diff options
Diffstat (limited to 'user')
-rw-r--r-- | user/polkit/APKBUILD | 8 | ||||
-rw-r--r-- | user/polkit/CVE-2018-19788.patch | 183 |
2 files changed, 190 insertions, 1 deletions
diff --git a/user/polkit/APKBUILD b/user/polkit/APKBUILD index ea5cb0c02..05976199d 100644 --- a/user/polkit/APKBUILD +++ b/user/polkit/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=polkit pkgver=0.115 -pkgrel=1 +pkgrel=2 pkgdesc="Toolkit for controlling system-wide privileges" url="https://www.freedesktop.org/wiki/Software/polkit/" arch="all" @@ -17,10 +17,15 @@ pkggroups="polkitd" install="$pkgname.pre-install" source="https://www.freedesktop.org/software/polkit/releases/polkit-$pkgver.tar.gz 0001-make-netgroup-support-optional.patch + CVE-2018-19788.patch fix-consolekit-db-stat.patch fix-test-fgetpwent.patch " +# secfixes: +# 0.115-r2: +# - CVE-2018-19788 + prepare() { cd "$builddir" default_prepare @@ -63,5 +68,6 @@ package() { sha512sums="1153011fa93145b2c184e6b3446d3ca21b38918641aeccd8fac3985ac3e30ec6bc75be6973985fde90f2a24236592f1595be259155061c2d33358dd17c4ee4fc polkit-0.115.tar.gz 6d68d90e6dc9594175631c99699d4d949fba6d2d1ad66680897f9a17e9dc3c17b44f2bc06ed4f6149931e17a96baaf481981fb0698aace7c81a67c06c2806c29 0001-make-netgroup-support-optional.patch +4a2a11c1de8ef11def9c32b4b595fd45066aeaeb0cb42665846e3c7b8c6f5b7d3a782d722a25889afdb6a4414abed0837a359692342baaeb770d0e9712818ce1 CVE-2018-19788.patch 95493ef842b46ce9e724933a5d86083589075fb452435057b8f629643cac7c7eff67a24fd188087987e98057f0130757fad546d0c090767da3d71ebaf8485a24 fix-consolekit-db-stat.patch 966825aded565432f4fda9e54113a773b514ebf7ee7faa83bcb8b97d218ae84a8707d6747bbc3cb8a828638d692fdef34c05038f150ad38e02a29f2c782aba5b fix-test-fgetpwent.patch" diff --git a/user/polkit/CVE-2018-19788.patch b/user/polkit/CVE-2018-19788.patch new file mode 100644 index 000000000..6a2845aca --- /dev/null +++ b/user/polkit/CVE-2018-19788.patch @@ -0,0 +1,183 @@ +From 35af308b530f36c1a0a912387106a59b3ab92027 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> +Date: Mon, 3 Dec 2018 10:28:58 +0100 +Subject: [PATCH 1/2] Use default of -1 for uid/gid in class initialization + +This doesn't seem to change anything in polkitd behaviour, but it +seems cleaner to default to -1 which here means "unset". +--- + src/polkit/polkitunixgroup.c | 4 ++-- + src/polkit/polkitunixuser.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c +index c57a1aa..095cca0 100644 +--- a/src/polkit/polkitunixgroup.c ++++ b/src/polkit/polkitunixgroup.c +@@ -131,9 +131,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass) + g_param_spec_int ("gid", + "Group ID", + "The UNIX group ID", +- 0, ++ -1, + G_MAXINT, +- 0, ++ -1, + G_PARAM_CONSTRUCT | + G_PARAM_READWRITE | + G_PARAM_STATIC_NAME | +diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c +index 8bfd3a1..a5285f4 100644 +--- a/src/polkit/polkitunixuser.c ++++ b/src/polkit/polkitunixuser.c +@@ -144,9 +144,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass) + g_param_spec_int ("uid", + "User ID", + "The UNIX user ID", +- 0, ++ -1, + G_MAXINT, +- 0, ++ -1, + G_PARAM_CONSTRUCT | + G_PARAM_READWRITE | + G_PARAM_STATIC_NAME | +-- +2.18.1 + + +From fbaab32cb4ed9ed5f1e3eea6cd317d443aa427dc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> +Date: Mon, 3 Dec 2018 12:51:26 +0100 +Subject: [PATCH 2/2] Check gid and uid initalization in PolkitUnixUser and + Group objects + +When a user or group above INT32_MAX is created, the numeric uid or +gid wraps around to negative when the value is assigned to gint, and +polkit gets confused. Let's refuse such uids and gids. + +This patch just refuses to initialize uid and gid values to negative. +A nicer fix is to change the underlying type to e.g. gint64 to allow +the full range of values in uid_t and gid_t to be represented. But +this cannot be done without breaking the API, so likely new functions +will have to be added (a polkit_unix_user_new variant that takes a +gint64, and the same for _group_new, _set_uid, _get_uid, _set_gid, +_get_gid, etc.). This will require a bigger patch. + +Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74. + +Example sessions