On 29.03.26 at 20:46, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Mar 29, 2026 at 06:28:57PM +0200, Michael Biebl wrote:
>> Hi Salvatore,
>>
>> if I read https://bugzilla.redhat.com/show_bug.cgi?id=2451739 correctly, only versions newer than 0.113 are affected. Could you update the info in the security tracker accordingly?
>>
>> And for unstable/testing: there we use systemd socket activation (for systemd users), so those users should not be affected, right?
>
> But still versions are affected, because the commit https://github.com/polkit-org/polkit/commit/ea544ffc18405237ccd95d28d7f45afef49aca17 which introduces the codepath, as far as I can see, is the fix for CVE-2015-4625, or let's say part of it, which we have picked up as well. But I will make clear the relation to the above commit and the fix for CVE-2015-4625.

Ah, you are right. This change was applied in 0.105-12.

> The CVE is still a bit confusing, and reaching out to you with a bug report was in the hope we can properly assess it. I think to understand it does not need a DSA, but it is still not clear to me when the issue can be triggered, in particular given it is still setuid in trixie. Sourcewise it is still as well present in unstable, but we have no easy way to mark something "unimportant" just for unstable and not for the older suites. For unstable/trixie I right now do not see an urgency either (given we do not ship it anymore setuid and as you say we have systemd socket activation), but mark it fixed once the source-wise fix is applied. But we still need to properly assess the issue. I was neither able to directly trigger the problem on a trixie host. Again, that said need to look closer yet.
I needed to increase 200000000 to trigger anything and this led to the python process being OOM killed.
See attached journal
Mär 29 21:22:17 debian polkit-agent-helper-1[819]: pam_unix(polkit-1:auth):
auth could not identify password for [michael]
Mär 29 21:22:17 debian polkit-agent-helper-1[819]: pam_unix(polkit-1:auth):
conversation failed
Mär 29 21:22:15 debian systemd[1]: session-3.scope: A process of this unit has
been killed by the OOM killer.
Mär 29 21:22:15 debian kernel: Out of memory: Killed process 818 (python3)
total-vm:993056kB, anon-rss:191884kB, file-rss:4kB, shmem-rss:0kB, UID:1000
pgtables:1976kB oom_score_adj:0
Mär 29 21:22:15 debian kernel:
oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/user.slice/user-1000.slice/session-3.scope,task=python3,pid=818,uid=1000
Mär 29 21:22:15 debian kernel: [ 819] 1000 819 134244 48106 843776
47327 0 polkit-agent-he
Mär 29 21:22:15 debian kernel: [ 818] 1000 818 248264 47972 2023424
196829 0 python3
Mär 29 21:22:15 debian kernel: [ 814] 0 814 2944 39 65536
507 0 top
Mär 29 21:22:15 debian kernel: [ 808] 1000 808 1995 1 61440
355 0 bash
Mär 29 21:22:15 debian kernel: [ 802] 1000 802 42247 10 94208
793 100 (sd-pam)
Mär 29 21:22:15 debian kernel: [ 801] 1000 801 4729 4 81920
410 100 systemd
Mär 29 21:22:15 debian kernel: [ 554] 0 554 1533 1 49152
125 0 login
Mär 29 21:22:15 debian kernel: [ 546] 0 546 2001 1 53248
330 0 bash
Mär 29 21:22:15 debian kernel: [ 540] 0 540 42163 9 94208
731 100 (sd-pam)
Mär 29 21:22:15 debian kernel: [ 539] 0 539 4722 25 77824
394 100 systemd
Mär 29 21:22:15 debian kernel: [ 522] 0 522 1533 10 53248
120 0 login
Mär 29 21:22:15 debian kernel: [ 519] 0 519 4308 42 69632
248 0 systemd-logind
Mär 29 21:22:15 debian kernel: [ 518] 0 518 20062 13 61440
57 0 qemu-ga
Mär 29 21:22:15 debian kernel: [ 516] 100 516 2342 38 61440
164 -900 dbus-daemon
Mär 29 21:22:15 debian kernel: [ 515] 0 515 1654 2 57344
60 0 cron
Mär 29 21:22:15 debian kernel: [ 337] 0 337 1469 12 49152
197 0 dhclient
Mär 29 21:22:15 debian kernel: [ 318] 997 318 22526 6 77824
230 0 systemd-timesyn
Mär 29 21:22:15 debian kernel: [ 260] 0 260 6859 0 77824
528 -1000 systemd-udevd
Mär 29 21:22:15 debian kernel: [ 231] 0 231 10309 30 90112
242 -250 systemd-journal
Mär 29 21:22:15 debian kernel: [ pid ] uid tgid total_vm rss
pgtables_bytes swapents oom_score_adj name
Mär 29 21:22:15 debian kernel: Tasks state (memory values in pages):
Mär 29 21:22:15 debian kernel: 0 pages hwpoisoned
Mär 29 21:22:15 debian kernel: 13898 pages reserved
Mär 29 21:22:15 debian kernel: 0 pages HighMem/MovableOnly
Mär 29 21:22:15 debian kernel: 130938 pages RAM
Mär 29 21:22:15 debian kernel: Total swap = 998396kB
Mär 29 21:22:15 debian kernel: Free swap = 0kB
Mär 29 21:22:15 debian kernel: 820 pages in swap cache
Mär 29 21:22:15 debian kernel: 1903 total pagecache pages
Mär 29 21:22:15 debian kernel: Node 0 hugepages_total=0 hugepages_free=0
hugepages_surp=0 hugepages_size=2048kB
Mär 29 21:22:15 debian kernel: Node 0 hugepages_total=0 hugepages_free=0
hugepages_surp=0 hugepages_size=1048576kB
Mär 29 21:22:15 debian kernel: Node 0 DMA32: 144*4kB (UME) 115*8kB (UME)
39*16kB (UME) 18*32kB (UME) 2*64kB (M) 0*128kB 0*256kB 0*512kB 0*1024kB
0*2048kB 0*4096kB = 2824kB
Mär 29 21:22:15 debian kernel: Node 0 DMA: 5*4kB (U) 7*8kB (UE) 2*16kB (U)
6*32kB (UME) 2*64kB (ME) 2*128kB (UE) 2*256kB (UE) 1*512kB (U) 0*1024kB
0*2048kB 0*4096kB = 1708kB
Mär 29 21:22:15 debian kernel: lowmem_reserve[]: 0 0 0 0 0
Mär 29 21:22:15 debian kernel: Node 0 DMA32 free:2512kB boost:0kB min:2524kB
low:3152kB high:3780kB reserved_highatomic:0KB active_anon:183256kB
inactive_anon:192436kB active_file:12kB inactive_file:248kB unevictable:4000kB
writepending:0kB present:507760kB managed:452800kB mlocked:0kB bounce:0kB
free_pcp:0kB local_pcp:0kB free_cma:0kB
Mär 29 21:22:15 debian kernel: lowmem_reserve[]: 0 404 404 404 404
Mär 29 21:22:15 debian kernel: Node 0 DMA free:1708kB boost:0kB min:92kB
low:112kB high:132kB reserved_highatomic:0KB active_anon:10240kB
inactive_anon:3200kB active_file:0kB inactive_file:0kB unevictable:0kB
writepending:0kB present:15992kB managed:15360kB mlocked:0kB bounce:0kB
free_pcp:0kB local_pcp:0kB free_cma:0kB
Mär 29 21:22:15 debian kernel: Node 0 active_anon:193340kB
inactive_anon:195676kB active_file:100kB inactive_file:96kB unevictable:4000kB
isolated(anon):0kB isolated(file):0kB mapped:40kB dirty:0kB writeback:0kB
shmem:4108kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 0kB
writeback_tmp:0kB kernel_stack:1856kB pagetables:3860kB sec_pagetables:0kB
all_unreclaimable? yes
Mär 29 21:22:15 debian kernel: active_anon:48335 inactive_anon:48919
isolated_anon:0
active_file:25 inactive_file:24 isolated_file:0
unevictable:1000 dirty:0 writeback:0
slab_reclaimable:4502 slab_unreclaimable:5456
mapped:10 shmem:1027 pagetables:965
sec_pagetables:0 bounce:0
kernel_misc_reclaimable:0
free:1055 free_pcp:0 free_cma:0
Mär 29 21:22:15 debian kernel: Mem-Info:
Mär 29 21:22:15 debian kernel: </TASK>
Mär 29 21:22:15 debian kernel: R13: 0000000000000000 R14: 0000000017440000 R15:
0000000000001000
Mär 29 21:22:15 debian kernel: R10: 0000000000000001 R11: 0000000000000246 R12:
00007ffd30f14b38
Mär 29 21:22:15 debian kernel: RBP: 0000000017440000 R08: 000056474c6203a0 R09:
0000000000000000
Mär 29 21:22:15 debian kernel: RDX: 0000000000001000 RSI: 000000000000000a RDI:
000056474c6203a0
Mär 29 21:22:15 debian kernel: RAX: 0000000000000041 RBX: 00007f7b41844a80 RCX:
00007f7b4176929d
Mär 29 21:22:15 debian kernel: RSP: 002b:00007ffd30f14ac8 EFLAGS: 00010206
Mär 29 21:22:15 debian kernel: Code: Unable to access opcode bytes at
0x7f7b417d4596.
Mär 29 21:22:15 debian kernel: RIP: 0033:0x7f7b417d45c0
Mär 29 21:22:15 debian kernel: asm_exc_page_fault+0x22/0x30
Mär 29 21:22:15 debian kernel: exc_page_fault+0x70/0x170
Mär 29 21:22:15 debian kernel: do_user_addr_fault+0x191/0x550
Mär 29 21:22:15 debian kernel: handle_mm_fault+0xdb/0x2d0
Mär 29 21:22:15 debian kernel: __handle_mm_fault+0x660/0xfa0
Mär 29 21:22:15 debian kernel: do_fault+0x1b9/0x410
Mär 29 21:22:15 debian kernel: __do_fault+0x30/0x110
Mär 29 21:22:15 debian kernel: ? filemap_map_pages+0x153/0x720
Mär 29 21:22:15 debian kernel: filemap_fault+0x139/0x910
Mär 29 21:22:15 debian kernel: __filemap_get_folio+0x155/0x340
Mär 29 21:22:15 debian kernel: folio_alloc+0x17/0x50
Mär 29 21:22:15 debian kernel: __alloc_pages+0x305/0x330
Mär 29 21:22:15 debian kernel: __alloc_pages_slowpath.constprop.0+0x6fe/0xe60
Mär 29 21:22:15 debian kernel: out_of_memory+0x1fd/0x4c0
Mär 29 21:22:15 debian kernel: oom_kill_process.cold+0xb/0x10
Mär 29 21:22:15 debian kernel: dump_header+0x4c/0x22b
Mär 29 21:22:15 debian kernel: dump_stack_lvl+0x44/0x5c
Mär 29 21:22:15 debian kernel: <TASK>
Mär 29 21:22:15 debian kernel: Call Trace:
Mär 29 21:22:15 debian kernel: Hardware name: QEMU Standard PC (Q35 + ICH9,
2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
Mär 29 21:22:15 debian kernel: CPU: 0 PID: 819 Comm: polkit-agent-he Not
tainted 6.1.0-42-amd64 #1 Debian 6.1.159-1
Mär 29 21:22:15 debian kernel: polkit-agent-he invoked oom-killer:
gfp_mask=0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), order=0, oom_score_adj=0
Mär 29 21:21:58 debian polkit-agent-helper-1[816]: pam_unix(polkit-1:auth):
auth could not identify password for [michael]
Mär 29 21:21:58 debian polkit-agent-helper-1[816]: pam_unix(polkit-1:auth):
conversation failed
_______________________________________________ Pkg-utopia-maintainers mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
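An added example, not part of the original message: a small Python parser that rejoins the mail-wrapped journal lines and ranks the tasks in the kernel's OOM report by RSS plus swap, so the helper's memory footprint can be compared with the killed process. The sample is an excerpt of the journal above; the 4 KiB page size and the function names are assumptions.

```python
import re

# Excerpt of the journal above, left mail-wrapped (continuations lack a timestamp).
SAMPLE = """\
Mär 29 21:22:15 debian kernel: Out of memory: Killed process 818 (python3)
total-vm:993056kB, anon-rss:191884kB, file-rss:4kB, shmem-rss:0kB, UID:1000
pgtables:1976kB oom_score_adj:0
Mär 29 21:22:15 debian kernel: [ 819] 1000 819 134244 48106 843776
47327 0 polkit-agent-he
Mär 29 21:22:15 debian kernel: [ 818] 1000 818 248264 47972 2023424
196829 0 python3
Mär 29 21:22:15 debian kernel: polkit-agent-he invoked oom-killer:
gfp_mask=0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), order=0, oom_score_adj=0
"""

STAMP = re.compile(r"^\S+ +\d{1,2} \d\d:\d\d:\d\d \S+ ([^:\s]+): ?(.*)$")
TASK = re.compile(r"^\[\s*(\d+)\]" + r"\s+(\d+)" * 6 + r"\s+(-?\d+)\s+(\S+)$")
INVOKED = re.compile(r"^(\S+) invoked oom-killer")
KILLED = re.compile(r"Killed process (\d+) \(([^)]+)\)")
PAGE_KIB = 4  # assumption: 4 KiB pages (amd64 default)

def unwrap(text):
    """Rejoin wrapped continuation lines; return the kernel messages only."""
    out = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            out.append([m.group(1), m.group(2).strip()])
        elif out and line.strip():
            out[-1][1] += " " + line.strip()
    return [msg for src, msg in out if src == "kernel"]

def summarize(text):
    """Invoker, victim and per-task RSS+swap in KiB (largest first)."""
    rep = {"invoker": None, "killed": None, "tasks": []}
    for msg in unwrap(text):
        if m := INVOKED.match(msg):
            rep["invoker"] = m.group(1)
        elif m := KILLED.search(msg):
            rep["killed"] = (int(m.group(1)), m.group(2))
        elif m := TASK.match(msg):
            g = m.groups()  # pid uid tgid total_vm rss pgtables swapents adj name
            rep["tasks"].append((g[8], int(g[0]), (int(g[4]) + int(g[6])) * PAGE_KIB))
    rep["tasks"].sort(key=lambda t: t[2], reverse=True)
    return rep

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The task table truncates process names to 15 characters, which is why `polkit-agent-helper-1` appears as `polkit-agent-he`.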
