Bug 2375485

Summary: CVE-2025-53391 zulucrypt: ZuluCrypt PolicyKit Privilege Escalation [fedora-41]
Product: [Fedora] Fedora Reporter: Avinash Hanwate <ahanwate>
Component: zulucryptAssignee: Ian McInerney <ian.s.mcinerney>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 41CC: ian.s.mcinerney, mail, projects.rg
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["85f283bf-66b3-4855-b041-63fc3f890b0d"]}
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-06-30 08:18:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2375381    

Description Avinash Hanwate 2025-06-30 03:03:52 UTC 
More information about this security flaw is available in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2375381

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Comment 1 Ian McInerney 2025-06-30 08:18:04 UTC 
This doesn't affect any Fedora builds of this package. The CVE is specific to the Debian packaging, because they are patching the polkit policy being generated to replace the auth_admin with auth_self in their own packaging https://salsa.debian.org/debian/zulucrypt/-/blob/9d661c9f384c4d889d3387944e14ac70cfb9684b/debian/patches/fix_zulupolkit_policy.patch. Fedora does not do that, so we keep the auth_admin policy.