# PwnKit, a new PolKit vulnerability

## mike155

LWN has an article about a new Polkit vulnerability:

*Quote:*

> Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009. 


Original article from Qualys: PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)

----------

## eccerr0r

Thank you.  Appears <=sys-auth/polkit-0.120-r1 are affected

Issue is: Critical

Exploit is: Local

Ridiculousness of bug: very

Workaround: chmod -s /usr/bin/pkexec

Emergency fix: apply https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch to sys-auth/polkit-0.120-r1

Fix: pending.  https://bugs.gentoo.org/832057

Note: edited, appears that the fix is fine for older polkit, just need to wait for stabilization
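A defender-side check for the workaround and the fixed revisions named in this thread (0.117-r3, 0.120-r2 and later), as an added example that is not part of any post here. The function names are my own, and the audit takes the installed version as an argument rather than querying portage:

```shell
#!/bin/sh
# Added example (not from the thread): audit a pkexec binary for the
# chmod -s workaround and classify a Gentoo polkit version against the
# fixed revisions named in this thread (0.117-r3, 0.120-r2 and later).

# pkexec_is_setuid PATH -> exit 0 if the setuid bit is set on PATH.
# The thread's workaround (chmod -s /usr/bin/pkexec) clears this bit.
pkexec_is_setuid() {
    [ -u "$1" ]
}

# polkit_version_fixed VERSION -> exit 0 if VERSION (e.g. "0.120-r2")
# carries the fix per this thread; a missing -rN revision counts as r0.
polkit_version_fixed() {
    ver=${1%%-r*}                      # "0.120-r2" -> "0.120"
    case $1 in
        *-r*) rev=${1##*-r} ;;         # "0.120-r2" -> "2"
        *)    rev=0 ;;
    esac
    case $ver in
        0.*) minor=${ver#0.} ;;        # "0.120" -> "120"
        *)   return 0 ;;               # any 1.x release postdates the fix
    esac
    if [ "$minor" -gt 120 ]; then
        return 0
    elif [ "$minor" -eq 120 ]; then
        [ "$rev" -ge 2 ]               # 0.120-r2 and later are fixed
    elif [ "$minor" -eq 117 ]; then
        [ "$rev" -ge 3 ]               # 0.117-r3 is the fixed old branch
    else
        return 1                       # every other 0.x is unpatched
    fi
}

# audit_pkexec PATH VERSION -> prints one of:
#   fixed       version carries the upstream patch
#   mitigated   unpatched version, but the setuid bit has been removed
#   VULNERABLE  unpatched version and still setuid
audit_pkexec() {
    if polkit_version_fixed "$2"; then
        echo fixed
    elif pkexec_is_setuid "$1"; then
        echo VULNERABLE
    else
        echo mitigated
    fi
}
```

Run it as `audit_pkexec /usr/bin/pkexec "$(qatom -F '%{PV}-%{PR}' "$(equery -q l polkit)" 2>/dev/null)"` or simply paste the installed version string by hand; the functions do not need root to read the mode bits.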

----------

## figueroa

How strange that I learn about this HERE and NOW, and not even posted under security.  I guess it's OK. I've never been able to get pkexec to work to authenticate anything.

----------

## eccerr0r

Normally we don't get the GLSA until after it's been patched which is usually well after discovery and release to more mainstream distributions (...)

Oh well, not sure what the best way is if we aren't privileged to the bug report...

Please do apply the patch or remove suid from pkexec, don't need any more commandeered machines out there.

----------

## fedeliallalinea

*eccerr0r wrote:*

> Please do apply the patch or remove suid from pkexec, don't need any more commandeered machines out there.


New sys-auth/polkit-0.120-r2 version is out, so only sync and update

----------

## Ionen

The return of GLSAs is still being worked on (not that I've kept up much, afaik it's technical issues with the tooling to publish them -- security-fixing-wise everything is still happening as normal in a timely fashion).

So yes, >=120-r2 and 117-r3 are fixed (117 is the old pre-rust-spidermonkey one, albeit won't be needed for much longer given upstream merged the duktape PR today).

just emerge --sync, update polkit, confirm version and you're done, 120-r2 is already marked stable.

----------

## pietinger

*figueroa wrote:*

> How strange that I learn about this HERE and NOW, and not even posted under security.  [...]


I think you are right. Moved to Security.

----------

## mike155

Follow-up on LKML: https://lkml.org/lkml/2022/1/26/913

----------

## eccerr0r

I always found this "feature" annoying, alas it wasn't specified by POSIX so it's not wrong... Figures that OpenBSD declares it wrong.

----------

## sam_

*Ionen wrote:*

> The return of GLSAs is still being worked on (not that I've kept up much, afaik it's technical issues with the tooling to publish them -- security-fixing-wise everything is still happening as normal in a timely fashion).
> 
> So yes, >=120-r2 and 117-r3 are fixed (117 is the old pre-rust-spidermonkey one, albeit won't be needed for much longer given upstream merged the duktape PR today).
> 
> just emerge --sync, update polkit, confirm version and you're done, 120-r2 is already marked stable.


We're getting there!

Polkit GLSA published: GLSA 202201-01

----------
