PolicyKit Authorization Framework
PolicyKit is a toolkit for defining and handling authorizations.
It is used for allowing unprivileged processes to speak to privileged
processes.
Checkout Package
osc -A https://api.opensuse.org checkout SUSE:SLE-15-SP2:GA/polkit && cd $_
Source Files
Filename | Size
---|---
baselibs.conf | 11 Bytes
pkexec.patch | 2.07 KB
polkit-0.116.tar.gz | 1.48 MB
polkit-0.116.tar.gz.sign | 455 Bytes
polkit-gettext.patch | 1.94 KB
polkit-keyinit.patch | 447 Bytes
polkit-no-wheel-group.patch | 469 Bytes
polkit.changes | 24.6 KB
polkit.keyring | 40.7 KB
polkit.spec | 7.38 KB
Latest Revision: Gustavo Yokoyama Ribeiro (gyribeiro) committed (revision 2)
GNOME 3.34 update (allow to drop old mozjs52 in SLE15 SP2) jsc#SLE-8245 Dropped SLE patches: CVE-2019-6133.patch 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch both CVE and bug numbers are preserved and handled by version update old: SUSE:SLE-15-SP2:GA/polkit new: openSUSE.org:openSUSE:Factory/polkit rev 69 Index: pkexec.patch =================================================================== --- pkexec.patch (revision 3) +++ pkexec.patch (revision 69) @@ -6,10 +6,10 @@ building packages that want to check for pkexec in an emulated environment that does not support setuid invocation (eg. QEMU linux-user). -Index: polkit-0.114/src/programs/pkexec.c +Index: polkit-0.116/src/programs/pkexec.c =================================================================== ---- polkit-0.114.orig/src/programs/pkexec.c 2018-04-03 20:16:17.000000000 +0200 -+++ polkit-0.114/src/programs/pkexec.c 2018-04-10 02:48:03.031508016 +0200 +--- polkit-0.116.orig/src/programs/pkexec.c 2018-05-31 13:52:53.000000000 +0200 ++++ polkit-0.116/src/programs/pkexec.c 2019-05-31 22:55:58.014504104 +0200 @@ -504,27 +504,6 @@ main (int argc, char *argv[]) /* Disable remote file access from GIO. */ setenv ("GIO_USE_VFS", "local", 1); Index: polkit-no-wheel-group.patch =================================================================== --- polkit-no-wheel-group.patch (revision 3) +++ polkit-no-wheel-group.patch (revision 69) @@ -1,7 +1,7 @@ -Index: polkit-0.107/src/polkitbackend/50-default.rules +Index: polkit-0.116/src/polkitbackend/50-default.rules =================================================================== ---- polkit-0.107.orig/src/polkitbackend/50-default.rules -+++ polkit-0.107/src/polkitbackend/50-default.rules +--- polkit-0.116.orig/src/polkitbackend/50-default.rules 2018-03-27 13:46:06.000000000 +0200 ++++ polkit-0.116/src/polkitbackend/50-default.rules 2019-05-31 22:55:57.990503876 +0200 
@@ -8,5 +8,5 @@ // about configuring polkit. Index: polkit.changes =================================================================== --- polkit.changes (revision 3) +++ polkit.changes (revision 69) 
@@ -1,9 +1,55 @@ ------------------------------------------------------------------- -Tue Jul 23 06:29:16 UTC 2019 - Marcus Meissner <meissner@suse.com> +Fri Nov 29 10:36:53 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com> -- CVE-2019-6133.patch: Fixed improper caching of auth decisions, - which could bypass uid checking in the interactive backend. - (bsc#1121826 CVE-2019-6133) +- Fix usage of libexecdir instead of prefix/lib where applicable. + +------------------------------------------------------------------- +Tue Oct 8 12:41:44 UTC 2019 - Marcus Meissner <meissner@suse.com> + +- polkit-keyinit.patch: add pam_keyinit to the polkit configuration (bsc#1144053) + +------------------------------------------------------------------- +Wed May 29 07:57:26 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com> + +- Update to version 0.116: + + Leaking zombie child processes. + + Possible resource leak found by static analyzer. + + Output messages tuneup. + + Sanity fixes. + + pkttyagent tty echo disabled on SIGINT. + + HACKING: add link to Code of Conduct. + + polkitbackend: comment typos fix. + + configure.ac: fix detection of systemd with cgroups v2. + + CVE-2018-19788 High UIDs overflow fix. + + CVE-2019-6133 Slowfork vulnerability fix. + + Allow unset process-uid. + + Port the JS authority to mozjs-60. + + Use JS_EncodeStringToUTF8. + + Updated translations. +- Replace pkgconfig(mozjs-52) with pkgconfig(mozjs-60) + BuildRequires following upstreams changes. +- Drop patches fixed upstream: + + polkit-fix-possible-resource-leak.patch + + polkit-fix-leaking-zombie-child-processes.patch + + polkit-CVE-2018-19788.patch +- Refresh patches with quilt. + +------------------------------------------------------------------- +Fri May 10 14:44:20 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org> + +- Use systemd_ordering instead of systemd_requires: strictly + speaking, polkit does not require systemd to be present. 