from uid=4000000000: + +Dec 03 14:35:08 krowka polkitd[21432]: system-bus-name::1.41869 is inquiring whether system-bus-name::1.79432 is authorized for org.freedesktop.systemd1.manage-units +Dec 03 14:35:08 krowka polkitd[21432]: user of caller is unix-user:root +Dec 03 14:35:08 krowka polkitd[21432]: polkit_unix_user_new: assertion 'uid >= 0' failed +Dec 03 14:35:08 krowka polkitd[21432]: polkit_identity_to_string: assertion 'POLKIT_IS_IDENTITY (identity)' failed +Dec 03 14:35:08 krowka polkitd[21432]: user of subject is (null) +Dec 03 14:35:08 krowka polkitd[21432]: polkit_identity_equal: assertion 'POLKIT_IS_IDENTITY (b)' failed +Dec 03 14:35:08 krowka polkitd[21432]: checking whether system-bus-name::1.79432 is authorized for org.freedesktop.systemd1.manage-units +Dec 03 14:35:08 krowka polkitd[21432]: polkit_unix_user_new: assertion 'uid >= 0' failed +Dec 03 14:35:08 krowka polkitd[21432]: +Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_challenge: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed +Dec 03 14:35:08 krowka polkitd[21432]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed +Dec 03 14:35:08 krowka polkitd[21432]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed +Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_details: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed +Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_challenge: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed +Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_authorized: assertion 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed +Dec 03 14:35:08 krowka polkitd[21432]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed +Dec 03 14:35:08 krowka polkitd[21432]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed +--- + src/polkit/polkitunixgroup.c | 9 ++++++++- + src/polkit/polkitunixuser.c | 7 +++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c +index 095cca0..53db862 100644 +--- a/src/polkit/polkitunixgroup.c ++++ b/src/polkit/polkitunixgroup.c +@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT, + static void + polkit_unix_group_init (PolkitUnixGroup *unix_group) + { ++ unix_group->gid = -1; + } + + static void +@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object, + GParamSpec *pspec) + { + PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object); ++ gint val; + + switch (prop_id) + { + case PROP_GID: +- unix_group->gid = g_value_get_int (value); ++ val = g_value_get_int (value); ++ g_return_if_fail (val >= 0); ++ unix_group->gid = val; + break; + + default: +@@ -169,6 +173,7 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group, + gint gid) + { + g_return_if_fail (POLKIT_IS_UNIX_GROUP (group)); ++ g_return_if_fail (gid >= 0); + group->gid = gid; + } + +@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group, + PolkitIdentity * + polkit_unix_group_new (gint gid) + { ++ g_return_val_if_fail (gid >= 0, NULL); ++ + return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP, + "gid", gid, + NULL)); +diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c +index a5285f4..ef6403e 100644 +--- a/src/polkit/polkitunixuser.c ++++ b/src/polkit/polkitunixuser.c +@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT, + static void + polkit_unix_user_init (PolkitUnixUser *unix_user) + { ++ unix_user->uid = -1; + unix_user->name = NULL; + } + +@@ -112,10 +113,13 @@ polkit_unix_user_set_property (GObject *object, + GParamSpec *pspec) + { + PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object); ++ gint val; + + switch (prop_id) + { + case PROP_UID: ++ val = g_value_get_int (value); ++ g_return_if_fail (val >= 0); + unix_user->uid = g_value_get_int (value); + break; + +@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, + gint uid) + { + g_return_if_fail (POLKIT_IS_UNIX_USER (user)); ++ g_return_if_fail (uid >= 0); + user->uid = uid; + } + +@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, + PolkitIdentity * + polkit_unix_user_new (gint uid) + { ++ g_return_val_if_fail (uid >= 0, NULL); ++ + return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER, + "uid", uid, + NULL)); +-- +2.18.1 + |