Gordon Messmer
2017-Feb-09 22:40 UTC
[CentOS] Serious attack vector on pkcheck ignored by Red Hat
On 02/09/2017 02:27 PM, Warren Young wrote:
> I'm with Gordon: someone certainly should fix this problem for its own sake, but don't try to strong-arm Red Hat into doing it for you because Security.
>
> Way too many bad things are done Because Security.

My larger concern is that there *does* seem to be a security issue with pkexec that has at least two very simple fixes, and that issue isn't being addressed because of the noise involved in arguing about pkcheck. There's no security problem in pkcheck, and all of the time spent insisting that there is serves to further delay fixing pkexec.
John R Pierce
2017-Feb-09 22:55 UTC
[CentOS] Serious attack vector on pkcheck ignored by Red Hat
On 2/9/2017 2:40 PM, Gordon Messmer wrote:
> My larger concern is that there *does* seem to be a security issue with pkexec that has at least two very simple fixes, and that issue isn't being addressed because of the noise involved in arguing about pkcheck. There's no security problem in pkcheck, and all of the time spent insisting that there is serves to further delay fixing pkexec.

You realize no one on this email list has anything to do with the source code for this pkcheck thing? CentOS uses the code exactly as is that Red Hat releases. You're tilting at windmills in the wrong country here.

--
john r pierce, recycling bits in santa cruz
Gordon Messmer
2017-Feb-09 23:35 UTC
[CentOS] Serious attack vector on pkcheck ignored by Red Hat
On 02/09/2017 02:55 PM, John R Pierce wrote:
> You realize no one on this email list has anything to do with the source code for this pkcheck thing? CentOS uses the code exactly as is that Red Hat releases. You're tilting at windmills in the wrong country here.

Yes, I do. And I tried to help OP file a bug report with Red Hat so that pkexec could be fixed. His original bugs wasted a lot of time arguing about pkcheck, and were closed WONTFIX. He has since filed new bug reports which are currently ASSIGNED. I'm hopeful that those will be fixed, because there does appear to be a security flaw in a SUID binary installed by default on CentOS 6 and 7.