Upstream has decided not to fix this vulnerability [1]. Apparently they're using a Linux kernel patch that makes TIOCSTI require CAP_SYS_ADMIN [2], making this vulnerability impossible to exploit, but the Debian kernel sources don't seem to contain such a capability check, so polkit on Debian is still vulnerable.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1300746 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1299955#c1
