[CentOS] Serious attack vector on pkcheck ignored by Red Hat
Gordon Messmer
gordon.messmer at gmail.com
Thu Feb 9 23:35:31 UTC 2017
On 02/09/2017 02:55 PM, John R Pierce wrote:
>
> you realize no one on this email list has anything to do with the
> source code for this pkcheck thing? CentOS uses the code exactly as
> is that Red Hat releases. You're tilting at windmills in the wrong
> country here.
Yes, I do. And I tried to help OP file a bug report with Red Hat so
that pkexec could be fixed. His original bugs wasted a lot of time
arguing about pkcheck, and were closed WONTFIX. He has since filed new
bug reports which are currently ASSIGNED. I'm hopeful that those will
be fixed, because there does appear to be a security flaw in a SUID
binary installed by default on CentOS 6 and 7.