StarlingX

CVE-2018-19788: polkit: Improper handling of uid

Bug #1849202 reported by Bruce Jones
274
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Critical
Jim Somerville

Bug Description

CVE-2018-19788
status : fixed
cvss2Score : 9
Attack Vector: N
Access Complexity : L
Autentication: S
Availability Impact :C
Affected packages:
['polkit']
A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.
https://nvd.nist.gov/vuln/detail/CVE-2018-19788

CVE References

Bruce Jones (brucej)
tags: added: stx.security
Bruce Jones (brucej)
Changed in starlingx:
importance: Undecided → Critical
tags: added: stx.3.0
Revision history for this message
Ghada Khalil (gkhalil) wrote :

This CVE meets the fix criteria for StarlingX. Therefore, it needs to be fixed in master for stx.3.0 and then cherry-picked to r/stx.2.0.

summary: - Fix CVE-2018-19788
+ CVE-2018-19788: polkit: Improper handling of uid
tags: added: stx.2.0
Ghada Khalil (gkhalil)
Changed in starlingx:
status: New → Triaged
Cindy Xie (xxie1)
Changed in starlingx:
assignee: nobody → Cindy Xie (xxie1)
Revision history for this message
Lin Shuicheng (shuicheng) wrote :

https://access.redhat.com/errata/RHSA-2019:2046
polkit need be upgraded in the rpm lst.

Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: Cindy Xie (xxie1) → Jim Somerville (jsomervi)
Ghada Khalil (gkhalil)
information type: Private Security → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/695740

Changed in starlingx:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/695740
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=647676c202022175a331c29a79dba20ef88e9f74
Submitter: Zuul
Branch: master

commit 647676c202022175a331c29a79dba20ef88e9f74
Author: Jim Somerville <email address hidden>
Date: Thu Nov 21 18:23:21 2019 -0500

    Uprev polkit to version 0.112-22.el7

    This solves:
    polkit: Improper handling of user with uid > INT_MAX leading
    to authentication bypass (CVE-2018-19788)

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006051.html

    for more details.

    Change-Id: I6eb69cd129b2b6d0e115f65b42f997d2b3f69d9a
    Closes-Bug: 1849202
    Signed-off-by: Jim Somerville <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/698553

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (f/centos8)
Download full text (8.7 KiB)

Reviewed: https://review.opendev.org/698553
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=202776a187184e536adce99b3b0f0ce1ce04fdee
Submitter: Zuul
Branch: f/centos8

commit 063e29fe2e12a306be51755e994d8eb10b2d3614
Author: VictorRodriguez <email address hidden>
Date: Wed Nov 27 17:39:51 2019 -0600

    Add feature to check if a CVE has an open launchpad

    This change enables the capability to track if a CVE to be fixed already
    has an open launchpad in starlingx: https://bugs.launchpad.net/starlingx/

    This will help the security team to focus on the CVEs that do not
    have a launchpad already open, reducing the overhead of analysis of CVEs
    already presented to the development team.

    Story:2006971

    Change-Id: I494f0221cb52a4bf7ace20d75e067b17c719d749
    Signed-off-by: VictorRodriguez <email address hidden>

commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab
Author: Robin Lu <email address hidden>
Date: Mon Nov 11 16:47:49 2019 +0800

    Update OVMF rpm, due to CVE bug.

    CVE bug: CVE-2019-0160
    The updated rpm is selected from the below link.
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html

    Tests:
    simplex, duplex, multi-node

    Closes-Bug: 1849205

    Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
    Signed-off-by: Robin Lu <email address hidden>

commit d964e258beb0c75b5a23ec7db1b523f263db7c9f
Author: Jim Somerville <email address hidden>
Date: Mon Nov 25 15:51:29 2019 -0500

    Uprev ntp to version 4.2.6p5-29.el7

    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html

    for more details.

    Change-Id: Ic92fd6af30bf05c6f40cb6a6c60e0bc3811ff22a
    Partial-Bug: 1849197
    Signed-off-by: Jim Somerville <email address hidden>

commit c75164899fb0d242022338d67144c06be7c5b32f
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 16:08:13 2019 +0800

    Update sudo srpm for CVE bug

    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

    CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

    Closes-Bug: 1852825

    Change-Id: Iaafc053fe6e3b58468b5fa7c47dbc0f61a2d3c44
    Signed-off-by: Robin Lu <email address hidden>

commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 16:35:45 2019 -0500

    Uprev ruby and associated gems to subminor ver 36

    All affected packages are moved forward to their -36 version.

    This solves:
    ruby: Unintentional directory traversal by poisoned NULL byte
    in Dir (CVE-2018-8780)
    rubygems: Improper verification of signatures in tarball
    allows to install mis-signed gem (CVE-2018-1000076)

    along with numerous other issues.

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-Augu...

Read more...

tags: added: in-f-centos8
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (r/stx.2.0)

Fix proposed to branch: r/stx.2.0
Review: https://review.opendev.org/698977

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (r/stx.2.0)

Reviewed: https://review.opendev.org/698977
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=f6da3cd048fa331352682660cf4076cf8302c0a2
Submitter: Zuul
Branch: r/stx.2.0

commit f6da3cd048fa331352682660cf4076cf8302c0a2
Author: Jim Somerville <email address hidden>
Date: Thu Nov 21 18:23:21 2019 -0500

    Uprev polkit to version 0.112-22.el7

    This solves:
    polkit: Improper handling of user with uid > INT_MAX leading
    to authentication bypass (CVE-2018-19788)

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006051.html

    for more details.

    Change-Id: I6eb69cd129b2b6d0e115f65b42f997d2b3f69d9a
    Closes-Bug: 1849202
    Signed-off-by: Jim Somerville <email address hidden>
    (cherry picked from commit 647676c202022175a331c29a79dba20ef88e9f74)

Ghada Khalil (gkhalil)
tags: added: in-r-stx20
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.