From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id 2FWCIraTwmAU0gAAgWs5BA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 11 Jun 2021 00:35:34 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id MLipHbaTwmCRCgAAbx9fmQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Thu, 10 Jun 2021 22:35:34 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id BE871AC7A
	for <larch@yhetil.org>; Fri, 11 Jun 2021 00:35:33 +0200 (CEST)
Received: from localhost ([::1]:35004 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1lrTGu-0005e3-Gf
	for larch@yhetil.org; Thu, 10 Jun 2021 18:35:32 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:48020)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jbranso@dismail.de>)
 id 1lrTGb-0005dq-JX; Thu, 10 Jun 2021 18:35:13 -0400
Received: from mx1.dismail.de ([78.46.223.134]:22690)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jbranso@dismail.de>)
 id 1lrTGZ-0006YH-0S; Thu, 10 Jun 2021 18:35:13 -0400
Received: from mx1.dismail.de (localhost [127.0.0.1])
 by mx1.dismail.de (OpenSMTPD) with ESMTP id 7abb6300;
 Fri, 11 Jun 2021 00:35:03 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=dismail.de; h=
 mime-version:date:content-type:from:message-id:subject:to; s=
 20190914; bh=FPxn2Wwli7Hhyisb4dmaIE9RUiaiLnQ8MrAL6uEKz4g=; b=LOK
 svSeUwoEmH1Up694sCqJEH3SoxwoAvjSbpsKKnXa6CHKWT6aiTFi+y20IHocnOCZ
 m9/gonvAmcRVC0VIljZkLfcxIXLWqzS2M3jQyj0rndHsjs6Z7rC2haIcqnkL5Opf
 VWoO6PeGPqI67YIEOWgqbx/XImWdFnqBkDKIWsqkEt/EGkHW40hNsIXVAwJEjeNL
 xBIwzHPViILlK54+vcbaVZjNtvYIqyIc+i7K4tOonwTZB8rjMgatShbOV38j2pFs
 ySzvgdXxX0FJMgAQoDYpIFcS2CnxUDhy0DCwcDNQpEbC46RDZYsZjMAgukUCv4sj
 HJTrRyrWCpBI2PX/RZQ==
Received: from smtp2.dismail.de (<unknown> [10.240.26.12])
 by mx1.dismail.de (OpenSMTPD) with ESMTP id 5c1ee69c;
 Fri, 11 Jun 2021 00:35:03 +0200 (CEST)
Received: from smtp2.dismail.de (localhost [127.0.0.1])
 by smtp2.dismail.de (OpenSMTPD) with ESMTP id d067858e;
 Fri, 11 Jun 2021 00:35:03 +0200 (CEST)
Received: by dismail.de (OpenSMTPD) with ESMTPSA id e5088877
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO); 
 Fri, 11 Jun 2021 00:35:02 +0200 (CEST)
MIME-Version: 1.0
Date: Thu, 10 Jun 2021 22:35:02 +0000
Content-Type: multipart/alternative;
 boundary="--=_RainLoop_896_307531294.1623364502"
X-Mailer: RainLoop/1.14.0a
From: jbranso@dismail.de
Message-ID: <fec72ae9477f1606cbec32d8cf532044@dismail.de>
Subject: Is Guix vulnerable to this polkit CVE?
To: guix-devel@gnu.org, guix-security@gnu.org
Received-SPF: pass client-ip=78.46.223.134; envelope-from=jbranso@dismail.de;
 helo=mx1.dismail.de
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
 RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1623364534;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=FPxn2Wwli7Hhyisb4dmaIE9RUiaiLnQ8MrAL6uEKz4g=;
	b=t6xeU67cLeh5ykxhHmn6m6Q6VEb2mFPJto4/JxCrhLK8awJ9SbaxCFaAHoaE8ZAQlK3OaX
	pEVvhIEHUrMBSx513u7EZ8WD8OHN/D+/XgRJ/xKqR2mHoV3uvrQnC+ZNvEvw9lgzJcmCxj
	4tGAQ0IKJsUt+7MqdXA5UzF+RVyCRkIBtTA71ZaUZe/DrOK+Fqdb7v/vtOAK5YI/gO4V1v
	/19nZc7Hrw7yPsiE7xx3uoxmCXfO9nwSvCmD/wTY906mNTyj7kGiD6yaFkgT4NPJsMald+
	JrCfxApynOoDqpwowfZQATPXloKxmvM++fmeHEbG3MmrasqatDD3tAQ+ZDN6Lw==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1623364534; a=rsa-sha256; cv=none;
	b=MffmmUu+aqpa7UyfybT3dtxze6aNrC6kvQWJjymW1hApm5PVi+yqBxtEo7jNlYk32otnuA
	GtUNCvel8aP/0jVcoyOcloyybcEdWXHh1qKK9kBcdUviRCYyed6B3LXSDKTvpxHSfOmt7Y
	87pySkRfwCCDm/pGkIFho++LRFk4smsU3F2Wu/rnlwlFE9Sb+QpDwQAKoxY+RN4PDD3Pw9
	KV/psRn9ACD/tNf6DBWd+z+9wwCsHj8fjXGfSzp1OrSyA0xUr4m93V5FbHrV/6XFFD4YRU
	pgaN5e8/wthabAS/JNGDExfrs8K6swzMBohEFI8hHf58u7n+bIhLBe3WyKGOLA==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=dismail.de header.s=20190914 header.b="LOK svSe";
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Spam-Score: -2.13
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=dismail.de header.s=20190914 header.b="LOK svSe";
	dmarc=pass (policy=reject) header.from=dismail.de;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Queue-Id: BE871AC7A
X-Spam-Score: -2.13
X-Migadu-Scanner: scn0.migadu.com
X-TUID: if4yV7Nik2bw


