It was reported that when executing a program via "pkexec --user nonpriv program", the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing privilege escalation.
Original bug report (contains reproducer):
Created polkit tracking bugs for this issue:
Affects: fedora-all [bug 1300747]
I'd like to request a CVE for this issue, thanks.
This issue affects the versions of polkit as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Latest kernel upstream discussion for a kernel side fix: https://patchwork.kernel.org/patch/9753697/