[Solved] Is this serious vulnerability patched for Mint?

Chat about anything related to Linux Mint
Forum rules
Do not post support questions here. Before you post read the forum rules. Topics in this forum are automatically closed 6 months after creation.
Locked
deepakdeshp
Level 20
Level 20
Posts: 12334
Joined: Sun Aug 09, 2015 10:00 am

[Solved] Is this serious vulnerability patched for Mint?

Post by deepakdeshp »

There has been this serious vulnerability. The article says it was patched for Ubuntu. I expect it to be patches for Mint too. Just want to make sure. Is it patched in the kernel? If so which series or is it a non kernel patch?
https://news.google.com/articles/CAIiEO ... id=IN%3Aen
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak

Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
RIH
Level 9
Level 9
Posts: 2834
Joined: Sat Aug 22, 2015 3:47 am

Re: Is this serious vulnerability patched for Mint?

Post by RIH »

From Ubuntu (link from your article)
polkit.png
From my Mint Update Manager history..
polkit1.png
Image
User avatar
karlchen
Level 23
Level 23
Posts: 18176
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Is this serious vulnerability patched for Mint?

Post by karlchen »

Hi, folks.

The answer is, "yes, Ubuntu provides the needed policykit patch", cf. this post please:
karlchen wrote: Wed Jan 26, 2022 3:18 pmUsers of Linux Mint 19.x and 20.x should be safe from the reported policykit vulnerability thanks to Ubuntu's recent policykit bugfix. Cf. USN-5252-1: PolicyKit vulnerability. This statement will apply, provided you have accepted and installed the available policykit bugfix.
Cheers,
Karl
Image
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
t42
Level 11
Level 11
Posts: 3709
Joined: Mon Jan 20, 2014 6:48 pm

Re: Is this serious vulnerability patched for Mint?

Post by t42 »

the Register article failed to explicitly state that this vulnerability can't be exploited remotely. The headline "Bug grants root access to any user" in fact means that you need to have a malicious unprivileged user on your system. Not a chance.

Edit: Still consider a fair point made by karlchen below:
to spend a thought or two on trying to imagine the malicious unprivileged local user on your system might actually not be a single entity, but two: the unprivileged local user (you) and a not so benevolent piece of software, exploiting the vulnerability.
Last edited by t42 on Thu Jan 27, 2022 10:01 am, edited 1 time in total.
-=t42=-
User avatar
karlchen
Level 23
Level 23
Posts: 18176
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Is this serious vulnerability patched for Mint?

Post by karlchen »

The Ubuntu article, which I had linked to, is not based on any click-bait article anywhere.
I suggest
  • not to get into panic when reading click-bait articles about the latest software vulnerability on the one hand
  • but also not to be impressed too much by those experts, who, based on missing pieces of information in the click-bait articles, immediately explain that the found vulnerability could not be exploited on your Linux Mint desktop machines, on the other hand.
  • to spend a thought or two on trying to imagine the malicious unprivileged local user on your system might actually not be a single entity, but two:
    the unprivileged local user (you) and a not so benevolent piece of software, exploiting the vulnerability.
    Not all users get all their software exclusively from trustworthy sources.
  • to take into consideration that the Ubuntu developers do not create security alerts for fun and that the policykit maintainers did not fix the vulnerability for fun.
  • to install the security updates offered by Update Manager in a timely fashion. - Better safe than sorry.
Disclaimer:
This is purely my personal point of view and my personal approach to newly detected vulnerabilities.
Image
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 762 days now.
Lifeline
deepakdeshp
Level 20
Level 20
Posts: 12334
Joined: Sun Aug 09, 2015 10:00 am

Re: Is this serious vulnerability patched for Mint?

Post by deepakdeshp »

Thank you Karlchen for your inputs. I always install the updates without fail that too immediately.
Best way to check if the vulnerability is patches should be to see that the update mentioned in my link for Ubuntu 20.04 is installed on our systems. According to RIHs post that doesn't seem to be the case. I do not know as yet hoto find this information.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak

Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
User avatar
JoeFootball
Level 13
Level 13
Posts: 4674
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: Is this serious vulnerability patched for Mint?

Post by JoeFootball »

deepakdeshp wrote: I do not know as yet hoto find this information.
Update Manager > View > History of Updates

https://packages.ubuntu.com/source/foca ... olicykit-1
User avatar
smurphos
Level 18
Level 18
Posts: 8501
Joined: Fri Sep 05, 2014 12:18 am
Location: Irish Brit in Portugal
Contact:

Re: Is this serious vulnerability patched for Mint?

Post by smurphos »

Version installed

Code: Select all

apt policy policykit-1
Changelog (hint the first entry is the report of this vulnerability being patched)

Code: Select all

apt changelog policykit-1
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
User avatar
smurphos
Level 18
Level 18
Posts: 8501
Joined: Fri Sep 05, 2014 12:18 am
Location: Irish Brit in Portugal
Contact:

Re: Is this serious vulnerability patched for Mint?

Post by smurphos »

t42 wrote: Thu Jan 27, 2022 7:46 am that you need to have a malicious unprivileged user on your system. Not a chance.
Clearly don't have cats. Mine like to call up random terminal commands from my bash history by stomping all over the keyboard...
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
User avatar
Portreve
Level 13
Level 13
Posts: 4882
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!
Contact:

Re: Is this serious vulnerability patched for Mint?

Post by Portreve »

Given that most people who use a computer do not keep track of any of this stuff, particularly not anything Linux-related, on the whole I'm not overly worried about potential negatives stemming from these kinds of click-bait articles. That said, however...

