aports issueshttps://gitlab.alpinelinux.org/alpine/aports/-/issues2019-12-23T11:54:33Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10017[3.8] polkit: Temporary auth hijacking via PID reuse and non-atomic fork (CVE...2019-12-23T11:54:33ZAlicha CH[3.8] polkit: Temporary auth hijacking via PID reuse and non-atomic fork (CVE-2019-6133)In PolicyKit (aka polkit) 0.115, the “start time” protection mechanism
can be bypassed because fork() is not atomic, and therefore
authorization
decisions are improperly cached. This is related to lack of uid checking
in polkitbackend/...In PolicyKit (aka polkit) 0.115, the “start time” protection mechanism
can be bypassed because fork() is not atomic, and therefore
authorization
decisions are improperly cached. This is related to lack of uid checking
in polkitbackend/polkitbackendinteractiveauthority.c.
### References:
https://nvd.nist.gov/vuln/detail/CVE-2019-6133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6133
### Patch:
https://gitlab.freedesktop.org/polkit/polkit/commit/c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81
*(from redmine: issue id 10017, created on 2019-02-21)*
* Relations:
* parent #100143.8.5Rasmus Thomsenoss@cogitri.devRasmus Thomsenoss@cogitri.dev