Just + that when we install on a system with systemd (e.g outside + containers) we would want systemd to be present before + installing polkit. Help also reduce a cycle without special hacks + in systemd.spec. + +------------------------------------------------------------------- +Fri Apr 26 11:06:05 UTC 2019 - mvetter@suse.com + +- bsc#1130588: Require shadow instead of old pwdutils +- User proper Requires(pre)/Requires(post) for permissions and + shadow ------------------------------------------------------------------- Thu Dec 20 17:29:58 UTC 2018 - meissner@suse.com @@ -12,10 +58,20 @@ (bsc#1118277 CVE-2018-19788) ------------------------------------------------------------------- -Wed Jul 4 12:00:12 UTC 2018 - meissner@suse.com +Fri Aug 17 07:56:08 UTC 2018 - bjorn.lie@gmail.com + +- Add polkit-fix-possible-resource-leak.patch: Fix possible + resource leak found by static analyzer. +- Add polkit-fix-leaking-zombie-child-processes.patch: polkitd: fix + zombie not reaped when js spawned process timed out (fdo#106021). + +------------------------------------------------------------------- +Wed Jul 11 10:48:37 UTC 2018 - meissner@suse.com -- 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch: - Fixed trusting the client-supplied UID (CVE-2018-1116 bsc#1099031) +- Update to version 0.115: + - Fix CVE-2018-1116: Trusting client-supplied UID (bsc#1099031) + - jsauthority: pass "%s" format string to remaining report function + (obsoletes polkit-jsauthority-pass-format-string.patch) ------------------------------------------------------------------- Mon Apr 9 22:38:39 UTC 2018 - bjorn.lie@gmail.com Index: polkit.keyring =================================================================== --- polkit.keyring (revision 3) +++ polkit.keyring (revision 69) 
@@ -624,3 +624,33 @@ xswOcJBwoxssbQmiBaFp13Frzhjwjwqer+npV6FuOLjRsnMd7h9EgiGYGqH385w0 =DnDa -----END PGP PUBLIC KEY BLOCK----- + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: SKS 1.1.6 +Comment: Hostname: fks.pgpkeys.eu + +mQENBFtkaE8BCADL6NFIHYl5RDKRyDm2/igDWiveVFWzUZGJeBBkAcpZcstJK0mDxwWbcOwE ++XvMUux4HwZCymZb+5SctrHyQvS629BTbynfZv5JOIAKl1Hg24yklBGYJ1LX/4H140Y2cGTN +3xymGisSYMNF11Cngsw1qND8NJ6fqadHafn8s1gvphFkCs8LpoJgTBrLEUQZpnpSRcIP+/UR +2R/ErCkwE9erPHfksj+B+hGD6PKqeLPSvLq5F9L+axnMgH784QQADn3BaM2ZePtC+gbUYgsY +ra6jwsEsjZmd/nauVex2rB3MaRgiwTg6+cmDXgd5a0w2CPMFlQiWiamb7/UfCxsFRgs3ABEB +AAG0J0phbiBSeWJhciAoUmVkIEhhdCkgPGpyeWJhckByZWRoYXQuY29tPokBOAQTAQIAIgUC +W2RoTwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQjOswMP/c4lha5wf8C7+FoCIU +NE83GgnG4Vp7jJFgn1B8ea7Jvya0X37kHWBUueQv7F0M+3qUtVQNHDSIfehysiAtNncWh58V +n9JWohzvWTGnZ1bY8IeU/MxCrBrWaxqsjsWOPq1smtnIas7LLkn44oOlyOXDVOp/JOk4QxoO +gf6GIERpit/0dBNjFSkeL037ocB/f6WekG4MpYtp/U4gy3MAWhBKXxJUTgJFRSiLtGEdnUGW +wG8ZbulGRRO79rWg9ThvpPEEqZG/2bm4kWMlaaaDsJ9lbPA4rN0uU0ny3/2COwqKtpwrLvRE +duRcVG9vpnCl5zkFtNc00p2RRBrQJ/PLq2OdSrGMf0skhbkBDQRbZGhPAQgAxaVnvy+O0sUR +/P1e7CAQKg7jSXFoUIHVpT/F7Q2t3hs2I3wmQTAy92CVWDXJDDpN93VR6IJQzws0F7IV9+Js +xl4Hu6ELyaOpMD0QVb09s9C0s2nz88rn6WMoy0wuVJcB0h8aNzUBjRsgi94XTH44tlcVZj4q +/GbQaJy8kBNu5V6sAQg64h5xuU4tow8tkzL78bNOLeYXyEYOO+Dlt/879oxQca+dTHXr13NV +wKFqcduBIcsQZd5JnQFeXo+8XWpmeS/wwX0RW+J0mSYWvjP/fMeE7BIftbbolqr+HwwppVNP +ouFDPq/9bKmQs7USen6rOJ6uIqMhPkopgXXOle3EEQARAQABiQEfBBgBAgAJBQJbZGhPAhsM +AAoJEIzrMDD/3OJYmlMH/0NTd/lZ0jh0djRYlRcz0OIT9B/2gYmNoekEsciEliPS3WEN+M2s +kZM/L/lLFCbD4dOqlXqb84Yvch9iC/VzCEYCEs8Kz647H2mBnyHxxOKtgrXJpWhZoRzs9pzb +AVCEkl5+PjFRwhn7Nwpm/EG+02VgR9JC1ZdX28iN3a3axbLuI9RIZznRRL5Jr5ePMJ0nRvWY +HX4K+Wt5UhHuo1Kaj9Yn0UcTCj7WKznRjNtL6S4N4mS8OJwi8jZ8Rvb3GFCViEaVz/+ZNBaW +HGJO/6RB1aNr3SlD155eTM6H6v2lsNn4gpc7T3GL9AzEsuUef5mqo1EsO+OJeBrQv8vVybJx +GJ8= +=QrX7 +-----END PGP PUBLIC KEY BLOCK----- Index: polkit.spec =================================================================== --- 
polkit.spec (revision 3) +++ polkit.spec (revision 69) @@ -1,7 +1,7 @@ # # spec file for package polkit # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,12 +17,12 @@ Name: polkit -Version: 0.114 +Version: 0.116 Release: 0 Summary: PolicyKit Authorization Framework License: LGPL-2.1-or-later Group: System/Libraries -URL: http://www.freedesktop.org/wiki/Software/polkit/ +Url: http://www.freedesktop.org/wiki/Software/polkit/ Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign Source2: %{name}.keyring @@ -34,14 +34,8 @@ Patch1: polkit-gettext.patch # PATCH-FIX-UPSTREAM pkexec.patch schwab@suse.de -- pkexec: allow --version and --help even if not setuid Patch2: pkexec.patch -# PATCH-FIX-UPSTREAM polkit-jsauthority-pass-format-string.patch bgo#105865 bjorn.lie@gmail.com -- jsauthority: pass "%s" format string to remaining report function -Patch3: polkit-jsauthority-pass-format-string.patch -# PATCH-FIX-UPSTREAM 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch bsc#1099031 mgerstner@suse.com -- security fix -Patch4: 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch -# PATCH-FIX-UPSTREAM polkit-CVE-2018-19788.patch bsc#1118277 meissner@suse.com -- 2cb40c4d5feeaa09325522bd7d97910f1b59e379 -Patch5: polkit-CVE-2018-19788.patch -# PATCH-FIX-UPSTREAM CVE-2019-6133.patch bsc#1121826 meissner@suse.com -- c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81 -Patch6: CVE-2019-6133.patch +# PATCH-FIX-OPENSUSE polkit-keyinit.patch meissner@ -- bsc#1144053 Please add "pam_keyinit.so" to the /etc/pam.d/polkit-1 configuration file +Patch3: polkit-keyinit.patch BuildRequires: gcc-c++ BuildRequires: gtk-doc 
