[gnome-build-meta/abderrahim/polkit-cve] freedesktop-sdk.bst: add patch to fix polkit CVE




commit 0cf3792c7450d3eaa7996b6d094a5d8d7b71aa53
Author: Abderrahim Kitouni <akitouni gnome org>
Date:   Sat Jan 29 13:17:30 2022 +0100

    freedesktop-sdk.bst: add patch to fix polkit CVE

 elements/freedesktop-sdk.bst                       |   2 +
 ...polkit.bst-backport-patch-to-fix-CVE-2021.patch | 114 +++++++++++++++++++++
 files/polkit/sysusers.conf                         |   1 -
 3 files changed, 116 insertions(+), 1 deletion(-)
---
diff --git a/elements/freedesktop-sdk.bst b/elements/freedesktop-sdk.bst
index 2f8e879aa..6847336ae 100644
--- a/elements/freedesktop-sdk.bst
+++ b/elements/freedesktop-sdk.bst
@@ -4,6 +4,8 @@ sources:
   url: gitlab:freedesktop-sdk/freedesktop-sdk.git
   track: release/21.08
   track-tags: true
+- kind: patch
+  path: files/freedesktop-sdk/components-polkit.bst-backport-patch-to-fix-CVE-2021.patch
 config:
   options:
     target_arch: '%{arch}'
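Review bot: The filename under `path:` truncates the identifier to `CVE-2021`, so a search of the tree for CVE-2021-4034 will not find the file that carries the fix; naming it with the full id would make auditing easier. The new `- kind: patch` entry also sits on top of a tracked `release/21.08` ref with no note about when it becomes redundant, so add a comment above it such as `# Backport for CVE-2021-4034 (polkit); drop once the tracked release/21.08 tag includes the fix`. The diffstat also lists a one-line deletion in `files/polkit/sysusers.conf` that the commit message does not explain, and its diff is not visible here.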
diff --git a/files/freedesktop-sdk/components-polkit.bst-backport-patch-to-fix-CVE-2021.patch b/files/freedesktop-sdk/components-polkit.bst-backport-patch-to-fix-CVE-2021.patch
new file mode 100644
index 000000000..05177405d
--- /dev/null
+++ b/files/freedesktop-sdk/components-polkit.bst-backport-patch-to-fix-CVE-2021.patch
@@ -0,0 +1,114 @@
+From eadef12904e37853d08e73dbbabc3e6358f0b66b Mon Sep 17 00:00:00 2001
+From: Abderrahim Kitouni <akitouni gnome org>
+Date: Sat, 29 Jan 2022 13:10:43 +0100
+Subject: [PATCH] components/polkit.bst: backport patch to fix CVE-2021-4034
+
+---
+ elements/components/polkit.bst                |  2 +
+ ...l-privilege-escalation-CVE-2021-4034.patch | 81 +++++++++++++++++++
+ 2 files changed, 83 insertions(+)
+ create mode 100644 patches/polkit/pkexec-local-privilege-escalation-CVE-2021-4034.patch
+
+diff --git a/elements/components/polkit.bst b/elements/components/polkit.bst
+index 18c77f444..41cb1a45a 100644
+--- a/elements/components/polkit.bst
++++ b/elements/components/polkit.bst
+@@ -46,6 +46,8 @@ sources:
+   url: freedesktop:polkit/polkit.git
+   track: master
+   ref: 0.120-0-g92b910ce2273daf6a76038f6bd764fa6958d4e8e
++- kind: patch
++  path: patches/polkit/pkexec-local-privilege-escalation-CVE-2021-4034.patch
+ - kind: local
+   path: files/polkit/sysusers.conf
+   directory: data
+diff --git a/patches/polkit/pkexec-local-privilege-escalation-CVE-2021-4034.patch b/patches/polkit/pkexec-local-privilege-escalation-CVE-2021-4034.patch
+new file mode 100644
+index 000000000..8a42184c4
+--- /dev/null
++++ b/patches/polkit/pkexec-local-privilege-escalation-CVE-2021-4034.patch
+@@ -0,0 +1,81 @@
++From 563ce1aaa6767045ef46202feb0ede53028e698c Mon Sep 17 00:00:00 2001
++From: Jan Rybar <jrybar redhat com>
++Date: Tue, 25 Jan 2022 18:10:22 +0100
++Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
++
++Local privilege escalation due to incorrect handling of argument vector
++Advisory by Qualys: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
++---
++ src/programs/pkcheck.c |  5 +++++
++ src/programs/pkexec.c  | 23 ++++++++++++++++++++---
++ 2 files changed, 25 insertions(+), 3 deletions(-)
++
++diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
++index f1bb4e1..768525c 100644
++--- a/src/programs/pkcheck.c
+++++ b/src/programs/pkcheck.c
++@@ -363,6 +363,11 @@ main (int argc, char *argv[])
++   local_agent_handle = NULL;
++   ret = 126;
++ 
+++  if (argc < 1)
+++    {
+++      exit(126);
+++    }
+++
++   /* Disable remote file access from GIO. */
++   setenv ("GIO_USE_VFS", "local", 1);
++ 
++diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
++index 7698c5c..84e5ef6 100644
++--- a/src/programs/pkexec.c
+++++ b/src/programs/pkexec.c
++@@ -488,6 +488,15 @@ main (int argc, char *argv[])
++   pid_t pid_of_caller;
++   gpointer local_agent_handle;
++ 
+++
+++  /*
+++   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
+++   */
+++  if (argc<1)
+++    {
+++      exit(127);
+++    }
+++
++   ret = 127;
++   authority = NULL;
++   subject = NULL;
++@@ -614,10 +623,10 @@ main (int argc, char *argv[])
++ 
++       path = g_strdup (pwstruct.pw_shell);
++       if (!path)
++-     {
+++        {
++           g_printerr ("No shell configured or error retrieving pw_shell\n");
++           goto out;
++-     }
+++        }
++       /* If you change this, be sure to change the if (!command_line)
++       case below too */
++       command_line = g_strdup (path);
++@@ -636,7 +645,15 @@ main (int argc, char *argv[])
++           goto out;
++         }
++       g_free (path);
++-      argv[n] = path = s;
+++      path = s;
+++
+++      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+++       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+++       */
+++      if (argv[n] != NULL)
+++      {
+++        argv[n] = path;
+++      }
++     }
++   if (access (path, F_OK) != 0)
++     {
++-- 
++GitLab
++
+-- 
+2.34.1
+
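Review bot: Neither `if (argc < 1)` guard (in `main` of pkcheck.c and pkexec.c) says why an empty argument vector is fatal, and both exit without any diagnostic. The pkexec comment would serve a maintainer better if it stated the invariant, for example `/* With argc == 0, argv[0] is the NULL terminator and on Linux argv[1] is the first environment pointer, so the argv[n] accesses below would read and write the environment. */`. Because the exit is silent, a run with an empty argv leaves no trace from polkit itself, so detection has to rely on process-execution auditing outside this binary. If the backport must stay byte-identical to the upstream commit, put this explanation and a reference to the upstream commit in the empty body of the outer patch, after its `Subject:` line. Both `main` functions extend beyond the hunks shown.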

