There is a new vulnerability (CVE-2021-4034) for polkit, and the exploit allows spawning a root shell. The package was updated yesterday on Arch. Make sure you update that one!
It’s kind of crazy to think it has been there since 2009, but only found out recently. The following article also shows the exploit in action for those interested.
It seems to be only a local exploit, so unless you have other users without sudo privileges using your computer, it does not seem to be something that you need to be worried about.
It does indeed feel like a local exploit. Those are often used for privilege escalation once you’ve obtained a shell through a service account. I agree most people here should not be worried about it, but might be useful for those who have servers.
This really isn’t a fair interpretation of “local exploit” in today’s world. A local exploit isn’t only a vulnerability to people who have local accounts. The most common way a local exploit is used, is in conjunction with another exploit. The first exploit gets you access and the second gets you privilege escalation.
There are tons of real-world cases where this can happen. For example, a vulnerability in almost any internet-facing client, most commonly a web browser. They use that exploit to get local access and then look for other exploits to get even more. Although, frankly, on a single-user workstation, you can do a lot without privileged access.
FYI, if your system is up to date and using polkit v0.120-4, then you have the latest patched version from the Arch devs that addresses this and should be good now; just make sure to do a reboot after you’ve updated so you know everything works.
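A quick way to verify the "are you on 0.120-4 or newer?" check from the post above, as an added example rather than code from anyone in this thread. It assumes Arch's `epoch:pkgver-pkgrel` version strings (the thread's fixed version, 0.120-4, has no epoch) and GNU `sort -V` for the ordering; `pacman` is only used if it is present, so the comparison functions can also be run against a version string on any system.

```shell
#!/bin/sh
# Added example (not from the thread): check an installed polkit version
# against the Arch package release named in the thread as carrying the fix.
FIXED_POLKIT_VERSION="0.120-4"

# version_ge A B -> succeeds if A >= B in version-sort order (GNU sort -V).
# Assumption: plain pkgver-pkgrel strings, no epoch prefix.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# polkit_status VERSION -> prints "patched" if VERSION >= 0.120-4, else "vulnerable".
polkit_status() {
    if version_ge "$1" "$FIXED_POLKIT_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# installed_polkit_version -> prints the installed version from pacman -Q,
# or fails when pacman (or the polkit package) is not present.
installed_polkit_version() {
    command -v pacman >/dev/null 2>&1 || return 1
    pacman -Q polkit 2>/dev/null | awk '{print $2}' | grep . || return 1
}

# Stand-alone usage: report on the local system, or fall back to a
# constructed sample value so the script still demonstrates the check.
if v=$(installed_polkit_version); then
    echo "installed polkit $v: $(polkit_status "$v")"
else
    v="0.120-3"   # constructed sample for systems without pacman
    echo "pacman not available; sample polkit $v: $(polkit_status "$v")"
fi
```

On a real Arch box, `pacman -Q polkit` supplies the version; the "patched" result only says the package release is at or past 0.120-4, so a downgraded or locally rebuilt package would still need checking against its own source.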