Bug 807712 (CVE-2011-4945)

Summary: CVE-2011-4945 polkit: Members of 'wheel' group allowed to become root without providing a password
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: davidz
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 16:54:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 807730    

Description Jan Lieskovsky 2012-03-28 14:38:36 UTC 
Starting from PolicyKit version v0.103 the following upstream change:

http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9

of the default value of AdminIdentities variable of the PolicyKit Local Authority configuration enabled the local users, belonging to the 'wheel' group to be allowed to authenticate, when administrator authentication was needed. A local user, member of the 'wheel' group could use this default policy configuration settings to become privileged user (root) without providing a password. While this change has been applied by the PolicyKit upstream intentionally, some distributions are considering this change to impersonate a security flaw.

References:
[1] https://bugs.gentoo.org/show_bug.cgi?id=401513
[2] http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
[3] https://launchpad.net/ubuntu/+source/policykit-1/0.103-1

CVE request:
[4] http://www.openwall.com/lists/oss-security/2012/03/28/1

CVE assignment:
[5] http://www.openwall.com/lists/oss-security/2012/03/28/2
Comment 1 Jan Lieskovsky 2012-03-28 14:40:33 UTC 
This issue did NOT affect the version of the polkit package, as shipped with Red Hat Enterprise Linux 6.

--

This issue did NOT affect the versions of the polkit package, as shipped with Fedora release of 15 and 16.
Comment 2 Jan Lieskovsky 2012-03-28 14:45:51 UTC 
Statement:


Not vulnerable. This issue did not affect the version of polkit as shipped with Red Hat Enterprise Linux 6 as it did not include the upstream commit 763faf434b445c20ae9529100d3ef5290976d0c9 that introduced this issue.