@@ -51,20 +45,19 @@ BuildRequires: libtool BuildRequires: pam-devel BuildRequires: systemd-rpm-macros -BuildRequires: pkgconfig(gio-unix-2.0) >= 2.30.0 -BuildRequires: pkgconfig(gmodule-2.0) >= 2.30.0 +BuildRequires: pkgconfig(gio-unix-2.0) >= 2.32.0 +BuildRequires: pkgconfig(gmodule-2.0) >= 2.32.0 BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.2 BuildRequires: pkgconfig(libsystemd) -BuildRequires: pkgconfig(mozjs-52) +BuildRequires: pkgconfig(mozjs-60) BuildRequires: pkgconfig(systemd) # gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle. #!BuildIgnore: ruby Requires: dbus-1 Requires: libpolkit0 = %{version}-%{release} -# FIXME: use proper Requires(pre/post/preun/...) -PreReq: permissions -PreReq: pwdutils -%systemd_requires +Requires(pre): shadow +Requires(post): permissions +%systemd_ordering # Upstream First - Policy: # Never add any patches to this package without the upstream commit id @@ -121,31 +114,23 @@ This package provides the GObject Introspection bindings for PolicyKit. %prep -%setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 +%autosetup -p1 %build -export V=1 -# needed for patch1 and patch2 +# Needed for patch1 and patch2 autoreconf -fi export SUID_CFLAGS="-fPIE" export SUID_LDFLAGS="-z now -pie" %configure \ - --with-os-type=suse \ - --enable-gtk-doc \ - --with-pic \ - --disable-static \ - --enable-introspection \ - --enable-examples \ - --enable-libsystemd-login \ - --libexecdir=%{_libexecdir}/polkit-1 -make %{?_smp_mflags} + --with-os-type=suse \ + --enable-gtk-doc \ + --with-pic \ + --disable-static \ + --enable-introspection \ + --enable-examples \ + --enable-libsystemd-login \ + %{nil} +%make_build %install %make_install 
@@ -213,8 +198,8 @@ %{_bindir}/pkcheck %verify(not mode) %attr(4755,root,root) %{_bindir}/pkexec %{_bindir}/pkttyagent -%dir %{_libexecdir}/polkit-1 -%{_libexecdir}/polkit-1/polkitd +%dir %{_prefix}/lib/polkit-1 +%{_prefix}/lib/polkit-1/polkitd %verify(not mode) %attr(4755,root,root) %{_prefix}/lib/polkit-1/polkit-agent-helper-1 # $HOME for polkit user %dir %{_localstatedir}/lib/polkit Index: polkit-0.116.tar.gz =================================================================== Binary file polkit-0.116.tar.gz (revision 69) added Index: polkit-0.116.tar.gz.sign =================================================================== --- polkit-0.116.tar.gz.sign (added) +++ polkit-0.116.tar.gz.sign (revision 69) @@ -0,0 +1,10 @@ +-----BEGIN PGP SIGNATURE----- + +iQEcBAABAgAGBQJcwtuMAAoJEIzrMDD/3OJYhGAH/27d2LGj6CaqWgSfJcL7LkKt +gXlS/jG16GpgW4K38KRK5d/3z6SXz0rgsT8LBAOSWdtpil1MFQqO2cUcQGAv5IeF +5vBVgWzCRTF2KPBDgWHuE0QEw0iRBtZL4cOsibj0IiF8JBZ5zCowrUvVF4V6XS7+ +4kPYZD24ydY/vz5k6hbwqZfxbqQIOe8vZODzPelfjIDW1E0Zrovp9+KtMCVmSEJz +reUiUc1eY0NpP51NhmwykkZ9D4AZ8fB76uqfELtEd9Yec3I0pvwyvI03eLmD7liC +yI1VEIezPUgJnrGRf8uaVdaLE5TGn7hSIFCGy3xpBd2ZjTKncoed5JtpVDO1WiY= +=1bx+ +-----END PGP SIGNATURE----- Index: polkit-keyinit.patch =================================================================== --- polkit-keyinit.patch (added) +++ polkit-keyinit.patch (revision 69) 
