policykit-1 0.105-32 source package in Ubuntu
Changelog
policykit-1 (0.105-32) unstable; urgency=medium * Use upstream patch for CVE-2021-3560. This patch was included in 0.119, so move it into the 0.119/ directory in the patch series. * d/patches: Use upstream's finalized patch for CVE-2021-4034. The patch that was provided to distributors under embargo was not the final version: it used a different exit status, and made an attempt to show help. The version that was actually committed after the embargo period ended interprets argc == 0 as an attack rather than a mistake, and does not attempt to show the help message. * Move some Debian-specific patches into d/p/debian/. This makes it more obvious that they are not intended to go upstream. * d/control: Split the package. pkexec is a setuid program, which makes it a higher security risk than the more typical IPC-based uses of polkit. If we separate out pkexec into its own package, then only packages that rely on being able to run pkexec will have to depend on it, reducing attack surface for users who are able to remove the pkexec package. * d/control: policykit-1 Provides polkitd-pkla. This will give us a migration path to the separate per-backend packages currently available in experimental. * Add patch from Fedora to fix denial of service via fd exhaustion. CVE-2021-4115 (Closes: #1005784) * Standards-Version: 4.6.0 (no changes required) * Build-depend on dbus-daemon instead of dbus. We only need dbus-run-session at build time; we don't need a fully-working system bus. * Use d/watch format version 4 * d/rules: Create localauthority configuration with install(1), not echo(1). This aligns the packaging a bit more closely with experimental. * Always configure the sudo group as root-equivalent. This avoids Debian derivatives getting an unexpected change in behaviour when they switch from inheriting Debian's policykit-1 package to building their own policykit-1 package, perhaps as a result of wanting to apply an unrelated patch. The sudo group is defined to be root-equivalent in base-passwd, so this should be equally true for all Debian derivatives. Thanks to Arnaud Rebillout. * d/polkitd.links: Create more polkit-agent-helper-1 symlinks. This executable has moved several times, and its path gets compiled into the libpolkit-agent-1-0 shared library. Making the executable available in all the locations it has previously had is helpful when swapping between versions during testing. * Acknowledge CVE-2021-4034 NMU. Thanks to Salvatore Bonaccorso. -- Simon McVittie <email address hidden> Fri, 18 Feb 2022 12:45:14 +0000
Upload details
- Uploaded by:
- Utopia Maintenance Team
- Uploaded to:
- Sid
- Original maintainer:
- Utopia Maintenance Team
- Architectures:
- any all
- Section:
- admin
- Urgency:
- Medium Urgency
See full publishing history Publishing
Series | Published | Component | Section |
---|
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
policykit-1_0.105-32.dsc | 2.9 KiB | a097db01604f8bc15b6a0b2f1111e4f0ce00cdb07c7f63a945496aff8119def5 |
policykit-1_0.105.orig.tar.gz | 1.4 MiB | 8fdc7cc8ba4750fcce1a4db9daa759c12afebc7901237e1c993c38f08985e1df |
policykit-1_0.105-32.debian.tar.xz | 75.9 KiB | 6774db88170fbf350aadd73a8bad2bdf29821f4cf70311e00cbf1cb27be9b8e6 |
Available diffs
- diff from 0.105-31.1 to 0.105-32 (9.0 KiB)
No changes file available.
Binary packages built by this source
- gir1.2-polkit-1.0: GObject introspection data for PolicyKit
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
.
This package contains introspection data for PolicyKit.
.
It can be used by packages using the GIRepository format to generate
dynamic bindings.
- libpolkit-agent-1-0: PolicyKit Authentication Agent API
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
.
This package contains a library for accessing the authentication agent.
- libpolkit-agent-1-0-dbgsym: debug symbols for libpolkit-agent-1-0
- libpolkit-agent-1-dev: PolicyKit Authentication Agent API - development files
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
.
This package contains the development files for the library found in
libpolkit-agent-1- 0.
- libpolkit-gobject-1-0: PolicyKit Authorization API
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
.
This package contains a library for accessing PolicyKit.
- libpolkit-gobject-1-0-dbgsym: debug symbols for libpolkit-gobject-1-0
- libpolkit-gobject-1-dev: PolicyKit Authorization API - development files
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
.
This package contains the development files for the library found in
libpolkit-gobject- 1-0.
- pkexec: run commands as another user with polkit authorization
polkit is an application-level toolkit for defining and handling the policy
that allows unprivileged processes to speak to privileged processes.
It was previously named PolicyKit.
.
pkexec is a setuid program to allow certain users to run commands as
root or as a different user, similar to sudo. Unlike sudo, it carries
out authentication and authorization by sending a request to polkit,
so it uses desktop environments' familiar prompting mechanisms for
authentication and uses polkit policies for authorization decisions.
.
By default, members of the 'sudo' Unix group can use pkexec to run any
command after authenticating. The authorization rules can be changed by
the local system administrator.
.
If this functionality is not required, removing the pkexec package will
reduce security risk by removing a setuid program.
- pkexec-dbgsym: debug symbols for pkexec
- policykit-1: transitional package for polkitd and pkexec
polkit is an application-level toolkit for defining and handling the policy
that allows unprivileged processes to speak to privileged processes.
It was previously named PolicyKit.
.
This transitional package depends on polkitd, the system service used by
polkit, and pkexec, a setuid program analogous to sudo. They were
historically packaged together, but have been separated so that users of
polkitd are not required to install pkexec.
- policykit-1-doc: documentation for PolicyKit-1
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
.
This package contains the API documentation of PolicyKit.
- polkitd: framework for managing administrative policies and privileges
PolicyKit is an application-level toolkit for defining and handling the policy
that allows unprivileged processes to speak to privileged processes.
.
It is a framework for centralizing the decision making process with respect to
granting access to privileged operations for unprivileged (desktop)
applications.
.
In a typical use of polkit, an unprivileged application such as gnome-disks
sends requests via D-Bus or other inter-process communication mechanisms
to a privileged system service such as udisks, which asks polkitd for
permission to process those requests. This allows the application to carry
out privileged tasks without making use of setuid, which avoids several
common sources of security vulnerabilities.
.
This package provides the polkitd D-Bus service and supporting programs.
The pkexec program is not included, and can be found in the pkexec package.
- polkitd-dbgsym: debug symbols for polkitd