Starting from PolicyKit version v0.103 the following upstream change: http://cgit.freedesktop.org/PolicyKit/commit/?id=763faf434b445c20ae9529100d3ef5290976d0c9 of the default value of AdminIdentities variable of the PolicyKit Local Authority configuration enabled the local users, belonging to the 'wheel' group to be allowed to authenticate, when administrator authentication was needed. A local user, member of the 'wheel' group could use this default policy configuration settings to become privileged user (root) without providing a password. While this change has been applied by the PolicyKit upstream intentionally, some distributions are considering this change to impersonate a security flaw. References: [1] https://bugs.gentoo.org/show_bug.cgi?id=401513 [2] http://patch-tracker.debian.org/patch/series/view/policykit-1/0.104-2/05_revert-admin-identities-unix-group-wheel.patch [3] https://launchpad.net/ubuntu/+source/policykit-1/0.103-1 CVE request: [4] http://www.openwall.com/lists/oss-security/2012/03/28/1 CVE assignment: [5] http://www.openwall.com/lists/oss-security/2012/03/28/2
This issue did NOT affect the version of the polkit package, as shipped with Red Hat Enterprise Linux 6. -- This issue did NOT affect the versions of the polkit package, as shipped with Fedora release of 15 and 16.
Statement: Not vulnerable. This issue did not affect the version of polkit as shipped with Red Hat Enterprise Linux 6 as it did not include the upstream commit 763faf434b445c20ae9529100d3ef5290976d0c9 that introduced this issue.