@@ -0,0 +1,9 @@ +Index: polkit-0.116/data/polkit-1.in +=================================================================== +--- polkit-0.116.orig/data/polkit-1.in ++++ polkit-0.116/data/polkit-1.in +@@ -4,3 +4,4 @@ auth include @PAM_FILE_INCLUD + account include @PAM_FILE_INCLUDE_ACCOUNT@ + password include @PAM_FILE_INCLUDE_PASSWORD@ + session include @PAM_FILE_INCLUDE_SESSION@ ++session optional pam_keyinit.so revoke [force] Index: 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch =================================================================== --- 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch (revision 3) +++ 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch (deleted) 
@@ -1,577 +0,0 @@ -From b77e3f0c13ac008905ad2a867c63f766af43ea95 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= <mitr@redhat.com> -Date: Mon, 25 Jun 2018 19:24:06 +0200 -Subject: [PATCH] Fix CVE-FIXME: Trusting client-supplied UID -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -As part of CVE-2013-4288, the D-Bus clients were allowed (and -encouraged) to submit the UID of the subject of authorization checks -to avoid races against UID changes (notably using executables -set-UID to root). - -However, that also allowed any client to submit an arbitrary UID, and -that could be used to bypass "can only ask about / affect the same UID" -checks in CheckAuthorization / RegisterAuthenticationAgent / -UnregisterAuthenticationAgent. This allowed an attacker: - -- With CheckAuthorization, to cause the registered authentication - agent in victim's session to pop up a dialog, or to determine whether - the victim currently has a temporary authorization to perform an - operation. - - (In principle, the attacker can also determine whether JavaScript - rules allow the victim process to perform an operatin; however, - usually rules base their decisions on information deterined from - the supplied UID, so the attacker usually won't learn anything new.) - -- With RegisterAuthenticationAgent, to prevent the victim's - authentication agent to work (for a specific victim process), - or to learn about which operations requiring authorization - the victim is attempting. - -To fix this, expose internal _polkit_unix_process_get_owner() / -obsolete polkit_unix_process_get_owner() as a private -polkit_unix_process_get_racy_uid__() (being more explicit about the -dangers on relying on it), and use it in -polkit_backend_session_monitor_get_user_for_subject() to return -a boolean indicating whether the subject UID may be caller-chosen. 
