An update for polkit is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1502 Final 1.0 1.0 2022-01-27 Initial 2022-01-27 2022-01-27 openEuler SA Tool V1.0 2022-01-27 polkit security update An update for polkit is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3. Define and Handle authorizations tool. Security Fix(es): A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.(CVE-2021-4034) An update for polkit is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High polkit https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1502 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-4034 https://nvd.nist.gov/vuln/detail/CVE-2021-4034 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 polkit-debugsource-0.116-8.oe1.aarch64.rpm polkit-libs-0.116-8.oe1.aarch64.rpm polkit-devel-0.116-8.oe1.aarch64.rpm polkit-debuginfo-0.116-8.oe1.aarch64.rpm polkit-0.116-8.oe1.aarch64.rpm polkit-debuginfo-0.116-9.oe1.aarch64.rpm polkit-devel-0.116-9.oe1.aarch64.rpm polkit-0.116-9.oe1.aarch64.rpm polkit-debugsource-0.116-9.oe1.aarch64.rpm polkit-libs-0.116-9.oe1.aarch64.rpm polkit-0.116-9.oe1.aarch64.rpm polkit-devel-0.116-9.oe1.aarch64.rpm polkit-debuginfo-0.116-9.oe1.aarch64.rpm polkit-libs-0.116-9.oe1.aarch64.rpm polkit-debugsource-0.116-9.oe1.aarch64.rpm polkit-help-0.116-8.oe1.noarch.rpm polkit-help-0.116-9.oe1.noarch.rpm polkit-help-0.116-9.oe1.noarch.rpm polkit-0.116-8.oe1.src.rpm polkit-0.116-9.oe1.src.rpm polkit-0.116-9.oe1.src.rpm polkit-0.116-8.oe1.x86_64.rpm polkit-debuginfo-0.116-8.oe1.x86_64.rpm polkit-debugsource-0.116-8.oe1.x86_64.rpm polkit-libs-0.116-8.oe1.x86_64.rpm polkit-devel-0.116-8.oe1.x86_64.rpm polkit-libs-0.116-9.oe1.x86_64.rpm polkit-devel-0.116-9.oe1.x86_64.rpm polkit-debuginfo-0.116-9.oe1.x86_64.rpm polkit-0.116-9.oe1.x86_64.rpm polkit-debugsource-0.116-9.oe1.x86_64.rpm polkit-0.116-9.oe1.x86_64.rpm polkit-debuginfo-0.116-9.oe1.x86_64.rpm polkit-debugsource-0.116-9.oe1.x86_64.rpm polkit-libs-0.116-9.oe1.x86_64.rpm polkit-devel-0.116-9.oe1.x86_64.rpm A local privilege escalation vulnerability was found on polkit s pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn t handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it ll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine. 2022-01-27 CVE-2021-4034 openEuler-20.03-LTS-SP1 openEuler-20.03-LTS-SP2 openEuler-20.03-LTS-SP3 High 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H polkit security update 2022-01-27 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1502