Post Syndicated from original https://lwn.net/Articles/882609/rss

Qualys has announced
the disclosure of a local-root vulnerability in Polkit. They are calling
it “PwnKit” and have even provided a proof-of-concept video.

Successful exploitation of this vulnerability allows any
unprivileged user to gain root privileges on the vulnerable
host. Qualys security researchers have been able to independently
verify the vulnerability, develop an exploit, and obtain full root
privileges on default installations of Ubuntu, Debian, Fedora, and
CentOS. Other Linux distributions are likely vulnerable and
probably exploitable. This vulnerability has been hiding in plain
sight for 12+ years and affects all versions of pkexec since its
first version in May 2009.

Updates from distributors are already rolling out.