- -Then, in the permission checks that require the subject to be -equal to the caller, fail on caller-chosen UIDs (and continue -through the pre-existing code paths which allow root, or root-designated -server processes, to ask about arbitrary subjects.) - -Signed-off-by: Miloslav Trmač <mitr@redhat.com> ---- - src/polkit/polkitprivate.h | 2 + - src/polkit/polkitunixprocess.c | 61 ++++++++++++++++--- - .../polkitbackendinteractiveauthority.c | 39 +++++++----- - .../polkitbackendsessionmonitor-systemd.c | 38 ++++++++++-- - .../polkitbackendsessionmonitor.c | 40 ++++++++++-- - .../polkitbackendsessionmonitor.h | 1 + - 6 files changed, 148 insertions(+), 33 deletions(-) - -diff --git a/src/polkit/polkitprivate.h b/src/polkit/polkitprivate.h -index 9f07063..c80142d 100644 ---- a/src/polkit/polkitprivate.h -+++ b/src/polkit/polkitprivate.h -@@ -44,6 +44,8 @@ GVariant *polkit_action_description_to_gvariant (PolkitActionDescription *action - GVariant *polkit_subject_to_gvariant (PolkitSubject *subject); - GVariant *polkit_identity_to_gvariant (PolkitIdentity *identity); - -+gint polkit_unix_process_get_racy_uid__ (PolkitUnixProcess *process, GError **error); -+ - PolkitSubject *polkit_subject_new_for_gvariant (GVariant *variant, GError **error); - PolkitIdentity *polkit_identity_new_for_gvariant (GVariant *variant, GError **error); - -diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c -index d4ebf50..972b777 100644 ---- a/src/polkit/polkitunixprocess.c -+++ b/src/polkit/polkitunixprocess.c -@@ -56,6 +56,14 @@ - * To uniquely identify processes, both the process id and the start - * time of the process (a monotonic increasing value representing the - * time since the kernel was started) is used. -+ * -+ * NOTE: This object stores, and provides access to, the real UID of the -+ * process. That value can change over time (with set*uid*(2) and exec*(2)). 
-+ * Checks whether an operation is allowed need to take care to use the UID -+ * value as of the time when the operation was made (or, following the open() -+ * privilege check model, when the connection making the operation possible -+ * was initiated). That is usually done by initializing this with -+ * polkit_unix_process_new_for_owner() with trusted data. - */ - - /** -@@ -90,9 +98,6 @@ static void subject_iface_init (PolkitSubjectIface *subject_iface); - static guint64 get_start_time_for_pid (gint pid, - GError **error); - --static gint _polkit_unix_process_get_owner (PolkitUnixProcess *process, -- GError **error); -- - #if defined(HAVE_FREEBSD) || defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) - static gboolean get_kinfo_proc (gint pid, - #if defined(HAVE_NETBSD) -@@ -182,7 +187,7 @@ polkit_unix_process_constructed (GObject *object) - { - GError *error; - error = NULL; -- process->uid = _polkit_unix_process_get_owner (process, &error); -+ process->uid = polkit_unix_process_get_racy_uid__ (process, &error); - if (error != NULL) - { - process->uid = -1; -@@ -271,6 +276,12 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass) - * Gets the user id for @process. Note that this is the real user-id, - * not the effective user-id. - * -+ * NOTE: The UID may change over time, so the returned value may not match the -+ * current state of the underlying process; or the UID may have been set by -+ * polkit_unix_process_new_for_owner() or polkit_unix_process_set_uid(), -+ * in which case it may not correspond to the actual UID of the referenced -+ * process at all (at any point in time). -+ * - * Returns: The user id for @process or -1 if unknown. - */ - gint -@@ -708,13 +719,20 @@ out: - return start_time; - } - --static gint --_polkit_unix_process_get_owner (PolkitUnixProcess *process, -- GError **error) -+/* -+ * Private: Return the "current" UID. 
Note that this is inherently racy, -+ * and the value may already be obsolete by the time this function returns; -+ * this function only guarantees that the UID was valid at some point during -+ * its execution. -+ */ -+gint -+polkit_unix_process_get_racy_uid__ (PolkitUnixProcess *process, -+ GError **error) - { - gint result; - gchar *contents; - gchar **lines; -+ guint64 start_time; - #if defined(HAVE_FREEBSD) || defined(HAVE_OPENBSD) - struct kinfo_proc p; - #elif defined(HAVE_NETBSD) -@@ -722,6 +740,7 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process, - #else - gchar filename[64]; - guint n; -+ GError *local_error; - #endif - - g_return_val_if_fail (POLKIT_IS_UNIX_PROCESS (process), 0); -@@ -745,8 +764,10 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process, - - #if defined(HAVE_FREEBSD) - result = p.ki_uid; -+ start_time = (guint64) p.ki_start.tv_sec; - #else - result = p.p_uid; -+ start_time = (guint64) p.p_ustart_sec; - #endif - #else - -@@ -781,17 +802,37 @@ _polkit_unix_process_get_owner (PolkitUnixProcess *process, - else - { - result = real_uid; -- goto out; -+ goto found; - } - } -- - g_set_error (error, - POLKIT_ERROR, - POLKIT_ERROR_FAILED, - "Didn't find any line starting with `Uid:' in file %s", - filename); -+ goto out; -+ -+found: -+ /* The UID and start time are, sadly, not available in a single file. So, -+ * read the UID first, and then the start time; if the start time is the same -+ * before and after reading the UID, it couldn't have changed. 