I am concerned that a few random idiots and/or bad apples out there in seeing these articles will then amplify them locally to people they know, and/or potential customers or others, who might then falsely get the legitimate impression that Linux is some kind of unsafe and undesirable platform. I forget if it was on here or somewhere else where somebody had overheard a sales person at I think it might have been a Best Buy (but wherever it was...) tell a customer “This computer is too powerful for Linux.”

There's an old saying, and I know I've mentioned it here on LMF before but I think it bears repeating:

What's the difference between a computer sales person and a used car sales person? One of them knows they are lying to you.

Something which really gets me — and I know this might come off as picking on this thread's OP or hurtling insults, which is not my intention — is folk like this thread's OP see one of these articles and then run in here all concerned and worried their OS is at risk and there's this "big unknown danger", posting threads like this, without even bothering to check the Important Notices section first to see if someone in actual authority vis a vis LM has put up an urgent warning or, in fact, anything at all.

Believe me, if there were something of an imminent serious threat nature to Linux in general, the kernel in general, or Ubuntu's distributed kernel or the various versions of other system components they've chosen to use and distribute, or (hypothetically) something specific to Linux Mint, Clem or one of the other admins would be putting up a HUGE notice about it, probably having it show up in all sections of this board, and just as likely as not by the time it would be made public there'd already be a patch for it which then means Clem & Co. would have already pushed it out to the repos and likely flagged it so when you looked at updates you could see it was urgent.
Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel
RIH
Level 9
Level 9
Posts: 2834
Joined: Sat Aug 22, 2015 3:47 am

Re: Is this serious vulnerability patched for Mint?

Post by RIH »

deepakdeshp wrote: Thu Jan 27, 2022 1:25 pm Best way to check if the vulnerability is patches should be to see that the update mentioned in my link for Ubuntu 20.04 is installed on our systems. According to RIHs post that doesn't seem to be the case. I do not know as yet hoto find this information.
That is not what my post says at all.
Rather it shows that my PC was secured by an update on 26th. January..
Image
User avatar
jimallyn
Level 19
Level 19
Posts: 9075
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: Is this serious vulnerability patched for Mint?

Post by jimallyn »

Portreve wrote: Thu Jan 27, 2022 6:24 pm
There's an old saying, and I know I've mentioned it here on LMF before but I think it bears repeating:

What's the difference between a computer sales person and a used car sales person? One of them knows they are lying to you.
Which one? I suspect it would be both of them know they are lying.
“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
User avatar
all41
Level 19
Level 19
Posts: 9498
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: [Solved] Is this serious vulnerability patched for Mint?

Post by all41 »

This was a fresh vulnerability--discovered well before being introduced in the wild.
Vulnerability does not mean an exploit.
The Linux-wide polkit update well preceeded the public announcement.
Mint users only need the latest update manager offerings.
Hey--vulnerabilities are discovered daily in every os.
I am impressed by the Mint teams response.
Thanks
Everything in life was difficult before it became easy.
deepakdeshp
Level 20
Level 20
Posts: 12334
Joined: Sun Aug 09, 2015 10:00 am

Re: [Solved] Is this serious vulnerability patched for Mint?

Post by deepakdeshp »

all41 wrote: Sat Jan 29, 2022 1:51 am This was a fresh vulnerability--discovered well before being introduced in the wild.
Vulnerability does not mean an exploit.
The Linux-wide polkit update well preceeded the public announcement.
Mint users only need the latest update manager offerings.
Hey--vulnerabilities are discovered daily in every os.
I am impressed by the Mint teams response.
Thanks
The patch would have come down from.Ubuntu I feel and not Mint
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak

Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
User avatar
all41
Level 19
Level 19
Posts: 9498
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: [Solved] Is this serious vulnerability patched for Mint?

Post by all41 »

Did Mint not point you there
Everything in life was difficult before it became easy.
User avatar
Portreve
Level 13
Level 13
Posts: 4882
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!
Contact:

Re: Is this serious vulnerability patched for Mint?

Post by Portreve »

jimallyn wrote: Sat Jan 29, 2022 1:30 am
Portreve wrote: Thu Jan 27, 2022 6:24 pm
There's an old saying, and I know I've mentioned it here on LMF before but I think it bears repeating:

What's the difference between a computer sales person and a used car sales person? One of them knows they are lying to you.
Which one? I suspect it would be both of them know they are lying.
The classical implication, which is the one I was referring to, was that the used car sales person knows they are lying. The computer sales person doesn't really know anything about technology and just says whatever it takes, or they just promote the current sales and marketing spiel.
Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel
User avatar
Portreve
Level 13
Level 13
Posts: 4882
Joined: Mon Apr 18, 2011 12:03 am
Location: Within 20,004 km of YOU!
Contact:

Re: [Solved] Is this serious vulnerability patched for Mint?

Post by Portreve »

all41 wrote: Sat Jan 29, 2022 1:51 am Vulnerability does not mean an exploit.
Exactly. Some vulnerabilities are so hyper-specific that few, if any, computers would be at real risk.

And as always, the biggest exploitable vulnerability an OS has is the one which sits behind the keyboard.
Flying this flag in support of freedom 🇺🇦

Recommended keyboard layout: English (intl., with AltGR dead keys)

Podcasts: Linux Unplugged, Destination Linux

Also check out Thor Hartmannsson's Linux Tips YouTube Channel
Locked

Return to “Chat about Linux Mint”