• Bug#1109334: policykit-1: CVE-2025-7519

    From Moritz Mühlenhoff@21:1/5 to All on Tue Jul 15 14:40:01 2025
    Package: policykit-1
    X-Debbugs-CC: [email protected]
    Severity: normal
    Tags: security

    Hi,

    The following vulnerability was published for policykit-1.

    CVE-2025-7519[0]:
    | A flaw was found in polkit. When processing an XML policy with 32 or
    | more nested elements in depth, an out-of-bounds write can be
    | triggered. This issue can lead to a crash or other unexpected
    | behavior, and arbitrary code execution is not discarded. To exploit
    | this flaw, a high-privilege account is needed as it's required to
    | place the malicious policy file properly.

    Labelling this a security issue seems to be a bit of a stretch...

    https://bugzilla.redhat.com/show_bug.cgi?id=2379675
    Fixed by: https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-7519
    https://www.cve.org/CVERecord?id=CVE-2025-7519

    Please adjust the affected versions in the BTS as needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
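The description above names the mechanism only in one sentence: a parser that tracks element nesting in a fixed-size structure and writes past it once the input nests deeper than the structure allows. The following C is an illustration added here, not polkit's code and not the fix linked above. It scans a toy XML document, records open elements on a fixed-size stack, and shows the capacity check that turns the would-be out-of-bounds write into a parse error. The limit of 32 slots, the enum names, the element names and the sample documents are all constructed for this example; polkit's real data structures are not shown on the page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the element stack; polkit's real limit is not shown on the page. */
#define MAX_DEPTH 32

/* Outcome codes for the toy scanner (constructed for this example). */
enum parse_result {
    PARSE_OK        = 0,
    PARSE_TOO_DEEP  = 1,  /* nesting exceeded MAX_DEPTH; rejected instead of written out of bounds */
    PARSE_MISMATCH  = 2,  /* closing tag does not match the innermost open element */
    PARSE_UNCLOSED  = 3,  /* input ended with elements still open */
    PARSE_MALFORMED = 4   /* '<' without a matching '>' */
};

/* One slot per currently open element; the fixed size is what makes the check below necessary. */
struct element_stack {
    const char *names[MAX_DEPTH];
    size_t      lens[MAX_DEPTH];
    int         depth;            /* number of open elements, also the next free slot */
};

/*
 * The capacity check is the whole point. If it were missing, opening a
 * (MAX_DEPTH + 1)-th element would store into names[MAX_DEPTH], one past the
 * end of the array: the class of out-of-bounds write the report describes.
 */
static int push_element(struct element_stack *s, const char *name, size_t len)
{
    if (s->depth >= MAX_DEPTH)
        return -1;
    s->names[s->depth] = name;
    s->lens[s->depth]  = len;
    s->depth++;
    return 0;
}

/*
 * Minimal tag scanner: recognises <name> and </name> only (no attributes,
 * comments or character data), which is enough to exercise depth tracking.
 * If max_seen is non-NULL it receives the deepest nesting reached.
 */
int check_nesting(const char *xml, int *max_seen)
{
    struct element_stack s = { .depth = 0 };
    int rc = PARSE_OK, deepest = 0;
    const char *p = xml;

    while ((p = strchr(p, '<')) != NULL) {
        const char *end = strchr(p, '>');
        if (end == NULL) { rc = PARSE_MALFORMED; break; }

        if (p[1] == '/') {                       /* closing tag */
            const char *name = p + 2;
            size_t len = (size_t)(end - name);
            if (s.depth == 0 ||
                s.lens[s.depth - 1] != len ||
                memcmp(s.names[s.depth - 1], name, len) != 0) {
                rc = PARSE_MISMATCH;
                break;
            }
            s.depth--;
        } else {                                 /* opening tag */
            if (push_element(&s, p + 1, (size_t)(end - (p + 1))) < 0) {
                rc = PARSE_TOO_DEEP;
                break;
            }
            if (s.depth > deepest)
                deepest = s.depth;
        }
        p = end + 1;
    }
    if (rc == PARSE_OK && s.depth != 0)
        rc = PARSE_UNCLOSED;
    if (max_seen)
        *max_seen = deepest;
    return rc;
}

/* Deepest nesting of a well-formed document, or -1 if it does not parse cleanly. */
int deepest_nesting(const char *xml)
{
    int d = 0;
    return check_nesting(xml, &d) == PARSE_OK ? d : -1;
}

/* Builds a constructed document of n nested <e> elements and scans it. */
int nested_depth_result(int n)
{
    static char buf[8 * 128 + 1];
    size_t pos = 0;
    int i;

    if (n < 0 || n > 128)
        return -1;
    for (i = 0; i < n; i++) { memcpy(buf + pos, "<e>", 3);  pos += 3; }
    for (i = 0; i < n; i++) { memcpy(buf + pos, "</e>", 4); pos += 4; }
    buf[pos] = '\0';
    return check_nesting(buf, NULL);
}

int main(void)
{
    printf("%d nested elements -> %d (0 = ok)\n", MAX_DEPTH, nested_depth_result(MAX_DEPTH));
    printf("%d nested elements -> %d (1 = too deep)\n", MAX_DEPTH + 1, nested_depth_result(MAX_DEPTH + 1));
    printf("mismatched tags -> %d (2 = mismatch)\n", check_nesting("<a><b></a></b>", NULL));
    return 0;
}
```

The only line separating this from the buggy pattern is the `depth >= MAX_DEPTH` test in `push_element`; with it, a document nested one level too deep is reported as `PARSE_TOO_DEEP`, without it the same input would write past the arrays. A unit test over a deliberately over-nested document, as `nested_depth_result` does, is the cheap regression check for any parser that keeps its nesting state in a fixed-size buffer.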
  • From Simon McVittie@21:1/5 to All on Tue Jul 15 16:30:01 2025
    On Tue, 15 Jul 2025 at 14:29:13 +0200, Moritz Mühlenhoff wrote:
    > The following vulnerability was published for policykit-1.
    >
    > CVE-2025-7519[0]:
    > | When processing an XML policy with 32 or
    > | more nested elements in depth
    > [...]
    > |
    > | To exploit
    > | this flaw, a high-privilege account is needed

    Honestly, I don't think this is a security vulnerability and I think the
    CVE should have been rejected. I think it's just a bug.

    If an attacker can install XML policy files for polkit, then the
    defender has already lost, because write access to /usr provides
    arbitrary root code execution; the attacker is already on the protected
    side of the airtight hatchway[1].

    The clue is in the name: "policy" is exactly the thing that a sysadmin
    or distro integrator, with unlimited privileges, uses to control what
    privileges are given to users and system processes.

    smcv

    [1] https://devblogs.microsoft.com/oldnewthing/20240102-00/?p=109217
  • From Moritz Mühlenhoff@21:1/5 to Simon McVittie on Wed Jul 16 20:40:01 2025
    On Tue, Jul 15, 2025 at 02:49:55PM +0100, Simon McVittie wrote:
    > On Tue, 15 Jul 2025 at 14:29:13 +0200, Moritz Mühlenhoff wrote:
    > > The following vulnerability was published for policykit-1.
    > >
    > > CVE-2025-7519[0]:
    > > | When processing an XML policy with 32 or
    > > | more nested elements in depth
    > > [...]
    > > |
    > > | To exploit
    > > | this flaw, a high-privilege account is needed
    >
    > Honestly, I don't think this is a security vulnerability and I think the
    > CVE should have been rejected. I think it's just a bug.

    Hence my "Labelling this a security issue seems to be a bit of a stretch..."
    in the report. Since you concur, I've marked it as a non-issue in the
    Security Tracker. For unstable we can simply close the bug when it reaches
    sid after the next rebase post trixie release.

    Cheers,
    Moritz