[Bug 1972654] [NEW] [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

Jeremy Bicha 1972654 at bugs.launchpad.net
Mon May 9 13:31:53 UTC 2022


*** This bug is a security vulnerability ***

Public security bug reported:

Please sync policykit-1 0.120-6 (main) from Debian experimental

Changelog entries since current kinetic version 0.105-33:
https://tracker.debian.org/media/packages/p/policykit-1/changelog-0.120-6

In particular, see the 0.120-4 changelog entry.

I am filing a bug for Security Team review.
Previously, Debian and Ubuntu developers agreed to keep using
the last version of policykit before it switched to using JavaScript rules.

But that was years ago. I believe Debian & Ubuntu are the only distros
to have opted out of the new policykit. It is harder to maintain
the old style rules when upstream rules use the new format. And it is
a challenge to backport security and other bugfixes from the new
series, without making mistakes or missing important details.

There was a proposal to use duktape instead of mozjs for the JavaScript
interpreter but I don't think that's been merged yet.

It appears the Debian maintainer is considering switching Debian to the
updated version in time for the next Debian Stable release (so uploading
to unstable later this year).

My requested deadline is August 25, Ubuntu 22.10 Feature Freeze.

** Affects: policykit-1 (Ubuntu)
     Importance: Medium
     Assignee: Ubuntu Security Team (ubuntu-security)
         Status: Confirmed


** Tags: kinetic

** Changed in: policykit-1 (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: policykit-1 (Ubuntu)
       Status: New => Confirmed

** Summary changed:

- Sync policykit-1 0.120-6 (main) from Debian experimental
+ [security review] Sync policykit-1 0.120-6 (main) from Debian experimental

** Changed in: policykit-1 (Ubuntu)
   Importance: Wishlist => Medium

** Changed in: policykit-1 (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Tags added: kinetic

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Package Archive Administrators, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1972654