Hopefully PureOS devs have plans to get this patched ASAP. Being as PureOS is based on Debian and uses systemd, I have to assume PureOS also has this vulnerability.
As always with a privilege escalation vulnerability,
- for a personal computer, it will be difficult to exploit, unless used as a blended attack
- for most of my computers, if there is an untrusted “unprivileged local user” accessing my computer then I already have a major security problem
Anyway, keep an eye on the package version of
For Debian: https://security-tracker.debian.org/tracker/CVE-2021-4034
For Ubuntu: https://ubuntu.com/security/CVE-2021-4034
The update is already available in PureOS
Don’t suppose you can post the package version that contains the fix? (for both byzantium and, if relevant, for both Librem 5 and x86 devices)
It’s this one:
policykit-1 - 0.105-31+deb11u1
Got fixed the other day in Linux Mint.
I’m confused about one thing. According to security reports on the internet, pkexec should be at version 0.120 to be protected. Am I to understand that on a Debian system 0.105 is a patched version?
The Debian security team often backports patches to the version the current Debian releases shipped with, to minimize the risk of the update breaking stuff. So for systems that closely track Debian, you’re probably better off checking https://security-tracker.debian.org/tracker/ to see whether your version is vulnerable. @irvinewade kindly already provided the link for this CVE (https://security-tracker.debian.org/tracker/CVE-2021-4034).