{"id":"MGASA-2022-0037","summary":"Updated polkit packages fix security vulnerability","details":"A local privilege escalation vulnerability was found on polkit's pkexec\nutility. The pkexec application is a setuid tool designed to allow unprivileged\nusers to run commands as privileged users according predefined policies. The\ncurrent version of pkexec doesn't handle the calling parameters count correctly\nand ends trying to execute environment variables as commands. An attacker can\nleverage this by crafting environment variables in such a way it'll induce\npkexec to execute arbitrary code. When successfully executed the attack can\ncause a local privilege escalation given unprivileged users administrative\nrights on the target machine (CVE-2021-4034).\n","modified":"2026-04-16T00:10:51.766258235Z","published":"2022-01-26T10:30:04Z","upstream":["CVE-2021-4034"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0037.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29944"},{"type":"WEB","url":"https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2022:0267"}],"affected":[{"package":{"name":"polkit","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/polkit?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.118-1.2.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0037.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}