# Polkit Lessons



## TheRaven (Apr 9, 2022)

Dangerous Code Hidden in Plain Sight for 12 years




_View: https://www.youtube.com/watch?v=eTcVLqKpZJc_


Don't know about the rest of you, but Polkit is starting to worry me.
Polkit devs. must be taking a page from Windows security.
Honestly, this is BS.

FBSD security/devs. need to check this video out.


----------



## _martin (Apr 9, 2022)

This was already discussed here. I'd be worried if FreeBSD devs need to watch this video to get the Qualys report.
It's already fixed. It was not possible to pull the exploit on FreeBSD though, not even via Linux ABI.

What is more troublesome is that the issue itself was reported almost 10 years ago. And after the Qualys report I've seen some other reports where this kind of argv handling took place. But those programs were not setuid so fuzz was not so high.


----------



## TheRaven (Apr 12, 2022)

_martin said:


> This was already discussed here. I'd be worried if FreeBSD devs need to watch this video to get the Qualys report.
> It's already fixed. It was not possible to pull the exploit on FreeBSD though, not even via Linux ABI.
> 
> What is more troublesome is that the issue itself was reported almost 10 years ago. And after the Qualys report I've seen some other reports where this kind of argv handling took place. But those programs were not setuid so fuzz was not so high.


Awesome that FBSD is insulated.
Also agree that an issue this long in the tooth and harboring such reach has not been actively addressed globally.
Thnx for the heads up _martin- it matters to me!


----------



## msplsh (Apr 12, 2022)

This one sat for 10 years.  Seems like the same sort of thing.  Polkit isn't special in this regard.

CVE-2021-3156


----------



## SirDice (Apr 12, 2022)

msplsh said:


> This one sat for 10 years. Seems like the same sort of thing. Polkit isn't special in this regard.


Yeah, it's not like BSD doesn't have old bugs.









						When seekdir() Won’t Seek to the Right Position
					

Back in 2008, I discovered a bug in the BSD filesystem that has been there for more than 25 years, in all of the major BSDs, read the…




					marcbalmer.ch


----------



## msplsh (Apr 12, 2022)

Nice story.  Good ending.


----------