----=_RainLoop_896_307531294.1623364502
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

I just found this article on polkit having a CVE:=0A=0Ahttps://github.blo=
g/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/ (https:/=
/github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bu=
g/)=0AIt looks pretty nasty...=0A=0A" The vulnerability enables an unpriv=
ileged local user to get a root shell on the system. It=E2=80=99s easy to=
 exploit with a few standard command line tools, as you can see in this s=
hort video (https://youtu.be/QZhz64yEd0g). In this blog post, I=E2=80=99l=
l explain how the exploit works and show you where the bug was in the sou=
rce code. "=0AIn the hacker news comments it is fixed in:=0Ahttps://news.=
ycombinator.com/item?id=3D27462247 (https://news.ycombinator.com/item?id=
=3D27462247)=0A=0APolkit version 0.119 fixes it, here's the diff: https:/=
/gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13... (https://gitlab.=
freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e=
3b9b81)=0AYou all awesome devs have probably already fixed it, but I am j=
ust emailing to make sure.=0A=0AThanks!=0A=0AJoshua=0A=0A"Aim for stars..=
.because even if you'll fall at least you'll fall on Uranus."

----=_RainLoop_896_307531294.1623364502
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html><html><head><meta http-equiv=3D"Content-Type" content=3D"t=
ext/html; charset=3Dutf-8" /></head><body><div data-html-editor-font-wrap=
per=3D"true" style=3D"font-family: arial, sans-serif; font-size: 13px;"> =
<br>I just found this article on polkit having a CVE:<br><br><a href=3D"h=
ttps://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-w=
ith-bug/">https://github.blog/2021-06-10-privilege-escalation-polkit-root=
-on-linux-with-bug/</a><br><br><br>It looks pretty nasty...<br><br>" The =
vulnerability enables an unprivileged local user to get a root shell on t=
he system. It=E2=80=99s easy to exploit with a few standard command line =
tools, as you can see in this <a rel=3D"noopener" target=3D"_blank" href=
=3D"https://youtu.be/QZhz64yEd0g">short video</a>. In this blog post, I=
=E2=80=99ll explain how the exploit works and show you where the bug was =
in the source code. "<br><br><br>In the hacker news comments it is fixed =
in:<br><a href=3D"https://news.ycombinator.com/item?id=3D27462247">https:=
//news.ycombinator.com/item?id=3D27462247</a><br><br><span class=3D"commt=
ext c00">Polkit version 0.119 fixes it, here's the diff: <a rel=3D"nofoll=
ow" href=3D"https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a=
ffe0fa53ff618e07aa8f57f4c0e3b9b81">https://gitlab.freedesktop.org/polkit/=
polkit/-/commit/a04d13...</a><br><br><br>You all awesome devs have probab=
ly already fixed it, but I am just emailing to make sure.<br><br>Thanks!<=
br><br>Joshua<br><br>"Aim for stars...because even if you'll fall at leas=
t you'll fall on Uranus."</span><br><signature></signature> </div></body>=
</html>

----=_RainLoop_896_307531294.1623364502--