Security update for polkit SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1914-1 Final 1 1 2019-08-15T09:48:52Z current 2019-08-15T09:48:52Z 2019-08-15T09:48:52Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for polkit This update for polkit fixes the following issues: Security issue fixed: - CVE-2019-6133: Fixed improper caching of auth decisions, which could bypass uid checking in the interactive backend (bsc#1121826). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-1914 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WACL7CXBMNAPN66ZQLNZWBJ426BKAHKC/#WACL7CXBMNAPN66ZQLNZWBJ426BKAHKC E-Mail link for openSUSE-SU-2019:1914-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1121826 SUSE Bug 1121826 https://www.suse.com/security/cve/CVE-2019-6133/ SUSE CVE CVE-2019-6133 page openSUSE Leap 15.0 openSUSE Leap 15.1 libpolkit0-0.114-lp151.5.3.1 libpolkit0-32bit-0.114-lp151.5.3.1 polkit-0.114-lp151.5.3.1 polkit-devel-0.114-lp151.5.3.1 polkit-doc-0.114-lp151.5.3.1 typelib-1_0-Polkit-1_0-0.114-lp151.5.3.1 libpolkit0-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.0 libpolkit0-32bit-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.0 polkit-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.0 polkit-devel-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.0 polkit-doc-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.0 typelib-1_0-Polkit-1_0-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.0 libpolkit0-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.1 libpolkit0-32bit-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.1 polkit-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.1 polkit-devel-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.1 polkit-doc-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.1 typelib-1_0-Polkit-1_0-0.114-lp151.5.3.1 as a component of openSUSE Leap 15.1 In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c. CVE-2019-6133 openSUSE Leap 15.0:libpolkit0-0.114-lp151.5.3.1 openSUSE Leap 15.0:libpolkit0-32bit-0.114-lp151.5.3.1 openSUSE Leap 15.0:polkit-0.114-lp151.5.3.1 openSUSE Leap 15.0:polkit-devel-0.114-lp151.5.3.1 openSUSE Leap 15.0:polkit-doc-0.114-lp151.5.3.1 openSUSE Leap 15.0:typelib-1_0-Polkit-1_0-0.114-lp151.5.3.1 openSUSE Leap 15.1:libpolkit0-0.114-lp151.5.3.1 openSUSE Leap 15.1:libpolkit0-32bit-0.114-lp151.5.3.1 openSUSE Leap 15.1:polkit-0.114-lp151.5.3.1 openSUSE Leap 15.1:polkit-devel-0.114-lp151.5.3.1 openSUSE Leap 15.1:polkit-doc-0.114-lp151.5.3.1 openSUSE Leap 15.1:typelib-1_0-Polkit-1_0-0.114-lp151.5.3.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WACL7CXBMNAPN66ZQLNZWBJ426BKAHKC/#WACL7CXBMNAPN66ZQLNZWBJ426BKAHKC https://www.suse.com/security/cve/CVE-2019-6133.html CVE-2019-6133 https://bugzilla.suse.com/1070943 SUSE Bug 1070943 https://bugzilla.suse.com/1121826 SUSE Bug 1121826 https://bugzilla.suse.com/1121872 SUSE Bug 1121872