Bug 807712 – CVE-2011-4945 polkit: Members of 'wheel' group allowed to become root without providing a password

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 807712 - (CVE-2011-4945) CVE-2011-4945 polkit: Members of 'wheel' group allowed to become root without providing a password

Summary:	CVE-2011-4945 polkit: Members of 'wheel' group allowed to become root without...

Status:	CLOSED NOTABUG

Aliases:	CVE-2011-4945

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20111209,repo...
Keywords:	Reopened, Security

Depends On:
Blocks:	807730
	Show dependency tree / graph

Reported:	2012-03-28 10:38 EDT by Jan Lieskovsky
Modified:	2015-07-31 02:49 EDT (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2012-03-28 12:54:49 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Jan Lieskovsky 2012-03-28 10:38:36 EDT

Starting from PolicyKit version v0.103 the following upstream change:

http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9

of the default value of AdminIdentities variable of the PolicyKit Local Authority configuration enabled the local users, belonging to the 'wheel' group to be allowed to authenticate, when administrator authentication was needed. A local user, member of the 'wheel' group could use this default policy configuration settings to become privileged user (root) without providing a password. While this change has been applied by the PolicyKit upstream intentionally, some distributions are considering this change to impersonate a security flaw.

References:
[1] https://bugs.gentoo.org/show_bug.cgi?id=401513
[2] http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch
[3] https://launchpad.net/ubuntu/+source/policykit-1/0.103-1

CVE request:
[4] http://www.openwall.com/lists/oss-security/2012/03/28/1

CVE assignment:
[5] http://www.openwall.com/lists/oss-security/2012/03/28/2

Comment 1 Jan Lieskovsky 2012-03-28 10:40:33 EDT

This issue did NOT affect the version of the polkit package, as shipped with Red Hat Enterprise Linux 6.

--

This issue did NOT affect the versions of the polkit package, as shipped with Fedora release of 15 and 16.

Comment 2 Jan Lieskovsky 2012-03-28 10:45:51 EDT

Statement:


Not vulnerable. This issue did not affect the version of polkit as shipped with Red Hat Enterprise Linux 6 as it did not include the upstream commit 763faf434b445c20ae9529100d3ef5290976d0c9 that introduced this issue.

Note You need to log in before you can comment on or make changes to this bug.