mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
gnu: polkit: Fix CVE-2021-4034.
* gnu/packages/patches/polkit-CVE-2021-4034.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/polkit.scm (polkit-mozjs)[replacement]: New field. * gnu/packages/polkit.scm (polkit-mozjs/fixed): New variable.
This commit is contained in:
parent
73d775f518
commit
3993d33d1c
3 changed files with 95 additions and 1 deletions
|
@ -1645,6 +1645,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/plib-CVE-2011-4620.patch \
|
||||
%D%/packages/patches/plib-CVE-2012-4552.patch \
|
||||
%D%/packages/patches/plotutils-spline-test.patch \
|
||||
%D%/packages/patches/polkit-CVE-2021-4034.patch \
|
||||
%D%/packages/patches/polkit-configure-elogind.patch \
|
||||
%D%/packages/patches/polkit-use-duktape.patch \
|
||||
%D%/packages/patches/portaudio-audacity-compat.patch \
|
||||
|
|
82
gnu/packages/patches/polkit-CVE-2021-4034.patch
Normal file
82
gnu/packages/patches/polkit-CVE-2021-4034.patch
Normal file
|
@ -0,0 +1,82 @@
|
|||
Fixes CVE-2021-4034, local privilege escalation with 'pkexec':
|
||||
|
||||
https://www.openwall.com/lists/oss-security/2022/01/25/11
|
||||
|
||||
Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683>.
|
||||
|
||||
From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Rybar <jrybar@redhat.com>
|
||||
Date: Tue, 25 Jan 2022 17:21:46 +0000
|
||||
Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
|
||||
|
||||
---
|
||||
src/programs/pkcheck.c | 5 +++++
|
||||
src/programs/pkexec.c | 23 ++++++++++++++++++++---
|
||||
2 files changed, 25 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
|
||||
index f1bb4e1..768525c 100644
|
||||
--- a/src/programs/pkcheck.c
|
||||
+++ b/src/programs/pkcheck.c
|
||||
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
|
||||
local_agent_handle = NULL;
|
||||
ret = 126;
|
||||
|
||||
+ if (argc < 1)
|
||||
+ {
|
||||
+ exit(126);
|
||||
+ }
|
||||
+
|
||||
/* Disable remote file access from GIO. */
|
||||
setenv ("GIO_USE_VFS", "local", 1);
|
||||
|
||||
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
|
||||
index 7698c5c..84e5ef6 100644
|
||||
--- a/src/programs/pkexec.c
|
||||
+++ b/src/programs/pkexec.c
|
||||
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
|
||||
pid_t pid_of_caller;
|
||||
gpointer local_agent_handle;
|
||||
|
||||
+
|
||||
+ /*
|
||||
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
|
||||
+ */
|
||||
+ if (argc<1)
|
||||
+ {
|
||||
+ exit(127);
|
||||
+ }
|
||||
+
|
||||
ret = 127;
|
||||
authority = NULL;
|
||||
subject = NULL;
|
||||
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
|
||||
|
||||
path = g_strdup (pwstruct.pw_shell);
|
||||
if (!path)
|
||||
- {
|
||||
+ {
|
||||
g_printerr ("No shell configured or error retrieving pw_shell\n");
|
||||
goto out;
|
||||
- }
|
||||
+ }
|
||||
/* If you change this, be sure to change the if (!command_line)
|
||||
case below too */
|
||||
command_line = g_strdup (path);
|
||||
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
|
||||
goto out;
|
||||
}
|
||||
g_free (path);
|
||||
- argv[n] = path = s;
|
||||
+ path = s;
|
||||
+
|
||||
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
|
||||
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
|
||||
+ */
|
||||
+ if (argv[n] != NULL)
|
||||
+ {
|
||||
+ argv[n] = path;
|
||||
+ }
|
||||
}
|
||||
if (access (path, F_OK) != 0)
|
||||
{
|
|
@ -1,7 +1,7 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
|
||||
;;; Copyright © 2015 Andy Wingo <wingo@igalia.com>
|
||||
;;; Copyright © 2015, 2021 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2015, 2021-2022 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
|
||||
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
|
||||
;;; Copyright © 2017 Huang Ying <huang.ying.caritas@gmail.com>
|
||||
|
@ -54,6 +54,7 @@ (define-public polkit-mozjs
|
|||
(package
|
||||
(name "polkit")
|
||||
(version "0.120")
|
||||
(replacement polkit-mozjs/fixed)
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append
|
||||
|
@ -146,6 +147,16 @@ (define-public polkit-mozjs
|
|||
for unprivileged applications.")
|
||||
(license lgpl2.0+)))
|
||||
|
||||
(define-public polkit-mozjs/fixed
|
||||
(package
|
||||
(inherit polkit-mozjs)
|
||||
(version "0.121")
|
||||
(source (origin
|
||||
(inherit (package-source polkit-mozjs))
|
||||
(patches (cons (search-patch "polkit-CVE-2021-4034.patch")
|
||||
(origin-patches
|
||||
(package-source polkit-mozjs))))))))
|
||||
|
||||
;;; Variant of polkit built with Duktape, a lighter JavaScript engine compared
|
||||
;;; to mozjs.
|
||||
(define-public polkit-duktape
|
||||
|
|
Loading…
Reference in a new issue