Accepted policykit-1 0.105-32 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 18 Feb 2022 12:45:14 +0000
Source: policykit-1
Architecture: source
Version: 0.105-32
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 1005784
Changes:
 policykit-1 (0.105-32) unstable; urgency=medium
 .
   * Use upstream patch for CVE-2021-3560.
     This patch was included in 0.119, so move it into the 0.119/ directory
     in the patch series.
   * d/patches: Use upstream's finalized patch for CVE-2021-4034.
     The patch that was provided to distributors under embargo was not the
     final version: it used a different exit status, and made an attempt to
     show help. The version that was actually committed after the embargo
     period ended interprets argc == 0 as an attack rather than a mistake,
     and does not attempt to show the help message.
   * Move some Debian-specific patches into d/p/debian/.
     This makes it more obvious that they are not intended to go upstream.
   * d/control: Split the package.
     pkexec is a setuid program, which makes it a higher security risk than
     the more typical IPC-based uses of polkit. If we separate out pkexec
     into its own package, then only packages that rely on being able to run
     pkexec will have to depend on it, reducing attack surface for users
     who are able to remove the pkexec package.
   * d/control: policykit-1 Provides polkitd-pkla.
     This will give us a migration path to the separate per-backend packages
     currently available in experimental.
   * Add patch from Fedora to fix denial of service via fd exhaustion.
     CVE-2021-4115 (Closes: #1005784)
   * Standards-Version: 4.6.0 (no changes required)
   * Build-depend on dbus-daemon instead of dbus.
     We only need dbus-run-session at build time; we don't need a
     fully-working system bus.
   * Use d/watch format version 4
   * d/rules: Create localauthority configuration with install(1), not
     echo(1). This aligns the packaging a bit more closely with experimental.
   * Always configure the sudo group as root-equivalent.
     This avoids Debian derivatives getting an unexpected change in behaviour
     when they switch from inheriting Debian's policykit-1 package to
     building their own policykit-1 package, perhaps as a result of wanting
     to apply an unrelated patch.
     The sudo group is defined to be root-equivalent in base-passwd, so this
     should be equally true for all Debian derivatives.
     Thanks to Arnaud Rebillout.
   * d/polkitd.links: Create more polkit-agent-helper-1 symlinks.
     This executable has moved several times, and its path gets compiled
     into the libpolkit-agent-1-0 shared library. Making the executable
     available in all the locations it has previously had is helpful when
     swapping between versions during testing.
   * Acknowledge CVE-2021-4034 NMU. Thanks to Salvatore Bonaccorso.
Checksums-Sha1:
 2838ea7dca62c5f62513c95cce41727bac26dc75 3020 policykit-1_0.105-32.dsc
 67fa0f77f91e29ee26b69dec274f6ffd2f9975a0 77748 policykit-1_0.105-32.debian.tar.xz
 c458148335c8a50b939784f5354e2ab50d5ccb50 8459 policykit-1_0.105-32_source.buildinfo
Checksums-Sha256:
 a097db01604f8bc15b6a0b2f1111e4f0ce00cdb07c7f63a945496aff8119def5 3020 policykit-1_0.105-32.dsc
 6774db88170fbf350aadd73a8bad2bdf29821f4cf70311e00cbf1cb27be9b8e6 77748 policykit-1_0.105-32.debian.tar.xz
 b56cb1c9cf41f4ccff438263aace0a7fee1dbe6c539dbe70e5424007f9c6eb59 8459 policykit-1_0.105-32_source.buildinfo
Files:
 c3e29a899406a90e97f5ae4051517955 3020 admin optional policykit-1_0.105-32.dsc
 02cd76f9e100921f2b5488f8c9888adb 77748 admin optional policykit-1_0.105-32.debian.tar.xz
 44b07a68db800db0beb8f1aca1848e51 8459 admin optional policykit-1_0.105-32_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----