diff options
Diffstat (limited to 'system/polkit/CVE-2015-3218.patch')
-rw-r--r-- | system/polkit/CVE-2015-3218.patch | 115 |
1 files changed, 0 insertions, 115 deletions
diff --git a/system/polkit/CVE-2015-3218.patch b/system/polkit/CVE-2015-3218.patch deleted file mode 100644 index 977825102..000000000 --- a/system/polkit/CVE-2015-3218.patch +++ /dev/null @@ -1,115 +0,0 @@ -From 48e646918efb2bf0b3b505747655726d7869f31c Mon Sep 17 00:00:00 2001 -From: Colin Walters <walters@redhat.com> -Date: Sat, 30 May 2015 09:06:23 -0400 -Subject: CVE-2015-3218: backend: Handle invalid object paths in - RegisterAuthenticationAgent -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Properly propagate the error, otherwise we dereference a `NULL` -pointer. This is a local, authenticated DoS. - -`RegisterAuthenticationAgentWithOptions` and -`UnregisterAuthentication` have been validated to not need changes for -this. - -http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html -https://bugs.freedesktop.org/show_bug.cgi?id=90829 - -Reported-by: Tavis Ormandy <taviso@google.com> -Reviewed-by: Philip Withnall <philip@tecnocode.co.uk> -Reviewed-by: Miloslav Trmač <mitr@redhat.com> -Signed-off-by: Colin Walters <walters@redhat.com> - -diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c -index f6ea0fc..587f954 100644 ---- a/src/polkitbackend/polkitbackendinteractiveauthority.c -+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c -@@ -1566,36 +1566,42 @@ authentication_agent_new (PolkitSubject *scope, - const gchar *unique_system_bus_name, - const gchar *locale, - const gchar *object_path, -- GVariant *registration_options) -+ GVariant *registration_options, -+ GError **error) - { - AuthenticationAgent *agent; -- GError *error; -+ GDBusProxy *proxy; - -- agent = g_new0 (AuthenticationAgent, 1); -+ if (!g_variant_is_object_path (object_path)) -+ { -+ g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED, -+ "Invalid object path '%s'", object_path); -+ return NULL; -+ } -+ -+ proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM, -+ G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES | -+ G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS, -+ NULL, /* GDBusInterfaceInfo* */ -+ unique_system_bus_name, -+ object_path, -+ "org.freedesktop.PolicyKit1.AuthenticationAgent", -+ NULL, /* GCancellable* */ -+ error); -+ if (proxy == NULL) -+ { -+ g_prefix_error (error, "Failed to construct proxy for agent: " ); -+ return NULL; -+ } - -+ agent = g_new0 (AuthenticationAgent, 1); - agent->ref_count = 1; - agent->scope = g_object_ref (scope); - agent->object_path = g_strdup (object_path); - agent->unique_system_bus_name = g_strdup (unique_system_bus_name); - agent->locale = g_strdup (locale); - agent->registration_options = registration_options != NULL ? g_variant_ref (registration_options) : NULL; -- -- error = NULL; -- agent->proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM, -- G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES | -- G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS, -- NULL, /* GDBusInterfaceInfo* */ -- agent->unique_system_bus_name, -- agent->object_path, -- "org.freedesktop.PolicyKit1.AuthenticationAgent", -- NULL, /* GCancellable* */ -- &error); -- if (agent->proxy == NULL) -- { -- g_warning ("Error constructing proxy for agent: %s", error->message); -- g_error_free (error); -- /* TODO: Make authentication_agent_new() return NULL and set a GError */ -- } -+ agent->proxy = proxy; - - return agent; - } -@@ -2398,8 +2404,6 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken - caller_cmdline = NULL; - agent = NULL; - -- /* TODO: validate that object path is well-formed */ -- - interactive_authority = POLKIT_BACKEND_INTERACTIVE_AUTHORITY (authority); - priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (interactive_authority); - -@@ -2486,7 +2490,10 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken - polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)), - locale, - object_path, -- options); -+ options, -+ error); -+ if (!agent) -+ goto out; - - g_hash_table_insert (priv->hash_scope_to_authentication_agent, - g_object_ref (subject), --- -cgit v0.10.2 - |