Vulnerability in Polkit that allows privilege escalation on the system

A vulnerability (CVE-2021-3560) has been identified in the Polkit component, which distributions use to let unprivileged users perform actions that require elevated access rights (for example, mounting a USB drive). It allows a local user to gain root privileges on the system. The vulnerability is fixed in Polkit version 0.119.

The problem has been present since release 0.113, but many distributions, including RHEL, Ubuntu, Debian, and SUSE, backported the affected functionality into packages based on older Polkit releases (package fixes are already available in the distributions).

The problem manifests itself in the polkit_system_bus_name_get_creds_sync() function, which obtains the identifiers (uid and pid) of the process requesting privilege elevation. Polkit identifies a process by the unique name assigned to it in DBus, which is used to verify privileges. If the process disconnects from dbus-daemon just before the polkit_system_bus_name_get_creds_sync handler starts, the handler receives an error code instead of a unique name.

The vulnerability is caused by the returned error code not being handled correctly: polkit_system_bus_name_get_creds_sync() returns TRUE instead of FALSE, even though it was unable to match the process to a uid/pid and verify the privileges requested for the process. The code that called polkit_system_bus_name_get_creds_sync() assumes that the check succeeded and that the privilege elevation request came from root rather than from an unprivileged user, which makes it possible to perform privileged actions without additional authentication and credential verification.
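
The error-handling flaw described above, reduced to a self-contained C model next to a fail-closed version. This is an added illustration, not Polkit's source: `bus_lookup`, `get_creds_flawed`, `get_creds_checked`, `is_authorized` and the sample client are hypothetical, and the model assumes the credentials start zeroed, so a dropped error leaves uid 0.

```c
#include <stdbool.h>
#include <stdio.h>

typedef struct { bool connected; unsigned uid, pid; } client_t; /* constructed */
typedef struct { unsigned uid, pid; } creds_t;

/* Stand-in for the bus query: fails once the client has disconnected. */
static int bus_lookup(const client_t *c, creds_t *out)
{
    if (!c->connected)
        return -1;                 /* unique name no longer on the bus */
    *out = (creds_t){ c->uid, c->pid };
    return 0;
}

/* Flawed pattern: the lookup error is dropped and success is reported. */
bool get_creds_flawed(const client_t *c, creds_t *out)
{
    creds_t tmp = {0};             /* assumption: zeroed, and uid 0 is root */
    (void)bus_lookup(c, &tmp);     /* error code ignored */
    *out = tmp;
    return true;
}

/* Hardened pattern: fail closed, leave *out untouched on error. */
bool get_creds_checked(const client_t *c, creds_t *out)
{
    creds_t tmp = {0};
    if (bus_lookup(c, &tmp) != 0)
        return false;
    *out = tmp;
    return true;
}

/* Caller: skips authentication only for a requester identified as uid 0. */
bool is_authorized(bool (*get)(const client_t *, creds_t *), const client_t *c)
{
    creds_t creds = { 65534u, 0u }; /* start as "nobody", never as root */
    if (!get(c, &creds))
        return false;              /* requester could not be identified */
    return creds.uid == 0;
}

int main(void)
{
    client_t gone = { false, 1000, 4242 }; /* uid 1000, already disconnected */
    printf("flawed=%d checked=%d\n", is_authorized(get_creds_flawed, &gone),
           is_authorized(get_creds_checked, &gone));
}
```

With the checked variant, the disconnected uid 1000 client is rejected because the lookup failure reaches the caller; with the flawed variant the same client is treated as root.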

Source: opennet.ru
