On 12/6/18 2:20 PM, Shawn Wells wrote:
On 12/6/18 2:18 PM, Shawn Wells wrote:
>
>
>
> On 12/6/18 2:13 PM, Trevor Vaughan wrote:
>> On a related note to pkexec, anyone know how to mitigate this?
>>
>>
https://thehackernews.com/2018/12/linux-user-privilege-policykit.html
>>
>
https://access.redhat.com/security/cve/cve-2018-19788
>
> "Do not allow negative UIDs or UIDs greater than 2147483646."
>
> ....... which is weird, since patches were upstream:
> -
>
https://gitlab.freedesktop.org/zbyszek/polkit/commit/fbaab32cb4ed9ed5f1e3...
> -
>
https://gitlab.freedesktop.org/zbyszek/polkit/commit/7c8c3abdedbb991a69bc...
>
> I'll ask around on the RHEL product security team to see what's up.
If anyone wants to follow along:
https://bugzilla.redhat.com/show_bug.cgi?id=1655925
update: RHEL7 patch currently going through QA and should be released
shortly.