libpolkit-agent-1-0-0.120-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11780 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libpolkit-agent-1-0-0.120-2.1 on GA media These are all security issues fixed in the libpolkit-agent-1-0-0.120-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11780 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11780 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2021-4034/ SUSE CVE CVE-2021-4034 page openSUSE Tumbleweed libpolkit-agent-1-0-0.120-2.1 libpolkit-agent-1-0-32bit-0.120-2.1 libpolkit-gobject-1-0-0.120-2.1 libpolkit-gobject-1-0-32bit-0.120-2.1 polkit-0.120-2.1 polkit-devel-0.120-2.1 polkit-doc-0.120-2.1 typelib-1_0-Polkit-1_0-0.120-2.1 libpolkit-agent-1-0-0.120-2.1 as a component of openSUSE Tumbleweed libpolkit-agent-1-0-32bit-0.120-2.1 as a component of openSUSE Tumbleweed libpolkit-gobject-1-0-0.120-2.1 as a component of openSUSE Tumbleweed libpolkit-gobject-1-0-32bit-0.120-2.1 as a component of openSUSE Tumbleweed polkit-0.120-2.1 as a component of openSUSE Tumbleweed polkit-devel-0.120-2.1 as a component of openSUSE Tumbleweed polkit-doc-0.120-2.1 as a component of openSUSE Tumbleweed typelib-1_0-Polkit-1_0-0.120-2.1 as a component of openSUSE Tumbleweed A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine. CVE-2021-4034 openSUSE Tumbleweed:libpolkit-agent-1-0-0.120-2.1 openSUSE Tumbleweed:libpolkit-agent-1-0-32bit-0.120-2.1 openSUSE Tumbleweed:libpolkit-gobject-1-0-0.120-2.1 openSUSE Tumbleweed:libpolkit-gobject-1-0-32bit-0.120-2.1 openSUSE Tumbleweed:polkit-0.120-2.1 openSUSE Tumbleweed:polkit-devel-0.120-2.1 openSUSE Tumbleweed:polkit-doc-0.120-2.1 openSUSE Tumbleweed:typelib-1_0-Polkit-1_0-0.120-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-4034.html CVE-2021-4034 https://bugzilla.suse.com/1194568 SUSE Bug 1194568 https://bugzilla.suse.com/1195125 SUSE Bug 1195125 https://bugzilla.suse.com/1195136 SUSE Bug 1195136 https://bugzilla.suse.com/1195246 SUSE Bug 1195246 https://bugzilla.suse.com/1195265 SUSE Bug 1195265 https://bugzilla.suse.com/1195278 SUSE Bug 1195278 https://bugzilla.suse.com/1195528 SUSE Bug 1195528 https://bugzilla.suse.com/1195541 SUSE Bug 1195541 https://bugzilla.suse.com/1196165 SUSE Bug 1196165 https://bugzilla.suse.com/1196388 SUSE Bug 1196388