12-Year-Old Linux Vulnerability Grants Root Access

Post by fstjohn »

Any thoughts about this? How-to-geek article today
https://tinyurl.com/ybujeqyy

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by sydbat »

I guess that explains the update for polkit this morning. Not anything to be worried about. This is why Linux is superior - many, many eyes on various code (because open source) find possible issues and the fixes are almost instantaneous. You don't have to wait for a specific day each month to have a possible patch become available, if a patch is ever created without some media outlet making it news.
This is a signature. It is original.

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by karlchen »

Hi, folks.

Users of Linux Mint 19.x and 20.x should be safe from the reported policykit vulnerability thanks to Ubuntu's recent policykit bugfix. Cf. USN-5252-1: PolicyKit vulnerability. This statement will apply, provided you have accepted and installed the available policykit bugfix.

Cheers,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by JoeFootball »

fstjohn wrote: Any thoughts about this?
My thoughts are that I will continue to keep my systems updated, and keep my network behind a proper router.

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by AZgl1800 »

If you read that article, Mint and Ubuntu have already fixed this.
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by acerimusdux »

Yes, this was a particularly nasty one. It potentially allowed a user to obtain root access.

Fortunately not many will actually be affected. Since:

1. An attacker to utilize this has to already have local access to the machine. It's a privilege escalation vulnerability.
2. They would have to know about the vulnerability and execute a pkexec command carefully designed to exploit it.
3. This has already been patched by most distributions (though Debian testing seems to still be vulnerable). Researchers gave a little time for it to be patched before publicly announcing it.

So for a desktop user, mainly don't allow a user you don't trust to have access to your machine. But if you do have a Linux system which can't be patched yet, and do need to allow other users access to it, it is suggested you can temporarily remove SUID permissions from pkexec (sudo chmod u-s /usr/bin/pkexec). But this won't be needed for users of Mint (and would prevent proper functioning of pkexec).

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by rickNS »

Yet another non issue.

Took 12 years to discover, affected zero people.
This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host
And just how does "someone" get access to the machine to run commands in the first place?

I'm guessing, you have to invite the "attacker" into your house, start, and log into your pc, and then hand it (the vulnerable host) to them?
Mint 20.0, and 21.0 MATE on Thinkpads, 3 X T420, T450, T470, and X200

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by karlchen »

The Ubuntu article, which I had linked to, is not based on any click-bait article.
I suggest
  • not to get into panic when reading click-bait articles about the latest software vulnerability on the one hand
  • but also not to be impressed too much by those experts, who, based on missing pieces of information in the click-bait articles, immediately explain that the found vulnerability could not be exploited on your Linux Mint desktop machines, on the other hand.
  • to spend a thought or two on trying to imagine the malicious unprivileged local user on your system might actually not be a single entity, but two:
    the unprivileged local user (you) and a not so benevolent piece of software, exploiting the vulnerability.
    Not all users get all their software exclusively from trustworthy sources.
  • to take into consideration that the Ubuntu developers do not publish security notes for fun and that the policykit maintainers did not fix the vulnerability for fun.
  • to install the security updates offered by Update Manager in a timely fashion. - Better safe than sorry.
Disclaimer:
This is purely my personal point of view and my personal approach to newly detected vulnerabilities.

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by Schultz »

rickNS wrote: Wed Jan 26, 2022 7:19 pm Yet another non issue.
Yes it was . . . until it became public knowledge. Now it is an issue.

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by rene »

Schultz wrote: Thu Jan 27, 2022 10:03 am Yes it was . . . until it became public knowledge. Now it is an issue.
Not for "us" though, i.e., one's average desktop Linux user without malicious users nor infected by on desktop Linux for all even halfway practical purposes nonexistent malware.

Which wouldn't be to say that it wouldn't be good to not have this bug of course, but otherwise, and as always, yawn...

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by Hoser Rob »

sydbat wrote: Wed Jan 26, 2022 1:56 pm I guess that explains the update for polkit this morning. Not anything to be worried about. This is why Linux is superior - many, many eyes on various code (because open source) find possible issues and the fixes are almost instantaneous. You don't have to wait for a specific day each month to have a possible patch become available, if a patch is ever created without some media outlet making it news.
That argument would be a LOT more convincing if the bug wasn't 12 years old.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by Schultz »

rene wrote: Thu Jan 27, 2022 10:16 am Not for "us" though, i.e., one's average desktop Linux user without malicious users nor infected by on desktop Linux for all even halfway practical purposes nonexistent malware.

Which wouldn't be to say that it wouldn't be good to not have this bug of course, but otherwise, and as always, yawn...
My point, which seems like you missed, is that now that it's out in the open, it is an issue. It doesn't matter whether you or I don't have someone around our computers we don't trust. After all, we are only 2 people, out of how many in the world?

Yawn :) :roll: :wink:

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by rene »

Schultz wrote: Thu Jan 27, 2022 10:35 am My point, which seems like you missed, is that now that it's out in the open, it is an issue.
I clearly did not miss said point since I explicitly responded to it saying that for us your point is wrong; that for us, with the above definition of such, it is not an issue. That we desktop Linux users can, as always we can, continue to pick our noses and not care.

Sure; for not private, non desktop Linux users it can be an issue. I here on the Linux Mint desktop Linux operating system forum however don't give a fluing fyck.

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by d4damager »

How can I check if my system is patched? I've run update on my Mint 19.0 a few times last few days but don't remember seeing a polkit update, and neither does it show up when I do apt-get update && apt-get upgrade

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by Schultz »

d4damager wrote: Thu Jan 27, 2022 10:16 pm How can I check if my system is patched? I've run update on my Mint 19.0 a few times last few days but don't remember seeing a polkit update, and neither does it show up when I do apt-get update && apt-get upgrade
See this post by JoeFootball: viewtopic.php?p=2130247#p2130247

Re: 12-Year-Old Linux Vulnerability Grants Root Access

Post by d4damager »

Schultz wrote: Thu Jan 27, 2022 10:37 pm
d4damager wrote: Thu Jan 27, 2022 10:16 pm How can I check if my system is patched? I've run update on my Mint 19.0 a few times last few days but don't remember seeing a polkit update, and neither does it show up when I do apt-get update && apt-get upgrade
See this post by JoeFootball: viewtopic.php?p=2130247#p2130247
Thanks, the apt changelog does indeed show the Jan 2022 update (0.105-20ubuntu0.18.04.6) :D
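
The two checks discussed in this thread, as an added example that is not part of any post: whether pkexec still carries the setuid bit, and whether the installed polkit package is at least the version quoted above for Mint 19.x. The package name policykit-1 and the function names are assumptions; other releases have different fixed versions, listed in USN-5252-1.

```shell
#!/bin/sh
# Added example: defensive checks for the pkexec issue discussed in this thread.
# FIXED_BIONIC is the version quoted in the thread for Mint 19.x (Ubuntu 18.04 base).
FIXED_BIONIC="0.105-20ubuntu0.18.04.6"

# Report whether a file still carries the setuid bit.
# Prints "setuid", "no-setuid" or "missing".
suid_state() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif [ -u "$1" ]; then
        echo "setuid"
    else
        echo "no-setuid"
    fi
}

# Compare an installed package version against a fixed version using
# Debian version ordering. Prints "patched", "vulnerable" or "unknown"
# (empty version, or dpkg not available on this system).
patch_state() {
    installed=$1
    fixed=$2
    if [ -z "$installed" ] || ! command -v dpkg >/dev/null 2>&1; then
        echo "unknown"
    elif dpkg --compare-versions "$installed" ge "$fixed"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Installed version of policykit-1 (assumed package name); empty if absent.
installed_polkit() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f='${Version}' policykit-1 2>/dev/null || true
}

report() {
    ver=$(installed_polkit)
    echo "pkexec: $(suid_state /usr/bin/pkexec)"
    echo "policykit-1 '${ver}': $(patch_state "$ver" "$FIXED_BIONIC")"
}

report
```

Clearing only the setgid bit (chmod g-s) leaves suid_state reporting "setuid"; the temporary mitigation takes effect only once the setuid bit itself is gone.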