A new Polkit vulnerability
Qualys has announced the disclosure of a local-root vulnerability in Polkit. They are calling it "PwnKit" and have even provided a proof-of-concept video.
Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009.
Updates from distributors are already rolling out.