policykit-1 (0.105-22ubuntu1) disco; urgency=medium
 .
   * SECURITY UPDATE: authorization bypass with large uid
     - debian/patches/CVE-2018-19788-1.patch: allow negative uids/gids in
       PolkitUnixUser and Group objects in src/polkit/polkitunixgroup.c,
       src/polkit/polkitunixprocess.c, src/polkit/polkitunixuser.c.
     - debian/patches/CVE-2018-19788-2.patch: add tests to
       test/data/etc/group, test/data/etc/passwd,
       test/data/etc/polkit-1/localauthority/10-test/com.example.pkla,
       test/polkitbackend/polkitbackendlocalauthoritytest.c.
     - CVE-2018-19788
Checksums-Sha1:
 01b2bbb3c010b5344221d9f2a672d895baf795bb 3030 policykit-1_0.105-22ubuntu1.dsc
 87ed922e1b2f0d138da0006cbaf01c6d9856a885 64484 policykit-1_0.105-22ubuntu1.debian.tar.xz
 4016c0e197688d211c2d480cbd80bc85b16723f3 8931 policykit-1_0.105-22ubuntu1_source.buildinfo
Checksums-Sha256:
 6704c37262cf78c2a10866fbeb87673e304fbbdfe95e648c6d20b50944f94944 3030 policykit-1_0.105-22ubuntu1.dsc
 93b5afaf404837bd0c8e8a029c71e4ce7154b78996eb9bdcf423c3c4e566c424 64484 policykit-1_0.105-22ubuntu1.debian.tar.xz
 09a372a652962922542ee3b80d79ed9e91fdf389ebfe54c120b721f23ef73184 8931 policykit-1_0.105-22ubuntu1_source.buildinfo
Files:
 a45a762336236e83d88752b1ae4f268b 3030 admin optional policykit-1_0.105-22ubuntu1.dsc
 0b88dd3a1a54126fa8ea0601e0181d1b 64484 admin optional policykit-1_0.105-22ubuntu1.debian.tar.xz
 94a80134c6787ae3f091471f1c6939be 8931 admin optional policykit-1_0.105-22ubuntu1_source.buildinfo
Original-Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers at lists.alioth.debian.org>


