#1093276 polkit: When entering (correct) password, then waiting for timeout, password gets copied on CLI!

Package:
polkitd
Source:
polkitd
Description:
framework for managing administrative policies and privileges
Submitter:
li ar
Date:
2025-02-02 08:09:01 UTC
Severity:
normal
Tags:
#1093276#5
Date:
2025-01-17 10:23:27 UTC
From:
To:
Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

Hello,

I'm using LMDE6 (Linux Mint based on Debian 12).

When, as a normal user, I call a command that requires root privileges on the command line, instead of getting rejected, I'm asked for root/sudo password. I think the tool used to do that is polkit. That's why I post here.

When I enter my (correct) password, but then DO NOT validate it by hitting return, then let the login/sudo TIMEOUT trigger, then my actual password get copy-pasted on the command line!!!!

When I use "sudo" directly, there is no timeout, thus it does not happen.

Example:
```
[✘] user@localmachine:~$ service ollama stop
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ====  ## <- I think it is polkit/pkexec that's called here?
Authentication is required to stop 'ollama.service'.
Authenticating as: USER,,, (user)
Password: Failed to stop ollama.service: Connection timed out       ## <- I just wait for timeout here
See system logs and 'systemctl status ollama.service' for details.
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
[✘] user@localmachine:~$ MyPassw0rd!                                ## My password is pasted on the CLI!!!!
```


*** End of the template - remove these template lines ***

#1093276#10
Date:
2025-01-17 12:48:33 UTC
From:
To:
Hi,

thanks for your bug report. I can confirm/reproduce this issue.
So I've forwarded it to upstream accordingly.

Am 17.01.25 um 11:23 schrieb li ar:

#1093276#17
Date:
2025-01-17 20:00:22 UTC
From:
To:
Hi,

looping in the Debian security team as I consider this a security
sensitive issue, simply to make them aware of it.

We do have an upstream issue now but no CVE number ttbomk.

Regards,
Michael

Am 17.01.25 um 13:48 schrieb Michael Biebl:

#1093276#24
Date:
2025-01-22 21:26:12 UTC
From:
To:
Hello o/

I have not been able to reproduce this issue on a non-Debian based
distro. So far, we do not have evidence that upstream is affected.

I left some testing comments upsteam:
https://github.com/polkit-org/polkit/issues/545

This issue affects Ubuntu 24.04+ Desktop and Server. Ubuntu 22.04 is
unaffected, which uses policykit-1 version 0.105-33.

My personal laptop runs 24.04 server without policykit-1 (or gdm) and I
am not affected.

If this is verified as a Debian introduced vulnerability, I can assign a
CVE.

Cheers,
Mark

#1093276#29
Date:
2025-01-23 06:30:35 UTC
From:
To:
Hi

Thansk for the heads-up, adding the security tag and including the
security team alias.

My understanding from what followed later on the upstream issue is
that Michael is able to reproduce it as well on non-Debian distros.
And there seems to be confirmation as well that it's a known issue
upstream.

Regards,
Salvatore