Hi,

Thanks for the heads-up, adding the security tag and including the security team alias.
On Wed, Jan 22, 2025 at 09:26:12PM +0000, Mark Esler wrote:
> Hello o/
>
> I have not been able to reproduce this issue on a non-Debian based
> distro. So far, we do not have evidence that upstream is affected.
>
> I left some testing comments upstream:
> https://github.com/polkit-org/polkit/issues/545
>
> This issue affects Ubuntu 24.04+ Desktop and Server. Ubuntu 22.04 is
> unaffected, which uses policykit-1 version 0.105-33.
>
> My personal laptop runs 24.04 server without policykit-1 (or gdm) and I
> am not affected.
>
> If this is verified as a Debian introduced vulnerability, I can assign a
> CVE.

My understanding from what followed later on the upstream issue is that Michael is able to reproduce it as well on non-Debian distros. And there seems to be confirmation as well that it's a known issue upstream.

Regards,
Salvatore