Bug 2375381 (CVE-2025-53391)

Summary: CVE-2025-53391 zulucrypt: ZuluCrypt PolicyKit Privilege Escalation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in zulucrypt. Insecure PolicyKit settings defined in the CMakeLists.txt file permit a local user to elevate their privileges to root. This insecure configuration bypasses authorization checks, allowing unauthorized actions. The vulnerability is triggered by the PolicyKit authorization process itself and requires no external input. Consequently, a local attacker can gain root access without authentication.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2375485, 2375486
Bug Blocks:

Description OSIDB Bzimport 2025-06-28 22:01:07 UTC
The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root.
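To make the misconfiguration concrete for anyone reviewing packaged PolicyKit actions, the following is an added example of a polkit `.policy` file; it is not taken from the zuluCrypt project or from the Debian package, and the action ids, vendor and description strings are placeholders. It assumes that the insecure settings referred to above are implicit-authorization defaults of `yes`, which tell polkit to grant the action to any local user with no authentication at all; the second action shows the defaults a privileged helper would normally ship with, requiring administrator authentication for the active session and denying inactive and remote sessions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <!-- Placeholder vendor; not the real zuluCrypt metadata. -->
  <vendor>Example Vendor (placeholder)</vendor>

  <!-- WEAK: every session kind is implicitly authorized ("yes").
       Any local user who can reach this action gets it as root,
       which is the class of misconfiguration this bug describes. -->
  <action id="org.example.placeholder.mount-weak">
    <description>Placeholder: run a privileged helper</description>
    <message>Placeholder: authentication is required</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

  <!-- CORRECTED: remote/unknown sessions are denied, inactive
       (background) sessions are denied, and the active console
       user must authenticate as an administrator every time.
       auth_self would be the alternative when the user's own
       password is a sufficient check for the action. -->
  <action id="org.example.placeholder.mount-hardened">
    <description>Placeholder: run a privileged helper</description>
    <message>Placeholder: authentication is required</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
</policyconfig>
```

On an installed system the effective defaults for an action can be read back with `pkaction --action-id <id> --verbose`, and a quick audit of `/usr/share/polkit-1/actions/` for `<allow_active>yes</allow_active>` (and the `allow_any`/`allow_inactive` equivalents) surfaces every action that is granted without any authentication, which is the check worth running when triaging this bug on a given host.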