117 lines
4.6 KiB
JSON
117 lines
4.6 KiB
JSON
{
|
|
"Definition": [
|
|
{
|
|
"ID": "oval:org.altlinux.errata:def:20221174",
|
|
"Version": "oval:org.altlinux.errata:def:20221174",
|
|
"Class": "patch",
|
|
"Metadata": {
|
|
"Title": "ALT-PU-2022-1174: package `polkit` update to version 0.116-alt2.M90P.4",
|
|
"AffectedList": [
|
|
{
|
|
"Family": "unix",
|
|
"Platforms": [
|
|
"ALT Linux branch c9f2"
|
|
],
|
|
"Products": [
|
|
"ALT SPWorkstation",
|
|
"ALT SPServer"
|
|
]
|
|
}
|
|
],
|
|
"References": [
|
|
{
|
|
"RefID": "ALT-PU-2022-1174",
|
|
"RefURL": "https://errata.altlinux.org/ALT-PU-2022-1174",
|
|
"Source": "ALTPU"
|
|
},
|
|
{
|
|
"RefID": "BDU:2022-00488",
|
|
"RefURL": "https://bdu.fstec.ru/vul/2022-00488",
|
|
"Source": "BDU"
|
|
},
|
|
{
|
|
"RefID": "CVE-2021-4034",
|
|
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-4034",
|
|
"Source": "CVE"
|
|
}
|
|
],
|
|
"Description": "This update upgrades polkit to version 0.116-alt2.M90P.4. \nSecurity Fix(es):\n\n * BDU:2022-00488: Уязвимость библиотеки Polkit и инструмента песочницы Bubblewrap, вызванная переполнением буфера на стеке, позволяющая нарушителю повысить свои привилегии до уровня суперпользователя\n\n * CVE-2021-4034: A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.",
|
|
"Advisory": {
|
|
"From": "errata.altlinux.org",
|
|
"Severity": "High",
|
|
"Rights": "Copyright 2024 BaseALT Ltd.",
|
|
"Issued": {
|
|
"Date": "2022-01-31"
|
|
},
|
|
"Updated": {
|
|
"Date": "2022-01-31"
|
|
},
|
|
"BDUs": [
|
|
{
|
|
"ID": "BDU:2022-00488",
|
|
"CVSS": "AV:L/AC:L/Au:S/C:C/I:C/A:C",
|
|
"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
|
"CWE": "CWE-125, CWE-787",
|
|
"Href": "https://bdu.fstec.ru/vul/2022-00488",
|
|
"Impact": "High",
|
|
"Public": "20220125"
|
|
}
|
|
],
|
|
"CVEs": [
|
|
{
|
|
"ID": "CVE-2021-4034",
|
|
"CVSS": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
|
|
"CVSS3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
|
"CWE": "CWE-125",
|
|
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-4034",
|
|
"Impact": "High",
|
|
"Public": "20220128"
|
|
}
|
|
],
|
|
"AffectedCPEs": {
|
|
"CPEs": [
|
|
"cpe:/o:alt:spworkstation:8.4",
|
|
"cpe:/o:alt:spserver:8.4"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"Criteria": {
|
|
"Operator": "AND",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:4001",
|
|
"Comment": "ALT Linux must be installed"
|
|
}
|
|
],
|
|
"Criterias": [
|
|
{
|
|
"Operator": "OR",
|
|
"Criterions": [
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20221174001",
|
|
"Comment": "libpolkit is earlier than 0:0.116-alt2.M90P.4"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20221174002",
|
|
"Comment": "libpolkit-devel is earlier than 0:0.116-alt2.M90P.4"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20221174003",
|
|
"Comment": "libpolkit-gir is earlier than 0:0.116-alt2.M90P.4"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20221174004",
|
|
"Comment": "libpolkit-gir-devel is earlier than 0:0.116-alt2.M90P.4"
|
|
},
|
|
{
|
|
"TestRef": "oval:org.altlinux.errata:tst:20221174005",
|
|
"Comment": "polkit is earlier than 0:0.116-alt2.M90P.4"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
}
|
|
]
|
|
} |