From 7a2994761b1b0c34f270a808330d297dfd0d5eb2 Mon Sep 17 00:00:00 2001 From: "A. Wilcox" Date: Mon, 4 Dec 2023 05:54:52 -0600 Subject: user/polkit: Update to 123 * Uses duktape instead of SpiderMonkey/MozJS as JavaScript engine. * Lots of important CVEs fixes. * Uses Meson instead of autotools. * Most patches integrated upstream! Ref: #1100, #1104 Suggested-by: Sam James --- .../0001-make-netgroup-support-optional.patch | 250 --------------------- user/polkit/APKBUILD | 55 ++--- user/polkit/fix-consolekit-db-stat.patch | 6 +- user/polkit/polkit-0.115-elogind.patch | 28 --- 4 files changed, 20 insertions(+), 319 deletions(-) delete mode 100644 user/polkit/0001-make-netgroup-support-optional.patch delete mode 100644 user/polkit/polkit-0.115-elogind.patch (limited to 'user') diff --git a/user/polkit/0001-make-netgroup-support-optional.patch b/user/polkit/0001-make-netgroup-support-optional.patch deleted file mode 100644 index 6387974be..000000000 --- a/user/polkit/0001-make-netgroup-support-optional.patch +++ /dev/null @@ -1,250 +0,0 @@ -From 778bb45e0e0cbabe2b04adf67a500af1dab09768 Mon Sep 17 00:00:00 2001 -From: "A. Wilcox" -Date: Wed, 11 Jul 2018 04:54:26 -0500 -Subject: [PATCH] make netgroup support optional - -On at least Linux/musl and Linux/uclibc, netgroup support is not -available. PolKit fails to compile on these systems for that reason. - -This change makes netgroup support conditional on the presence of the -setnetgrent(3) function which is required for the support to work. If -that function is not available on the system, an error will be returned -to the administrator if unix-netgroup: is specified in configuration. - -Fixes bug 50145. - -Closes polkit/polkit#14. - -Signed-off-by: A. Wilcox ---- - configure.ac | 2 +- - src/polkit/polkitidentity.c | 16 ++++++++++++++++ - src/polkit/polkitunixnetgroup.c | 3 +++ - .../polkitbackendinteractiveauthority.c | 14 ++++++++------ - src/polkitbackend/polkitbackendjsauthority.cpp | 2 ++ - test/polkit/polkitidentitytest.c | 9 ++++++++- - test/polkit/polkitunixnetgrouptest.c | 3 +++ - .../test-polkitbackendjsauthority.c | 2 ++ - 8 files changed, 43 insertions(+), 8 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 5cedb4e..87aa0ad 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXPAT_LIBS="-lexpat"], - [AC_MSG_ERROR([Can't find expat library. Please install expat.])]) - AC_SUBST(EXPAT_LIBS) - --AC_CHECK_FUNCS(clearenv fdatasync) -+AC_CHECK_FUNCS(clearenv fdatasync setnetgrent) - - if test "x$GCC" = "xyes"; then - LDFLAGS="-Wl,--as-needed $LDFLAGS" -diff --git a/src/polkit/polkitidentity.c b/src/polkit/polkitidentity.c -index 3aa1f7f..10e9c17 100644 ---- a/src/polkit/polkitidentity.c -+++ b/src/polkit/polkitidentity.c -@@ -182,7 +182,15 @@ polkit_identity_from_string (const gchar *str, - } - else if (g_str_has_prefix (str, "unix-netgroup:")) - { -+#ifndef HAVE_SETNETGRENT -+ g_set_error (error, -+ POLKIT_ERROR, -+ POLKIT_ERROR_FAILED, -+ "Netgroups are not available on this machine ('%s')", -+ str); -+#else - identity = polkit_unix_netgroup_new (str + sizeof "unix-netgroup:" - 1); -+#endif - } - - if (identity == NULL && (error != NULL && *error == NULL)) -@@ -344,6 +352,13 @@ polkit_identity_new_for_gvariant (GVariant *variant, - GVariant *v; - const char *name; - -+#ifndef HAVE_SETNETGRENT -+ g_set_error (error, -+ POLKIT_ERROR, -+ POLKIT_ERROR_FAILED, -+ "Netgroups are not available on this machine"); -+ goto out; -+#else - v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error); - if (v == NULL) - { -@@ -353,6 +368,7 @@ polkit_identity_new_for_gvariant (GVariant *variant, - name = g_variant_get_string (v, NULL); - ret = polkit_unix_netgroup_new (name); - g_variant_unref (v); -+#endif - } - else - { -diff --git a/src/polkit/polkitunixnetgroup.c b/src/polkit/polkitunixnetgroup.c -index 8a2b369..83f8d4a 100644 ---- a/src/polkit/polkitunixnetgroup.c -+++ b/src/polkit/polkitunixnetgroup.c -@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUnixNetgroup *group, - PolkitIdentity * - polkit_unix_netgroup_new (const gchar *name) - { -+#ifndef HAVE_SETNETGRENT -+ g_assert_not_reached(); -+#endif - g_return_val_if_fail (name != NULL, NULL); - return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP, - "name", name, -diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c -index 056d9a8..36c2f3d 100644 ---- a/src/polkitbackend/polkitbackendinteractiveauthority.c -+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c -@@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity *group, - GList *ret; - - ret = NULL; -+#ifdef HAVE_SETNETGRENT - name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group)); - --#ifdef HAVE_SETNETGRENT_RETURN -+# ifdef HAVE_SETNETGRENT_RETURN - if (setnetgrent (name) == 0) - { - g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno)); - goto out; - } --#else -+# else - setnetgrent (name); --#endif -+# endif /* HAVE_SETNETGRENT_RETURN */ - - for (;;) - { --#if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) -+# if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) - const char *hostname, *username, *domainname; --#else -+# else - char *hostname, *username, *domainname; --#endif -+# endif /* defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) */ - PolkitIdentity *user; - GError *error = NULL; - -@@ -2282,6 +2283,7 @@ get_users_in_net_group (PolkitIdentity *group, - - out: - endnetgrent (); -+#endif /* HAVE_SETNETGRENT */ - return ret; - } - -diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp -index 9b752d1..09b2878 100644 ---- a/src/polkitbackend/polkitbackendjsauthority.cpp -+++ b/src/polkitbackend/polkitbackendjsauthority.cpp -@@ -1502,6 +1502,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, - - JS::CallArgs args = JS::CallArgsFromVp (argc, vp); - -+#ifdef HAVE_SETNETGRENT - JS::RootedString usrstr (authority->priv->cx); - usrstr = args[0].toString(); - user = JS_EncodeStringToUTF8 (cx, usrstr); -@@ -1519,6 +1520,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, - - JS_free (cx, netgroup); - JS_free (cx, user); -+#endif - - ret = true; - -diff --git a/test/polkit/polkitidentitytest.c b/test/polkit/polkitidentitytest.c -index e91967b..e829aaa 100644 ---- a/test/polkit/polkitidentitytest.c -+++ b/test/polkit/polkitidentitytest.c -@@ -19,6 +19,7 @@ - * Author: Nikki VonHollen - */ - -+#include "config.h" - #include "glib.h" - #include - #include -@@ -145,11 +146,15 @@ struct ComparisonTestData comparison_test_data [] = { - {"unix-group:root", "unix-group:jane", FALSE}, - {"unix-group:jane", "unix-group:jane", TRUE}, - -+#ifdef HAVE_SETNETGRENT - {"unix-netgroup:foo", "unix-netgroup:foo", TRUE}, - {"unix-netgroup:foo", "unix-netgroup:bar", FALSE}, -+#endif - - {"unix-user:root", "unix-group:root", FALSE}, -+#ifdef HAVE_SETNETGRENT - {"unix-user:jane", "unix-netgroup:foo", FALSE}, -+#endif - - {NULL}, - }; -@@ -181,11 +186,13 @@ main (int argc, char *argv[]) - g_test_add_data_func ("/PolkitIdentity/group_string_2", "unix-group:jane", test_string); - g_test_add_data_func ("/PolkitIdentity/group_string_3", "unix-group:users", test_string); - -+#ifdef HAVE_SETNETGRENT - g_test_add_data_func ("/PolkitIdentity/netgroup_string", "unix-netgroup:foo", test_string); -+ g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant); -+#endif - - g_test_add_data_func ("/PolkitIdentity/user_gvariant", "unix-user:root", test_gvariant); - g_test_add_data_func ("/PolkitIdentity/group_gvariant", "unix-group:root", test_gvariant); -- g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant); - - add_comparison_tests (); - -diff --git a/test/polkit/polkitunixnetgrouptest.c b/test/polkit/polkitunixnetgrouptest.c -index 3701ba1..e3352eb 100644 ---- a/test/polkit/polkitunixnetgrouptest.c -+++ b/test/polkit/polkitunixnetgrouptest.c -@@ -19,6 +19,7 @@ - * Author: Nikki VonHollen - */ - -+#include "config.h" - #include "glib.h" - #include - #include -@@ -69,7 +70,9 @@ int - main (int argc, char *argv[]) - { - g_test_init (&argc, &argv, NULL); -+#ifdef HAVE_SETNETGRENT - g_test_add_func ("/PolkitUnixNetgroup/new", test_new); - g_test_add_func ("/PolkitUnixNetgroup/set_name", test_set_name); -+#endif - return g_test_run (); - } -diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c -index 71aad23..fdd28f3 100644 ---- a/test/polkitbackend/test-polkitbackendjsauthority.c -+++ b/test/polkitbackend/test-polkitbackendjsauthority.c -@@ -137,12 +137,14 @@ test_get_admin_identities (void) - "unix-group:users" - } - }, -+#ifdef HAVE_SETNETGRENT - { - "net.company.action3", - { - "unix-netgroup:foo" - } - }, -+#endif - }; - guint n; - --- -2.21.0 - diff --git a/user/polkit/APKBUILD b/user/polkit/APKBUILD index 8616b82d4..683571a77 100644 --- a/user/polkit/APKBUILD +++ b/user/polkit/APKBUILD @@ -1,68 +1,47 @@ # Contributor: Carlo Landmeter # Maintainer: A. Wilcox pkgname=polkit -pkgver=0.116 -pkgrel=1 +pkgver=123 +pkgrel=0 pkgdesc="Toolkit for controlling system-wide privileges" url="https://www.freedesktop.org/wiki/Software/polkit/" arch="all" options="!check suid" # Requires running ConsoleKit and PolKit for JS backend license="LGPL-2.0+" depends="" -makedepends="glib-dev gobject-introspection-dev gtk-doc intltool linux-pam-dev - mozjs-dev autoconf automake libtool elogind-dev" +makedepends="glib-dev gobject-introspection-dev gtk-doc linux-pam-dev meson + duktape-dev elogind-dev" pkgusers="polkitd" pkggroups="polkitd" install="$pkgname.pre-install $pkgname.pre-upgrade" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang" -source="https://www.freedesktop.org/software/polkit/releases/polkit-$pkgver.tar.gz - 0001-make-netgroup-support-optional.patch +source="https://gitlab.freedesktop.org/polkit/polkit/-/archive/$pkgver/polkit-$pkgver.tar.bz2 fix-consolekit-db-stat.patch fix-test-fgetpwent.patch - polkit-0.115-elogind.patch " # secfixes: +# 0.123-r0: +# - CVE-2021-4034 # 0.115-r2: # - CVE-2018-19788 -prepare() { - default_prepare - autoreconf -vif -} - build() { - ./configure \ - --build=$CBUILD \ - --host=$CHOST \ - --prefix=/usr \ - --sysconfdir=/etc \ - --mandir=/usr/share/man \ - --infodir=/usr/share/info \ - --libexecdir=/usr/lib/polkit-1 \ - --localstatedir=/var \ - --disable-static \ - --enable-nls \ - --enable-introspection \ - --enable-man-pages \ - --with-pam-include=base-auth \ - --disable-gtk-doc-html \ - --disable-gtk-doc-pdf \ - --enable-libelogind=yes - - make + meson setup . build \ + -Dsession_tracking=libelogind \ + -Dman=true \ + -Dpam_include='base-auth' + meson compile -C build } check() { - make check + meson test -C build } package() { - make DESTDIR="$pkgdir" install + meson install -C build --destdir="$pkgdir" } -sha512sums="b66b01cc2bb4349de70147f41f161f0f6f41e7230b581dfb054058b48969ec57041ab05b51787c749ccfc36aa5f317952d7e7ba337b4f6f6c0a923ed5866c2d5 