Bug 1195542 - (CVE-2021-4115) VUL-0: CVE-2021-4115: polkit: denial of service via file descriptor leak
(CVE-2021-4115)
VUL-0: CVE-2021-4115: polkit: denial of service via file descriptor leak
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/322591/
CVSSv3.1:SUSE:CVE-2021-4115:3.3:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-02-04 08:25 UTC by Robert Frohl
Modified: 2022-02-22 11:30 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 5 Marcus Meissner 2022-02-18 10:29:50 UTC
public now

From: Devon Thompson <devthomp@redhat.com>
To: oss-security@lists.openwall.com
Subject: [oss-security] CVE-2021-4115: polkit: file descriptor leak allows an unprivileged user to cause a crash.

Description:
There is an error handing flaw in polkit which can allow an unprivileged user to cause polkit to crash.
The crash happens due to process file descriptor exhaustion.
NOTE: Polkit process outage duration is tied to the failing process being reaped and a new one being spawned.


References:
https://access.redhat.com/security/cve/cve-2021-4115
https://bugzilla.redhat.com/show_bug.cgi?id=2054127
https://pkgs.devel.redhat.com/cgit/rpms/polkit/commit/?h=rhel-8.6.0&id=a71b0b5bb6624858a16bfbc1e721757b243709c6
Comment 6 Swamp Workflow Management 2022-02-21 08:17:00 UTC
openSUSE-SU-2022:0525-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195542
CVE References: CVE-2021-4115
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    polkit-0.116-3.9.1
openSUSE Leap 15.3 (src):    polkit-0.116-3.9.1
Comment 7 Swamp Workflow Management 2022-02-21 08:21:38 UTC
SUSE-SU-2022:0525-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195542
CVE References: CVE-2021-4115
JIRA References: 
Sources used:
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    polkit-0.116-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    polkit-0.116-3.9.1
SUSE Linux Enterprise Micro 5.1 (src):    polkit-0.116-3.9.1
SUSE Linux Enterprise Micro 5.0 (src):    polkit-0.116-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-02-21 08:22:43 UTC
SUSE-SU-2022:0524-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1195542
CVE References: CVE-2021-4115
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    polkit-0.113-5.27.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    polkit-0.113-5.27.1
SUSE Linux Enterprise Server 12-SP5 (src):    polkit-0.113-5.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 OBSbugzilla Bot 2022-02-22 11:30:03 UTC
This is an autogenerated message for OBS integration:
This bug (1195542) was mentioned in
https://build.opensuse.org/request/show/956662 Factory / polkit