PolicyKit Authorization Framework

PolicyKit is a toolkit for defining and handling authorizations.
It is used for allowing unprivileged processes to speak to privileged
processes.

Source Files
Filename                      Size (bytes)  Size
baselibs.conf                           11  11 Bytes
pkexec.patch                          2118  2.07 KB
polkit-0.116.tar.gz                1548311  1.48 MB
polkit-0.116.tar.gz.sign               455  455 Bytes
polkit-gettext.patch                  1988  1.94 KB
polkit-keyinit.patch                   447  447 Bytes
polkit-no-wheel-group.patch            469  469 Bytes
polkit.changes                       25156  24.6 KB
polkit.keyring                       41710  40.7 KB
polkit.spec                           7560  7.38 KB
Latest Revision
Gustavo Yokoyama Ribeiro (gyribeiro) committed (revision 2)
GNOME 3.34 update (allow to drop old mozjs52 in SLE15 SP2)
jsc#SLE-8245

Dropped SLE patches:
CVE-2019-6133.patch
0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch

both CVE and bug numbers are preserved and handled by version update

old: SUSE:SLE-15-SP2:GA/polkit
new: openSUSE.org:openSUSE:Factory/polkit rev 69
Index: pkexec.patch
===================================================================
--- pkexec.patch (revision 3)
+++ pkexec.patch (revision 69)
@@ -6,10 +6,10 @@
 building packages that want to check for pkexec in an emulated environment
 that does not support setuid invocation (eg. QEMU linux-user).
 
-Index: polkit-0.114/src/programs/pkexec.c
+Index: polkit-0.116/src/programs/pkexec.c
 ===================================================================
---- polkit-0.114.orig/src/programs/pkexec.c	2018-04-03 20:16:17.000000000 +0200
-+++ polkit-0.114/src/programs/pkexec.c	2018-04-10 02:48:03.031508016 +0200
+--- polkit-0.116.orig/src/programs/pkexec.c	2018-05-31 13:52:53.000000000 +0200
++++ polkit-0.116/src/programs/pkexec.c	2019-05-31 22:55:58.014504104 +0200
 @@ -504,27 +504,6 @@ main (int argc, char *argv[])
    /* Disable remote file access from GIO. */
    setenv ("GIO_USE_VFS", "local", 1);
Index: polkit-no-wheel-group.patch
===================================================================
--- polkit-no-wheel-group.patch (revision 3)
+++ polkit-no-wheel-group.patch (revision 69)
@@ -1,7 +1,7 @@
-Index: polkit-0.107/src/polkitbackend/50-default.rules
+Index: polkit-0.116/src/polkitbackend/50-default.rules
 ===================================================================
---- polkit-0.107.orig/src/polkitbackend/50-default.rules
-+++ polkit-0.107/src/polkitbackend/50-default.rules
+--- polkit-0.116.orig/src/polkitbackend/50-default.rules	2018-03-27 13:46:06.000000000 +0200
++++ polkit-0.116/src/polkitbackend/50-default.rules	2019-05-31 22:55:57.990503876 +0200
 @@ -8,5 +8,5 @@
  // about configuring polkit.
  
Index: polkit.changes
===================================================================
--- polkit.changes (revision 3)
+++ polkit.changes (revision 69)
@@ -1,9 +1,55 @@
 -------------------------------------------------------------------
-Tue Jul 23 06:29:16 UTC 2019 - Marcus Meissner <meissner@suse.com>
+Fri Nov 29 10:36:53 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com>
 
-- CVE-2019-6133.patch: Fixed improper caching of auth decisions,
-  which could bypass uid checking in the interactive backend.
-  (bsc#1121826 CVE-2019-6133)
+- Fix usage of libexecdir instead of prefix/lib where applicable.
+
+-------------------------------------------------------------------
+Tue Oct  8 12:41:44 UTC 2019 - Marcus Meissner <meissner@suse.com>
+
+- polkit-keyinit.patch: add pam_keyinit to the polkit configuration (bsc#1144053)
+
+-------------------------------------------------------------------
+Wed May 29 07:57:26 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com>
+
+- Update to version 0.116:
+  + Leaking zombie child processes.
+  + Possible resource leak found by static analyzer.
+  + Output messages tuneup.
+  + Sanity fixes.
+  + pkttyagent tty echo disabled on SIGINT.
+  + HACKING: add link to Code of Conduct.
+  + polkitbackend: comment typos fix.
+  + configure.ac: fix detection of systemd with cgroups v2.
+  + CVE-2018-19788 High UIDs overflow fix.
+  + CVE-2019-6133 Slowfork vulnerability fix.
+  + Allow unset process-uid.
+  + Port the JS authority to mozjs-60.
+  + Use JS_EncodeStringToUTF8.
+  + Updated translations.
+- Replace pkgconfig(mozjs-52) with pkgconfig(mozjs-60)
+  BuildRequires following upstreams changes.
+- Drop patches fixed upstream:
+  + polkit-fix-possible-resource-leak.patch
+  + polkit-fix-leaking-zombie-child-processes.patch
+  + polkit-CVE-2018-19788.patch
+- Refresh patches with quilt.
+
+-------------------------------------------------------------------
+Fri May 10 14:44:20 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Use systemd_ordering instead of systemd_requires: strictly
+  speaking, polkit does not require systemd to be present. Just
+  that when we install on a system with systemd (e.g outside
+  containers) we would want systemd to be present before
+  installing polkit. Help also reduce a cycle without special hacks
+  in systemd.spec.
+
+-------------------------------------------------------------------
+Fri Apr 26 11:06:05 UTC 2019 - mvetter@suse.com
+
+- bsc#1130588: Require shadow instead of old pwdutils
+- User proper Requires(pre)/Requires(post) for permissions and
+  shadow
 
 -------------------------------------------------------------------
 Thu Dec 20 17:29:58 UTC 2018 - meissner@suse.com
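Review bot: bsc#1121826 is lost in this hunk: the removed Jul 23 2019 entry carried `(bsc#1121826 CVE-2019-6133)`, while the 0.116 entry that replaces it lists only `CVE-2019-6133 Slowfork vulnerability fix.` Append the bug reference to that line, for example `+ CVE-2019-6133 Slowfork vulnerability fix (bsc#1121826).`, so the fix stays traceable from the changelog as the commit message intends. Separately, `User proper Requires(pre)/Requires(post)` in the Apr 26 entry should read `Use proper`.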
@@ -12,10 +58,20 @@
   (bsc#1118277 CVE-2018-19788)
 
 -------------------------------------------------------------------
-Wed Jul  4 12:00:12 UTC 2018 - meissner@suse.com
+Fri Aug 17 07:56:08 UTC 2018 - bjorn.lie@gmail.com
+
+- Add polkit-fix-possible-resource-leak.patch: Fix possible
+  resource leak found by static analyzer.
+- Add polkit-fix-leaking-zombie-child-processes.patch: polkitd: fix
+  zombie not reaped when js spawned process timed out (fdo#106021).
+
+-------------------------------------------------------------------
+Wed Jul 11 10:48:37 UTC 2018 - meissner@suse.com
 
-- 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch:
-  Fixed trusting the client-supplied UID (CVE-2018-1116 bsc#1099031)
+- Update to version 0.115:
+  - Fix CVE-2018-1116: Trusting client-supplied UID (bsc#1099031)
+  - jsauthority: pass "%s" format string to remaining report function
+    (obsoletes polkit-jsauthority-pass-format-string.patch)
 
 -------------------------------------------------------------------
 Mon Apr  9 22:38:39 UTC 2018 - bjorn.lie@gmail.com
Index: polkit.keyring
===================================================================
--- polkit.keyring (revision 3)
+++ polkit.keyring (revision 69)
@@ -624,3 +624,33 @@
 xswOcJBwoxssbQmiBaFp13Frzhjwjwqer+npV6FuOLjRsnMd7h9EgiGYGqH385w0
 =DnDa
 -----END PGP PUBLIC KEY BLOCK-----
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: SKS 1.1.6
+Comment: Hostname: fks.pgpkeys.eu
+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+=QrX7
+-----END PGP PUBLIC KEY BLOCK-----
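Review bot: The key block appended here is not identified anywhere in the visible change: its armor headers only show that it was exported from a keyserver (`Comment: Hostname: fks.pgpkeys.eu`), and none of the polkit.changes entries shown mentions a keyring update. This file is the keyring that polkit.spec ships as `Source2` next to the detached signature in `Source1`, so please record in polkit.changes whose key was added, its full fingerprint, and how that fingerprint was confirmed against upstream.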
Index: polkit.spec
===================================================================
--- polkit.spec (revision 3)
+++ polkit.spec (revision 69)
@@ -1,7 +1,7 @@
 #
 # spec file for package polkit
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,12 +17,12 @@
 
 
 Name:           polkit
-Version:        0.114
+Version:        0.116
 Release:        0
 Summary:        PolicyKit Authorization Framework
 License:        LGPL-2.1-or-later
 Group:          System/Libraries
-URL:            http://www.freedesktop.org/wiki/Software/polkit/
+Url:            http://www.freedesktop.org/wiki/Software/polkit/
 Source0:        http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
 Source1:        http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign
 Source2:        %{name}.keyring
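Review bot: The `URL:` to `Url:` change is tag-casing churn unrelated to the version bump and would be better dropped from this update. If the line is touched anyway, the more useful change is the scheme: `Url`, `Source0` and `Source1` all point at `http://www.freedesktop.org/...`, so the tarball and its signature are referenced over cleartext HTTP and integrity rests entirely on the check against `Source2`; switch them to `https://` if the upstream host serves it.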
@@ -34,14 +34,8 @@
 Patch1:         polkit-gettext.patch
 # PATCH-FIX-UPSTREAM pkexec.patch schwab@suse.de -- pkexec: allow --version and --help even if not setuid
 Patch2:         pkexec.patch
-# PATCH-FIX-UPSTREAM polkit-jsauthority-pass-format-string.patch bgo#105865 bjorn.lie@gmail.com -- jsauthority: pass "%s" format string to remaining report function
-Patch3:         polkit-jsauthority-pass-format-string.patch
-# PATCH-FIX-UPSTREAM 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch bsc#1099031 mgerstner@suse.com -- security fix
-Patch4:		0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch
-# PATCH-FIX-UPSTREAM polkit-CVE-2018-19788.patch bsc#1118277 meissner@suse.com -- 2cb40c4d5feeaa09325522bd7d97910f1b59e379
-Patch5:		polkit-CVE-2018-19788.patch
-# PATCH-FIX-UPSTREAM CVE-2019-6133.patch bsc#1121826 meissner@suse.com -- c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81
-Patch6:         CVE-2019-6133.patch
+# PATCH-FIX-OPENSUSE polkit-keyinit.patch meissner@ -- bsc#1144053 Please add "pam_keyinit.so" to the /etc/pam.d/polkit-1 configuration file
+Patch3:         polkit-keyinit.patch
 
 BuildRequires:  gcc-c++
 BuildRequires:  gtk-doc
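Review bot: The tag comment for the new `Patch3` gives the author as `meissner@`, with the domain missing; the other patch comments carry a full address (`schwab@suse.de`, and `meissner@suse.com` on the lines removed here). Please complete it so the patch owner can be contacted about the PAM configuration change.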
@@ -51,20 +45,19 @@
 BuildRequires:  libtool
 BuildRequires:  pam-devel
 BuildRequires:  systemd-rpm-macros
-BuildRequires:  pkgconfig(gio-unix-2.0) >= 2.30.0
-BuildRequires:  pkgconfig(gmodule-2.0) >= 2.30.0
+BuildRequires:  pkgconfig(gio-unix-2.0) >= 2.32.0
+BuildRequires:  pkgconfig(gmodule-2.0) >= 2.32.0
 BuildRequires:  pkgconfig(gobject-introspection-1.0) >= 0.6.2
 BuildRequires:  pkgconfig(libsystemd)
-BuildRequires:  pkgconfig(mozjs-52)
+BuildRequires:  pkgconfig(mozjs-60)
 BuildRequires:  pkgconfig(systemd)
 # gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle.
 #!BuildIgnore:  ruby
 Requires:       dbus-1
 Requires:       libpolkit0 = %{version}-%{release}
-# FIXME: use proper Requires(pre/post/preun/...)
-PreReq:         permissions
-PreReq:         pwdutils
-%systemd_requires
+Requires(pre):  shadow
+Requires(post): permissions
+%systemd_ordering
 
 # Upstream First - Policy:
 # Never add any patches to this package without the upstream commit id
@@ -121,31 +114,23 @@
 This package provides the GObject Introspection bindings for PolicyKit.
 
 %prep
-%setup -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
+%autosetup -p1
 
 %build
-export V=1
-# needed for patch1 and patch2
+# Needed for patch1 and patch2
 autoreconf -fi
 export SUID_CFLAGS="-fPIE"
 export SUID_LDFLAGS="-z now -pie"
 %configure \
-  --with-os-type=suse \
-  --enable-gtk-doc \
-  --with-pic \
-  --disable-static \
-  --enable-introspection \
-  --enable-examples \
-  --enable-libsystemd-login \
-  --libexecdir=%{_libexecdir}/polkit-1
-make %{?_smp_mflags}
+	--with-os-type=suse \
+	--enable-gtk-doc \
+	--with-pic \
+	--disable-static \
+	--enable-introspection \
+	--enable-examples \
+	--enable-libsystemd-login \
+	%{nil}
+%make_build
 
 %install
 %make_install
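Review bot: `export V=1` is dropped in %build while the setuid binaries still depend on `SUID_CFLAGS="-fPIE"` and `SUID_LDFLAGS="-z now -pie"` being passed through. Please confirm that `%make_build` still produces full compiler and linker command lines in the build log; if it does not, keep `V=1` so the log continues to show these hardening flags being applied.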
@@ -213,8 +198,8 @@
 %{_bindir}/pkcheck
 %verify(not mode) %attr(4755,root,root) %{_bindir}/pkexec
 %{_bindir}/pkttyagent
-%dir %{_libexecdir}/polkit-1
-%{_libexecdir}/polkit-1/polkitd
+%dir %{_prefix}/lib/polkit-1
+%{_prefix}/lib/polkit-1/polkitd
 %verify(not mode) %attr(4755,root,root) %{_prefix}/lib/polkit-1/polkit-agent-helper-1
 # $HOME for polkit user
 %dir %{_localstatedir}/lib/polkit
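Review bot: A comment is missing in %files to say why polkitd and its directory are now listed under `%{_prefix}/lib/polkit-1` rather than `%{_libexecdir}/polkit-1`. The setuid `polkit-agent-helper-1` line below already uses that prefix and the configure call no longer passes `--libexecdir`, but the Nov 29 changelog entry only says "where applicable"; one line giving the reason next to these entries would stop a later cleanup from switching them back to the macro.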
Index: polkit-0.116.tar.gz
===================================================================
Binary file polkit-0.116.tar.gz (revision 69) added
Index: polkit-0.116.tar.gz.sign
===================================================================
--- polkit-0.116.tar.gz.sign (added)
+++ polkit-0.116.tar.gz.sign (revision 69)
@@ -0,0 +1,10 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEcBAABAgAGBQJcwtuMAAoJEIzrMDD/3OJYhGAH/27d2LGj6CaqWgSfJcL7LkKt
+gXlS/jG16GpgW4K38KRK5d/3z6SXz0rgsT8LBAOSWdtpil1MFQqO2cUcQGAv5IeF
+5vBVgWzCRTF2KPBDgWHuE0QEw0iRBtZL4cOsibj0IiF8JBZ5zCowrUvVF4V6XS7+
+4kPYZD24ydY/vz5k6hbwqZfxbqQIOe8vZODzPelfjIDW1E0Zrovp9+KtMCVmSEJz
+reUiUc1eY0NpP51NhmwykkZ9D4AZ8fB76uqfELtEd9Yec3I0pvwyvI03eLmD7liC
+yI1VEIezPUgJnrGRf8uaVdaLE5TGn7hSIFCGy3xpBd2ZjTKncoed5JtpVDO1WiY=
+=1bx+
+-----END PGP SIGNATURE-----
Index: polkit-keyinit.patch
===================================================================
--- polkit-keyinit.patch (added)
+++ polkit-keyinit.patch (revision 69)
@@ -0,0 +1,9 @@
+Index: polkit-0.116/data/polkit-1.in
+===================================================================
+--- polkit-0.116.orig/data/polkit-1.in
++++ polkit-0.116/data/polkit-1.in
+@@ -4,3 +4,4 @@ auth       include      @PAM_FILE_INCLUD
+ account    include      @PAM_FILE_INCLUDE_ACCOUNT@
+ password   include      @PAM_FILE_INCLUDE_PASSWORD@
+ session    include      @PAM_FILE_INCLUDE_SESSION@
++session    optional     pam_keyinit.so revoke [force]
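Review bot: `[force]` in the added `pam_keyinit.so revoke [force]` line is written in square brackets, which reads like man-page synopsis notation for an optional argument rather than a setting someone chose. Write `force` plainly if forcing a new session keyring is intended, or drop it, and add a short header to the patch explaining the choice, since the patch file currently starts directly at `Index:` with no description.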
Index: 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch
===================================================================
--- 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch (revision 3)
+++ 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch (deleted)
@@ -1,577 +0,0 @@
-From b77e3f0c13ac008905ad2a867c63f766af43ea95 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= <mitr@redhat.com>
-Date: Mon, 25 Jun 2018 19:24:06 +0200
-Subject: [PATCH] Fix CVE-FIXME: Trusting client-supplied UID
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As part of CVE-2013-4288, the D-Bus clients were allowed (and
-encouraged) to submit the UID of the subject of authorization checks
-to avoid races against UID changes (notably using executables
-set-UID to root).
-
-However, that also allowed any client to submit an arbitrary UID, and
-that could be used to bypass "can only ask about / affect the same UID"
-checks in CheckAuthorization / RegisterAuthenticationAgent /
-UnregisterAuthenticationAgent.  This allowed an attacker:
-
-- With CheckAuthorization, to cause the registered authentication
-  agent in victim's session to pop up a dialog, or to determine whether
-  the victim currently has a temporary authorization to perform an
-  operation.
-
-  (In principle, the attacker can also determine whether JavaScript
-  rules allow the victim process to perform an operatin; however,
-  usually rules base their decisions on information deterined from
-  the supplied UID, so the attacker usually won't learn anything new.)
-
-- With RegisterAuthenticationAgent, to prevent the victim's
-  authentication agent to work (for a specific victim process),
-  or to learn about which operations requiring authorization
-  the victim is attempting.
-
-To fix this, expose internal _polkit_unix_process_get_owner() /
-obsolete polkit_unix_process_get_owner() as a private
-polkit_unix_process_get_racy_uid__() (being more explicit about the
-dangers on relying on it), and use it in
-polkit_backend_session_monitor_get_user_for_subject() to return
-a boolean indicating whether the subject UID may be caller-chosen.
-
-Then, in the permission checks that require the subject to be
-equal to the caller, fail on caller-chosen UIDs (and continue
-through the pre-existing code paths which allow root, or root-designated
-server processes, to ask about arbitrary subjects.)
-
-Signed-off-by: Miloslav Trmač <mitr@redhat.com>
----
- src/polkit/polkitprivate.h                    |  2 +
- src/polkit/polkitunixprocess.c                | 61 ++++++++++++++++---
- .../polkitbackendinteractiveauthority.c       | 39 +++++++-----
- .../polkitbackendsessionmonitor-systemd.c     | 38 ++++++++++--
- .../polkitbackendsessionmonitor.c             | 40 ++++++++++--
- .../polkitbackendsessionmonitor.h             |  1 +
- 6 files changed, 148 insertions(+), 33 deletions(-)
-
-diff --git a/src/polkit/polkitprivate.h b/src/polkit/polkitprivate.h
-index 9f07063..c80142d 100644
---- a/src/polkit/polkitprivate.h
-+++ b/src/polkit/polkitprivate.h
-@@ -44,6 +44,8 @@ GVariant *polkit_action_description_to_gvariant (PolkitActionDescription *action
- GVariant *polkit_subject_to_gvariant (PolkitSubject *subject);
- GVariant *polkit_identity_to_gvariant (PolkitIdentity *identity);
- 
-+gint polkit_unix_process_get_racy_uid__ (PolkitUnixProcess *process, GError **error);
-+
- PolkitSubject  *polkit_subject_new_for_gvariant (GVariant *variant, GError **error);
- PolkitIdentity *polkit_identity_new_for_gvariant (GVariant *variant, GError **error);
- 
-diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
-index d4ebf50..972b777 100644
---- a/src/polkit/polkitunixprocess.c
-+++ b/src/polkit/polkitunixprocess.c
-@@ -56,6 +56,14 @@
-  * To uniquely identify processes, both the process id and the start
-  * time of the process (a monotonic increasing value representing the
-  * time since the kernel was started) is used.
-+ *
-+ * NOTE: This object stores, and provides access to, the real UID of the
-+ * process.  That value can change over time (with set*uid*(2) and exec*(2)).
-+ * Checks whether an operation is allowed need to take care to use the UID
-+ * value as of the time when the operation was made (or, following the open()
-+ * privilege check model, when the connection making the operation possible
-+ * was initiated).  That is usually done by initializing this with
-+ * polkit_unix_process_new_for_owner() with trusted data.
-  */
- 
- /**
-@@ -90,9 +98,6 @@ static void subject_iface_init (PolkitSubjectIface *subject_iface);
- static guint64 get_start_time_for_pid (gint    pid,
-                                        GError **error);
- 
--static gint _polkit_unix_process_get_owner (PolkitUnixProcess  *process,
--                                            GError            **error);
--
- #if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD) || defined(HAVE_OPENBSD)
- static gboolean get_kinfo_proc (gint pid,
- #if defined(HAVE_NETBSD)
-@@ -182,7 +187,7 @@ polkit_unix_process_constructed (GObject *object)
-     {
-       GError *error;
-       error = NULL;
--      process->uid = _polkit_unix_process_get_owner (process, &error);
-+      process->uid = polkit_unix_process_get_racy_uid__ (process, &error);
-       if (error != NULL)
-         {
-           process->uid = -1;
-@@ -271,6 +276,12 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
-  * Gets the user id for @process. Note that this is the real user-id,
-  * not the effective user-id.
-  *
-+ * NOTE: The UID may change over time, so the returned value may not match the
-+ * current state of the underlying process; or the UID may have been set by
-+ * polkit_unix_process_new_for_owner() or polkit_unix_process_set_uid(),
-+ * in which case it may not correspond to the actual UID of the referenced
-+ * process at all (at any point in time).
-+ *
-  * Returns: The user id for @process or -1 if unknown.
-  */
- gint
-@@ -708,13 +719,20 @@ out:
-   return start_time;
- }
- 
--static gint
--_polkit_unix_process_get_owner (PolkitUnixProcess  *process,
--                                GError            **error)
-+/*
-+ * Private: Return the "current" UID.  Note that this is inherently racy,
-+ * and the value may already be obsolete by the time this function returns;
-+ * this function only guarantees that the UID was valid at some point during
-+ * its execution.
-+ */
-+gint
-+polkit_unix_process_get_racy_uid__ (PolkitUnixProcess  *process,
-+                                    GError            **error)
- {
-   gint result;
-   gchar *contents;
-   gchar **lines;
-+  guint64 start_time;
- #if defined(HAVE_FREEBSD) || defined(HAVE_OPENBSD)
-   struct kinfo_proc p;
- #elif defined(HAVE_NETBSD)
-@@ -722,6 +740,7 @@ _polkit_unix_process_get_owner (PolkitUnixProcess  *process,
- #else
-   gchar filename[64];
-   guint n;
-+  GError *local_error;
- #endif
- 
-   g_return_val_if_fail (POLKIT_IS_UNIX_PROCESS (process), 0);
-@@ -745,8 +764,10 @@ _polkit_unix_process_get_owner (PolkitUnixProcess  *process,
- 
- #if defined(HAVE_FREEBSD)
-   result = p.ki_uid;
-+  start_time = (guint64) p.ki_start.tv_sec;
- #else
-   result = p.p_uid;
-+  start_time = (guint64) p.p_ustart_sec;
- #endif
- #else
- 
-@@ -781,17 +802,37 @@ _polkit_unix_process_get_owner (PolkitUnixProcess  *process,
-       else
-         {
-           result = real_uid;
--          goto out;
-+          goto found;
-         }
-     }
--
-   g_set_error (error,
-                POLKIT_ERROR,
-                POLKIT_ERROR_FAILED,
-                "Didn't find any line starting with `Uid:' in file %s",
-                filename);
-+  goto out;
-+
-+found:
-+  /* The UID and start time are, sadly, not available in a single file.  So,
-+   * read the UID first, and then the start time; if the start time is the same
-+   * before and after reading the UID, it couldn't have changed.
-+   */
-+  local_error = NULL;
-+  start_time = get_start_time_for_pid (process->pid, &local_error);
-+  if (local_error != NULL)
-+    {
-+      g_propagate_error (error, local_error);
-+      goto out;
-+    }
- #endif
- 
-+  if (process->start_time != start_time)
-+    {
-+      g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED,
-+		   "process with PID %d has been replaced", process->pid);
-+      goto out;
-+    }
-+
- out:
-   g_strfreev (lines);
-   g_free (contents);
-@@ -810,5 +851,5 @@ gint
- polkit_unix_process_get_owner (PolkitUnixProcess  *process,
-                                GError            **error)
- {
--  return _polkit_unix_process_get_owner (process, error);
-+  return polkit_unix_process_get_racy_uid__ (process, error);
- }
-diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
-index 1cd60d3..cb6fdab 100644
---- a/src/polkitbackend/polkitbackendinteractiveauthority.c
-+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
-@@ -575,7 +575,7 @@ log_result (PolkitBackendInteractiveAuthority    *authority,
-   if (polkit_authorization_result_get_is_authorized (result))
-     log_result_str = "ALLOWING";
- 
--  user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL);
-+  user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL, NULL);
- 
-   subject_str = polkit_subject_to_string (subject);
- 
-@@ -847,6 +847,7 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority
-   gchar *subject_str;
-   PolkitIdentity *user_of_caller;
-   PolkitIdentity *user_of_subject;
-+  gboolean user_of_subject_matches;
-   gchar *user_of_caller_str;
-   gchar *user_of_subject_str;
-   PolkitAuthorizationResult *result;
-@@ -892,7 +893,7 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority
-            action_id);
- 
-   user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor,
--                                                                        caller,
-+                                                                        caller, NULL,
-                                                                         &error);
-   if (error != NULL)
-     {
-@@ -907,7 +908,7 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority
-   g_debug (" user of caller is %s", user_of_caller_str);
- 
-   user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor,
--                                                                         subject,
-+                                                                         subject, &user_of_subject_matches,
-                                                                          &error);
-   if (error != NULL)
-     {
-@@ -937,7 +938,10 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority
-    * We only allow this if, and only if,
-    *
-    *  - processes may check for another process owned by the *same* user but not
--   *    if details are passed (otherwise you'd be able to spoof the dialog)
-+   *    if details are passed (otherwise you'd be able to spoof the dialog);
-+   *    the caller supplies the user_of_subject value, so we additionally
-+   *    require it to match at least at one point in time (via
-+   *    user_of_subject_matches).
-    *
-    *  - processes running as uid 0 may check anything and pass any details
-    *
-@@ -945,7 +949,9 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority
-    *    then any uid referenced by that annotation is also allowed to check
-    *    to check anything and pass any details
-    */
--  if (!polkit_identity_equal (user_of_caller, user_of_subject) || has_details)
-+  if (!user_of_subject_matches
-+      || !polkit_identity_equal (user_of_caller, user_of_subject)
-+      || has_details)
-     {
-       if (!may_identity_check_authorization (interactive_authority, action_id, user_of_caller))
-         {
-@@ -1110,9 +1116,10 @@ check_authorization_sync (PolkitBackendAuthority         *authority,
-       goto out;
-     }
- 
--  /* every subject has a user */
-+  /* every subject has a user; this is supplied by the client, so we rely
-+   * on the caller to validate its acceptability. */
-   user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor,
--                                                                         subject,
-+                                                                         subject, NULL,
-                                                                          error);
-   if (user_of_subject == NULL)
-       goto out;
-@@ -2480,6 +2487,7 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
-   PolkitSubject *session_for_caller;
-   PolkitIdentity *user_of_caller;
-   PolkitIdentity *user_of_subject;
-+  gboolean user_of_subject_matches;
-   AuthenticationAgent *agent;
-   gboolean ret;
-   gchar *caller_cmdline;
-@@ -2532,7 +2540,7 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
-       goto out;
-     }
- 
--  user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL);
-+  user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL, NULL);
-   if (user_of_caller == NULL)
-     {
-       g_set_error (error,
-@@ -2541,7 +2549,7 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
-                    "Cannot determine user of caller");
-       goto out;
-     }
--  user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL);
-+  user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, &user_of_subject_matches, NULL);
-   if (user_of_subject == NULL)
-     {
-       g_set_error (error,
-@@ -2550,7 +2558,8 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
-                    "Cannot determine user of subject");
-       goto out;
-     }
--  if (!polkit_identity_equal (user_of_caller, user_of_subject))
-+  if (!user_of_subject_matches
-+      || !polkit_identity_equal (user_of_caller, user_of_subject))
-     {
-       if (identity_is_root_user (user_of_caller))
-         {
-@@ -2643,6 +2652,7 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack
-   PolkitSubject *session_for_caller;
-   PolkitIdentity *user_of_caller;
-   PolkitIdentity *user_of_subject;
-+  gboolean user_of_subject_matches;
-   AuthenticationAgent *agent;
-   gboolean ret;
-   gchar *scope_str;
-@@ -2691,7 +2701,7 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack
-       goto out;
-     }
- 
--  user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL);
-+  user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL, NULL);
-   if (user_of_caller == NULL)
-     {
-       g_set_error (error,
-@@ -2700,7 +2710,7 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack
-                    "Cannot determine user of caller");
-       goto out;
-     }
--  user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL);
-+  user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, &user_of_subject_matches, NULL);
-   if (user_of_subject == NULL)
-     {
-       g_set_error (error,
-@@ -2709,7 +2719,8 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack
-                    "Cannot determine user of subject");
-       goto out;
-     }
--  if (!polkit_identity_equal (user_of_caller, user_of_subject))
-+  if (!user_of_subject_matches
-+      || !polkit_identity_equal (user_of_caller, user_of_subject))
-     {
-       if (identity_is_root_user (user_of_caller))
-         {
-@@ -2819,7 +2830,7 @@ polkit_backend_interactive_authority_authentication_agent_response (PolkitBacken
-            identity_str);
- 
-   user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor,
--                                                                        caller,
-+                                                                        caller, NULL,
-                                                                         error);
-   if (user_of_caller == NULL)
-     goto out;
-diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-index 2a6c739..b00cdbd 100644
---- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-+++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-@@ -29,6 +29,7 @@
- #include <stdlib.h>
- 
- #include <polkit/polkit.h>
-+#include <polkit/polkitprivate.h>
- #include "polkitbackendsessionmonitor.h"
- 
- /* <internal>
-@@ -246,26 +247,40 @@ polkit_backend_session_monitor_get_sessions (PolkitBackendSessionMonitor *monito
-  * polkit_backend_session_monitor_get_user:
-  * @monitor: A #PolkitBackendSessionMonitor.
-  * @subject: A #PolkitSubject.
-+ * @result_matches: If not %NULL, set to indicate whether the return value matches current (RACY) state.
-  * @error: Return location for error.
-  *
-  * Gets the user corresponding to @subject or %NULL if no user exists.
-  *
-+ * NOTE: For a #PolkitUnixProcess, the UID is read from @subject (which may
-+ * come from e.g. a D-Bus client), so it may not correspond to the actual UID
-+ * of the referenced process (at any point in time).  This is indicated by
-+ * setting @result_matches to %FALSE; the caller may reject such subjects or
-+ * require additional privileges. @result_matches == %TRUE only indicates that
-+ * the UID matched the underlying process at ONE point in time, it may not match
-+ * later.
-+ *
-  * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref().
-  */
- PolkitIdentity *
- polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor  *monitor,
-                                                      PolkitSubject                *subject,
-+                                                     gboolean                     *result_matches,
-                                                      GError                      **error)
- {
-   PolkitIdentity *ret;
--  guint32 uid;
-+  gboolean matches;
- 
-   ret = NULL;
-+  matches = FALSE;
- 
-   if (POLKIT_IS_UNIX_PROCESS (subject))
-     {
--      uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject));
--      if ((gint) uid == -1)
-+      gint subject_uid, current_uid;
-+      GError *local_error;
-+
-+      subject_uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject));
-+      if (subject_uid == -1)
-         {
-           g_set_error (error,
-                        POLKIT_ERROR,
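Review bot: the new @result_matches out-parameter is documented as optional ("If not %NULL"), so a caller can pass NULL and keep trusting the client-supplied UID with no signal that it was never checked. Consider making the parameter mandatory for PolkitUnixProcess subjects, or documenting which callers are allowed to pass NULL. The doc-comment title also still reads polkit_backend_session_monitor_get_user while the function is polkit_backend_session_monitor_get_user_for_subject.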
-@@ -273,14 +288,24 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor
-                        "Unix process subject does not have uid set");
-           goto out;
-         }
--      ret = polkit_unix_user_new (uid);
-+      local_error = NULL;
-+      current_uid = polkit_unix_process_get_racy_uid__ (POLKIT_UNIX_PROCESS (subject), &local_error);
-+      if (local_error != NULL)
-+	{
-+	  g_propagate_error (error, local_error);
-+	  goto out;
-+	}
-+      ret = polkit_unix_user_new (subject_uid);
-+      matches = (subject_uid == current_uid);
-     }
-   else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
-     {
-       ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error);
-+      matches = TRUE;
-     }
-   else if (POLKIT_IS_UNIX_SESSION (subject))
-     {
-+      uid_t uid;
- 
-       if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0)
-         {
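Review bot: in the PolkitUnixProcess branch a UID mismatch is not an error. `ret = polkit_unix_user_new (subject_uid);` still returns the identity built from the claimed UID and only `matches` records the disagreement, so the fix holds only if every caller inspects the flag. Worth stating in the comment why this does not fail closed (return NULL with an error when `subject_uid != current_uid`). Style: the added `if (local_error != NULL)` body is tab-indented while the surrounding function uses spaces.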
-@@ -292,9 +317,14 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor
-         }
- 
-       ret = polkit_unix_user_new (uid);
-+      matches = TRUE;
-     }
- 
-  out:
-+  if (result_matches != NULL)
-+    {
-+      *result_matches = matches;
-+    }
-   return ret;
- }
- 
-diff --git a/src/polkitbackend/polkitbackendsessionmonitor.c b/src/polkitbackend/polkitbackendsessionmonitor.c
-index e1a9ab3..ed30755 100644
---- a/src/polkitbackend/polkitbackendsessionmonitor.c
-+++ b/src/polkitbackend/polkitbackendsessionmonitor.c
-@@ -27,6 +27,7 @@
- #include <glib/gstdio.h>
- 
- #include <polkit/polkit.h>
-+#include <polkit/polkitprivate.h>
- #include "polkitbackendsessionmonitor.h"
- 
- #define CKDB_PATH "/var/run/ConsoleKit/database"
-@@ -273,28 +274,40 @@ polkit_backend_session_monitor_get_sessions (PolkitBackendSessionMonitor *monito
-  * polkit_backend_session_monitor_get_user:
-  * @monitor: A #PolkitBackendSessionMonitor.
-  * @subject: A #PolkitSubject.
-+ * @result_matches: If not %NULL, set to indicate whether the return value matches current (RACY) state.
-  * @error: Return location for error.
-  *
-  * Gets the user corresponding to @subject or %NULL if no user exists.
-  *
-+ * NOTE: For a #PolkitUnixProcess, the UID is read from @subject (which may
-+ * come from e.g. a D-Bus client), so it may not correspond to the actual UID
-+ * of the referenced process (at any point in time).  This is indicated by
-+ * setting @result_matches to %FALSE; the caller may reject such subjects or
-+ * require additional privileges. @result_matches == %TRUE only indicates that
-+ * the UID matched the underlying process at ONE point in time, it may not match
-+ * later.
-+ *
-  * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref().
-  */
- PolkitIdentity *
- polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor  *monitor,
-                                                      PolkitSubject                *subject,
-+                                                     gboolean                     *result_matches,
-                                                      GError                      **error)
- {
-   PolkitIdentity *ret;
-+  gboolean matches;
-   GError *local_error;
--  gchar *group;
--  guint32 uid;
- 
-   ret = NULL;
-+  matches = FALSE;
- 
-   if (POLKIT_IS_UNIX_PROCESS (subject))
-     {
--      uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject));
--      if ((gint) uid == -1)
-+      gint subject_uid, current_uid;
-+
-+      subject_uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject));
-+      if (subject_uid == -1)
-         {
-           g_set_error (error,
-                        POLKIT_ERROR,
-@@ -302,14 +315,26 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor
-                        "Unix process subject does not have uid set");
-           goto out;
-         }
--      ret = polkit_unix_user_new (uid);
-+      local_error = NULL;
-+      current_uid = polkit_unix_process_get_racy_uid__ (POLKIT_UNIX_PROCESS (subject), &local_error);
-+      if (local_error != NULL)
-+	{
-+	  g_propagate_error (error, local_error);
-+	  goto out;
-+	}
-+      ret = polkit_unix_user_new (subject_uid);
-+      matches = (subject_uid == current_uid);
-     }
-   else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
-     {
-       ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error);
-+      matches = TRUE;
-     }
-   else if (POLKIT_IS_UNIX_SESSION (subject))
-     {
-+      gint uid;
-+      gchar *group;
-+
-       if (!ensure_database (monitor, error))
-         {
-           g_prefix_error (error, "Error getting user for session: Error ensuring CK database at " CKDB_PATH ": ");
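Review bot: this hunk repeats the subject_uid / current_uid comparison from the sd_session_get_uid variant earlier in the patch line for line, so a later correction to one copy can easily miss the other. A shared static helper that returns the identity and the matches flag for a PolkitUnixProcess would keep the two backends in step. The session branch here also declares `gint uid;` where the other variant uses `uid_t uid;`, which is worth aligning.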
-@@ -328,9 +353,14 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor
-       g_free (group);
- 
-       ret = polkit_unix_user_new (uid);
-+      matches = TRUE;
-     }
- 
-  out:
-+  if (result_matches != NULL)
-+    {
-+      *result_matches = matches;
-+    }
-   return ret;
- }
- 
-diff --git a/src/polkitbackend/polkitbackendsessionmonitor.h b/src/polkitbackend/polkitbackendsessionmonitor.h
-index 8f8a2ca..3972326 100644
---- a/src/polkitbackend/polkitbackendsessionmonitor.h
-+++ b/src/polkitbackend/polkitbackendsessionmonitor.h
-@@ -47,6 +47,7 @@ GList                       *polkit_backend_session_monitor_get_sessions (Polkit
- 
- PolkitIdentity              *polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor,
-                                                                                   PolkitSubject               *subject,
-+                                                                                  gboolean                    *result_matches,
-                                                                                   GError                     **error);
- 
- PolkitSubject               *polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMonitor *monitor,
--- 
-2.17.1
-
Index: CVE-2019-6133.patch
===================================================================
--- CVE-2019-6133.patch (revision 3)
+++ CVE-2019-6133.patch (deleted)
@@ -1,159 +0,0 @@
-diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c
-index d4c1182141d486fb0a2005d336f3ac05213f65a5..ccabd0a24627de8e785fc0dc31527082f8aecda0 100644
---- a/src/polkit/polkitsubject.c
-+++ b/src/polkit/polkitsubject.c
-@@ -99,6 +99,8 @@ polkit_subject_hash (PolkitSubject *subject)
-  * @b: A #PolkitSubject.
-  *
-  * Checks if @a and @b are equal, ie. represent the same subject.
-+ * However, avoid calling polkit_subject_equal() to compare two processes;
-+ * for more information see the `PolkitUnixProcess` documentation.
-  *
-  * This function can be used in e.g. g_hash_table_new().
-  *
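Review bot: the added sentence tells callers to avoid polkit_subject_equal() for two processes but does not say what to do instead, and the next line still recommends the function for g_hash_table_new(). Name the replacement check, or state that process subjects need an additional UID comparison, so the warning is actionable from this doc comment alone.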
-diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
-index b02b25894ad120d88ea21d4c96ac8dca1821fcf2..78d72514ffd1ddd97ac28a678cf384f4045bb621 100644
---- a/src/polkit/polkitunixprocess.c
-+++ b/src/polkit/polkitunixprocess.c
-@@ -51,7 +51,10 @@
-  * @title: PolkitUnixProcess
-  * @short_description: Unix processs
-  *
-- * An object for representing a UNIX process.
-+ * An object for representing a UNIX process.  NOTE: This object as
-+ * designed is now known broken; a mechanism to exploit a delay in
-+ * start time in the Linux kernel was identified.  Avoid
-+ * calling polkit_subject_equal() to compare two processes.
-  *
-  * To uniquely identify processes, both the process id and the start
-  * time of the process (a monotonic increasing value representing the
-@@ -66,6 +69,72 @@
-  * polkit_unix_process_new_for_owner() with trusted data.
-  */
- 
-+/* See https://gitlab.freedesktop.org/polkit/polkit/issues/75
-+
-+  But quoting the original email in full here to ensure it's preserved:
-+
-+  From: Jann Horn <jannh@google.com>
-+  Subject: [SECURITY] polkit: temporary auth hijacking via PID reuse and non-atomic fork
-+  Date: Wednesday, October 10, 2018 5:34 PM
-+
-+When a (non-root) user attempts to e.g. control systemd units in the system
-+instance from an active session over DBus, the access is gated by a polkit
-+policy that requires "auth_admin_keep" auth. This results in an auth prompt
-+being shown to the user, asking the user to confirm the action by entering the
-+password of an administrator account.
-+
-+After the action has been confirmed, the auth decision for "auth_admin_keep" is
-+cached for up to five minutes. Subject to some restrictions, similar actions can
-+then be performed in this timespan without requiring re-auth:
-+
-+ - The PID of the DBus client requesting the new action must match the PID of
-+   the DBus client requesting the old action (based on SO_PEERCRED information
-+   forwarded by the DBus daemon).
-+ - The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22)
-+   must not have changed. The granularity of this timestamp is in the
-+   millisecond range.
-+ - polkit polls every two seconds whether a process with the expected start time
-+   still exists. If not, the temporary auth entry is purged.
-+
-+Without the start time check, this would obviously be buggy because an attacker
-+could simply wait for the legitimate client to disappear, then create a new
-+client with the same PID.
-+
-+Unfortunately, the start time check is bypassable because fork() is not atomic.
-+Looking at the source code of copy_process() in the kernel:
-+
-+        p->start_time = ktime_get_ns();
-+        p->real_start_time = ktime_get_boot_ns();
-+        [...]
-+        retval = copy_thread_tls(clone_flags, stack_start, stack_size, p, tls);
-+        if (retval)
-+                goto bad_fork_cleanup_io;
-+
-+        if (pid != &init_struct_pid) {
-+                pid = alloc_pid(p->nsproxy->pid_ns_for_children);
-+                if (IS_ERR(pid)) {
-+                        retval = PTR_ERR(pid);
-+                        goto bad_fork_cleanup_thread;
-+                }
-+        }
-+
-+The ktime_get_boot_ns() call is where the "start time" of the process is
-+recorded. The alloc_pid() call is where a free PID is allocated. In between
-+these, some time passes; and because the copy_thread_tls() call between them can
-+access userspace memory when sys_clone() is invoked through the 32-bit syscall
-+entry point, an attacker can even stall the kernel arbitrarily long at this
-+point (by supplying a pointer into userspace memory that is associated with a
-+userfaultfd or is backed by a custom FUSE filesystem).
-+
-+This means that an attacker can immediately call sys_clone() when the victim
-+process is created, often resulting in a process that has the exact same start
-+time reported in procfs; and then the attacker can delay the alloc_pid() call
-+until after the victim process has died and the PID assignment has cycled
-+around. This results in an attacker process that polkit can't distinguish from
-+the victim process.
-+*/
-+
-+
- /**
-  * PolkitUnixProcess:
-  *
-diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
-index a1630b9535333ad6c728a198cc6bc8a4e55211a9..80e814155c2a0f58a4e8301eb2b7c4910fa31782 100644
---- a/src/polkitbackend/polkitbackendinteractiveauthority.c
-+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
-@@ -3031,6 +3031,43 @@ temporary_authorization_store_free (TemporaryAuthorizationStore *store)
-   g_free (store);
- }
- 
-+/* See the comment at the top of polkitunixprocess.c */
-+static gboolean
-+subject_equal_for_authz (PolkitSubject *a,
-+                         PolkitSubject *b)
-+{
-+  if (!polkit_subject_equal (a, b))
-+    return FALSE;
-+
-+  /* Now special case unix processes, as we want to protect against
-+   * pid reuse by including the UID.
-+   */
-+  if (POLKIT_IS_UNIX_PROCESS (a) && POLKIT_IS_UNIX_PROCESS (b)) {
-+    PolkitUnixProcess *ap = (PolkitUnixProcess*)a;
-+    int uid_a = polkit_unix_process_get_uid ((PolkitUnixProcess*)a);
-+    PolkitUnixProcess *bp = (PolkitUnixProcess*)b;
-+    int uid_b = polkit_unix_process_get_uid ((PolkitUnixProcess*)b);
-+
-+    if (uid_a != -1 && uid_b != -1)
-+      {
-+        if (uid_a == uid_b)
-+          {
-+            return TRUE;
-+          }
-+        else
-+          {
-+            g_printerr ("denying slowfork; pid %d uid %d != %d!\n",
-+                        polkit_unix_process_get_pid (ap),
-+                        uid_a, uid_b);
-+            return FALSE;
-+          }
-+      }
-+    /* Fall through; one of the uids is unset so we can't reliably compare */
-+  }
-+
-+  return TRUE;
-+}
-+
- static gboolean
- temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *store,
-                                                  PolkitSubject               *subject,
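Review bot: subject_equal_for_authz() fails open when either UID is unset. The "Fall through" comment ends in `return TRUE;`, so a PolkitUnixProcess whose uid is -1 is matched on pid and start time only, which is the comparison the comment at the top of polkitunixprocess.c describes as bypassable. Consider returning FALSE in that case, or explain why an unset UID cannot reach this path. Minor: `bp` is assigned but never used, and `ap` is used only for the log line while both getters re-cast `a` and `b`.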
-@@ -3073,7 +3110,7 @@ temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *st
-     TemporaryAuthorization *authorization = l->data;
- 
-     if (strcmp (action_id, authorization->action_id) == 0 &&
--        polkit_subject_equal (subject_to_use, authorization->subject))
-+        subject_equal_for_authz (subject_to_use, authorization->subject))
-       {
-         ret = TRUE;
-         if (out_tmp_authz_id != NULL)
Index: polkit-0.114.tar.gz
===================================================================
Binary file polkit-0.114.tar.gz (revision 3) deleted
Index: polkit-0.114.tar.gz.sign
===================================================================
--- polkit-0.114.tar.gz.sign (revision 3)
+++ polkit-0.114.tar.gz.sign (deleted)
@@ -1,16 +0,0 @@
Index: polkit-CVE-2018-19788.patch
===================================================================
--- polkit-CVE-2018-19788.patch (revision 3)
+++ polkit-CVE-2018-19788.patch (deleted)
@@ -1,181 +0,0 @@
-commit 2cb40c4d5feeaa09325522bd7d97910f1b59e379
-Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
-Date:   Mon Dec 3 10:28:58 2018 +0100
-
-    Allow negative uids/gids in PolkitUnixUser and Group objects
-    
-    (uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
-    there should be no users with such number, see
-    https://systemd.io/UIDS-GIDS#special-linux-uids.
-    
-    (uid_t) -1 is used as the default value in class initialization.
-    
-    When a user or group above INT32_MAX is created, the numeric uid or
-    gid wraps around to negative when the value is assigned to gint, and
-    polkit gets confused. Let's accept such gids, except for -1.
-    
-    A nicer fix would be to change the underlying type to e.g. uint32 to
-    not have negative values. But this cannot be done without breaking the
-    API, so likely new functions will have to be added (a
-    polkit_unix_user_new variant that takes a unsigned, and the same for
-    _group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
-    require a bigger patch.
-    
-    Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
-
-diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c
-index c57a1aa..309f689 100644
---- a/src/polkit/polkitunixgroup.c
-+++ b/src/polkit/polkitunixgroup.c
-@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
- static void
- polkit_unix_group_init (PolkitUnixGroup *unix_group)
- {
-+  unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
- }
- 
- static void
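Review bot: typo in the added comment in polkit_unix_group_init(): `(git_t) -1` should read `(gid_t) -1`, matching the `(uid_t) -1` wording used for PolkitUnixUser later in this patch.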
-@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject      *object,
-                                GParamSpec   *pspec)
- {
-   PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
-+  gint val;
- 
-   switch (prop_id)
-     {
-     case PROP_GID:
--      unix_group->gid = g_value_get_int (value);
-+      val = g_value_get_int (value);
-+      g_return_if_fail (val != -1);
-+      unix_group->gid = val;
-       break;
- 
-     default:
-@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
-                                    g_param_spec_int ("gid",
-                                                      "Group ID",
-                                                      "The UNIX group ID",
--                                                     0,
-+                                                     G_MININT,
-                                                      G_MAXINT,
--                                                     0,
-+                                                     -1,
-                                                      G_PARAM_CONSTRUCT |
-                                                      G_PARAM_READWRITE |
-                                                      G_PARAM_STATIC_NAME |
-@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
-  */
- void
- polkit_unix_group_set_gid (PolkitUnixGroup *group,
--                          gint gid)
-+                           gint gid)
- {
-   g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
-+  g_return_if_fail (gid != -1);
-   group->gid = gid;
- }
- 
-@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
- PolkitIdentity *
- polkit_unix_group_new (gint gid)
- {
-+  g_return_val_if_fail (gid != -1, NULL);
-+
-   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
-                                        "gid", gid,
-                                        NULL));
-diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
-index 972b777..b02b258 100644
---- a/src/polkit/polkitunixprocess.c
-+++ b/src/polkit/polkitunixprocess.c
-@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject      *object,
-       polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
-       break;
- 
--    case PROP_UID:
--      polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
-+    case PROP_UID: {
-+      gint val;
-+
-+      val = g_value_get_int (value);
-+      g_return_if_fail (val != -1);
-+      polkit_unix_process_set_uid (unix_process, val);
-       break;
-+    }
- 
-     case PROP_START_TIME:
-       polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
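Review bot: the new `g_return_if_fail (val != -1);` under PROP_UID rejects the very value the param spec in the next hunk keeps as its default (-1, with G_PARAM_CONSTRUCT). A PolkitUnixProcess constructed without an explicit "uid" will therefore push -1 through set_property and log a GLib critical rather than staying quietly unset. Either skip the setter call when `val == -1` or drop the assertion here. Note that polkit_unix_process_set_uid() loses its own range check later in this patch, so the property path and the direct setter now disagree about -1.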
-@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
-                                    g_param_spec_int ("uid",
-                                                      "User ID",
-                                                      "The UNIX user ID",
--                                                     -1,
-+                                                     G_MININT,
-                                                      G_MAXINT,
-                                                      -1,
-                                                      G_PARAM_CONSTRUCT |
-@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
-                              gint               uid)
- {
-   g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
--  g_return_if_fail (uid >= -1);
-   process->uid = uid;
- }
- 
-diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c
-index 8bfd3a1..234a697 100644
---- a/src/polkit/polkitunixuser.c
-+++ b/src/polkit/polkitunixuser.c
-@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
- static void
- polkit_unix_user_init (PolkitUnixUser *unix_user)
- {
-+  unix_user->uid = -1;  /* (uid_t) -1 is not a valid UID under Linux */
-   unix_user->name = NULL;
- }
- 
-@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject      *object,
-                                GParamSpec   *pspec)
- {
-   PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
-+  gint val;
- 
-   switch (prop_id)
-     {
-     case PROP_UID:
--      unix_user->uid = g_value_get_int (value);
-+      val = g_value_get_int (value);
-+      g_return_if_fail (val != -1);
-+      unix_user->uid = val;
-       break;
- 
-     default:
-@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
-                                    g_param_spec_int ("uid",
-                                                      "User ID",
-                                                      "The UNIX user ID",
--                                                     0,
-+                                                     G_MININT,
-                                                      G_MAXINT,
--                                                     0,
-+                                                     -1,
-                                                      G_PARAM_CONSTRUCT |
-                                                      G_PARAM_READWRITE |
-                                                      G_PARAM_STATIC_NAME |
-@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
-                           gint uid)
- {
-   g_return_if_fail (POLKIT_IS_UNIX_USER (user));
-+  g_return_if_fail (uid != -1);
-   user->uid = uid;
- }
- 
-@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
- PolkitIdentity *
- polkit_unix_user_new (gint uid)
- {
-+  g_return_val_if_fail (uid != -1, NULL);
-+
-   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
-                                         "uid", uid,
-                                         NULL));
Index: polkit-jsauthority-pass-format-string.patch
===================================================================
--- polkit-jsauthority-pass-format-string.patch (revision 3)
+++ polkit-jsauthority-pass-format-string.patch (deleted)
@@ -1,32 +0,0 @@
-From 373705b35e7f6c7dc83de5e0a3ce11ecd15d0409 Mon Sep 17 00:00:00 2001
-From: Ray Strode <rstrode@redhat.com>
-Date: Tue, 3 Apr 2018 15:26:37 -0400
-Subject: jsauthority: pass "%s" format string to remaining report function
-
-commit 00adeee1b62 attempted to add a "%s" format string to the
-two JS_Report invocations that needed it, but somehow only got
-one them.
-
-This commit gets the other one.
-
-https://bugzilla.gnome.org/show_bug.cgi?id=105865
----
- src/polkitbackend/polkitbackendjsauthority.cpp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
-index 9746c47..517f3c6 100644
---- a/src/polkitbackend/polkitbackendjsauthority.cpp
-+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
-@@ -1292,7 +1292,7 @@ js_polkit_log (JSContext  *cx,
-   JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
- 
-   s = JS_EncodeString (cx, args[0].toString ());
--  JS_ReportWarningUTF8 (cx, s);
-+  JS_ReportWarningUTF8 (cx, "%s", s);
-   JS_free (cx, s);
- 
-   ret = true;
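Review bot: `s` from JS_EncodeString() is passed to JS_ReportWarningUTF8 (cx, "%s", s) without a NULL check. The "%s" fix removes the format-string problem, but an encoding or allocation failure would still hand a NULL pointer to the formatter. Add `if (s == NULL) return false;` (or equivalent) before the report call.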
--- 
-cgit v1.1
-