polkit-0.116.tar.gz -f13a350a040a80b705d28e2ce3fac183409f593dc360879ce1bc9ec85faa7796cf0f4e054098b737fb816369de6c9d598449f6908316484aac99a44a68102ae6 0001-make-netgroup-support-optional.patch -95493ef842b46ce9e724933a5d86083589075fb452435057b8f629643cac7c7eff67a24fd188087987e98057f0130757fad546d0c090767da3d71ebaf8485a24 fix-consolekit-db-stat.patch -966825aded565432f4fda9e54113a773b514ebf7ee7faa83bcb8b97d218ae84a8707d6747bbc3cb8a828638d692fdef34c05038f150ad38e02a29f2c782aba5b fix-test-fgetpwent.patch -06432fa56788699762c6978484640554f91728a1cb40679eb47b8514b3c7aa23aac5b9c26586eb4d7043a0af1b319bbe7f869d24844d9151317299b74a8e8f7f polkit-0.115-elogind.patch" +sha512sums="4306363d3ed7311243de462832199bd10ddda35e36449104daff0895725d8189b07a4c88340f28607846fdf761c23470da2d43288199c46aa816426384124bb6 polkit-123.tar.bz2 +bfefe2398f97138391ed34630e2994670dddaa0b13585e2e7cb101e7d11e3054dd491244ec84116b908d0f126a69032c467d83a0c52b0bb980d9b10290600745 fix-consolekit-db-stat.patch +966825aded565432f4fda9e54113a773b514ebf7ee7faa83bcb8b97d218ae84a8707d6747bbc3cb8a828638d692fdef34c05038f150ad38e02a29f2c782aba5b fix-test-fgetpwent.patch" diff --git a/user/polkit/fix-consolekit-db-stat.patch b/user/polkit/fix-consolekit-db-stat.patch index 3deceb639..d06ce7ae7 100644 --- a/user/polkit/fix-consolekit-db-stat.patch +++ b/user/polkit/fix-consolekit-db-stat.patch @@ -1,6 +1,6 @@ --- polkit-0.105.orig/src/polkitbackend/polkitbackendsessionmonitor.c 2012-04-24 19:05:34.000000000 +0300 +++ polkit-0.105/src/polkitbackend/polkitbackendsessionmonitor.c 2015-08-17 14:50:51.428580856 +0300 -@@ -47,7 +47,7 @@ struct _PolkitBackendSessionMonitor +@@ -48,7 +48,7 @@ struct _PolkitBackendSessionMonitor GKeyFile *database; GFileMonitor *database_monitor; @@ -9,7 +9,7 @@ }; struct _PolkitBackendSessionMonitorClass -@@ -95,7 +95,7 @@ reload_database (PolkitBackendSessionMon +@@ -96,7 +96,7 @@ reload_database (PolkitBackendSessionMon goto out; } @@ -18,7 +18,7 @@ monitor->database = g_key_file_new (); if (!g_key_file_load_from_file (monitor->database, -@@ -131,7 +131,8 @@ ensure_database (PolkitBackendSessionMon +@@ -132,7 +132,8 @@ ensure_database (PolkitBackendSessionMon strerror (errno)); goto out; } diff --git a/user/polkit/polkit-0.115-elogind.patch b/user/polkit/polkit-0.115-elogind.patch deleted file mode 100644 index 93d672015..000000000 --- a/user/polkit/polkit-0.115-elogind.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 08bb656496cd3d6213bbe9473f63f2d4a110da6e Mon Sep 17 00:00:00 2001 -From: Rasmus Thomsen -Date: Wed, 11 Apr 2018 13:14:14 +0200 -Subject: [PATCH] configure: fix elogind support - -HAVE_LIBSYSTEMD is used to determine which source files to use. -We have to check if either have_libsystemd or have_libelogind is -true, as both of these need the source files which are used when -HAVE_LIBSYSTEMD is true. ---- - configure.ac | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 36df239..da47ecb 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -221,7 +221,7 @@ AS_IF([test "x$cross_compiling" != "xyes" ], [ - - AC_SUBST(LIBSYSTEMD_CFLAGS) - AC_SUBST(LIBSYSTEMD_LIBS) --AM_CONDITIONAL(HAVE_LIBSYSTEMD, [test "$have_libsystemd" = "yes"], [Using libsystemd]) -+AM_CONDITIONAL(HAVE_LIBSYSTEMD, [test "$have_libsystemd" = "yes" || test "$have_libelogind" = "yes" ], [Using libsystemd]) - - dnl --------------------------------------------------------------------------- - dnl - systemd unit / service files --- -2.17.0 -- cgit v1.2.3-70-g09d2