-+ */ -+ local_error = NULL; -+ start_time = get_start_time_for_pid (process->pid, &local_error); -+ if (local_error != NULL) -+ { -+ g_propagate_error (error, local_error); -+ goto out; -+ } - #endif - -+ if (process->start_time != start_time) -+ { -+ g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED, -+ "process with PID %d has been replaced", process->pid); -+ goto out; -+ } -+ - out: - g_strfreev (lines); - g_free (contents); -@@ -810,5 +851,5 @@ gint - polkit_unix_process_get_owner (PolkitUnixProcess *process, - GError **error) - { -- return _polkit_unix_process_get_owner (process, error); -+ return polkit_unix_process_get_racy_uid__ (process, error); - } -diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c -index 1cd60d3..cb6fdab 100644 ---- a/src/polkitbackend/polkitbackendinteractiveauthority.c -+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c -@@ -575,7 +575,7 @@ log_result (PolkitBackendInteractiveAuthority *authority, - if (polkit_authorization_result_get_is_authorized (result)) - log_result_str = "ALLOWING"; - -- user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL); -+ user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL, NULL); - - subject_str = polkit_subject_to_string (subject); - -@@ -847,6 +847,7 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority - gchar *subject_str; - PolkitIdentity *user_of_caller; - PolkitIdentity *user_of_subject; -+ gboolean user_of_subject_matches; - gchar *user_of_caller_str; - gchar *user_of_subject_str; - PolkitAuthorizationResult *result; -@@ -892,7 +893,7 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority - action_id); - - user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, -- caller, -+ caller, NULL, - &error); - if 
(error != NULL) - { -@@ -907,7 +908,7 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority - g_debug (" user of caller is %s", user_of_caller_str); - - user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, -- subject, -+ subject, &user_of_subject_matches, - &error); - if (error != NULL) - { -@@ -937,7 +938,10 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority - * We only allow this if, and only if, - * - * - processes may check for another process owned by the *same* user but not -- * if details are passed (otherwise you'd be able to spoof the dialog) -+ * if details are passed (otherwise you'd be able to spoof the dialog); -+ * the caller supplies the user_of_subject value, so we additionally -+ * require it to match at least at one point in time (via -+ * user_of_subject_matches). - * - * - processes running as uid 0 may check anything and pass any details - * -@@ -945,7 +949,9 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority - * then any uid referenced by that annotation is also allowed to check - * to check anything and pass any details - */ -- if (!polkit_identity_equal (user_of_caller, user_of_subject) || has_details) -+ if (!user_of_subject_matches -+ || !polkit_identity_equal (user_of_caller, user_of_subject) -+ || has_details) - { - if (!may_identity_check_authorization (interactive_authority, action_id, user_of_caller)) - { -@@ -1110,9 +1116,10 @@ check_authorization_sync (PolkitBackendAuthority *authority, - goto out; - } - -- /* every subject has a user */ -+ /* every subject has a user; this is supplied by the client, so we rely -+ * on the caller to validate its acceptability. 
*/ - user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, -- subject, -+ subject, NULL, - error); - if (user_of_subject == NULL) - goto out; -@@ -2480,6 +2487,7 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken - PolkitSubject *session_for_caller; - PolkitIdentity *user_of_caller; - PolkitIdentity *user_of_subject; -+ gboolean user_of_subject_matches; - AuthenticationAgent *agent; - gboolean ret; - gchar *caller_cmdline; -@@ -2532,7 +2540,7 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken - goto out; - } - -- user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL); -+ user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL, NULL); - if (user_of_caller == NULL) - { - g_set_error (error, -@@ -2541,7 +2549,7 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken - "Cannot determine user of caller"); - goto out; - } -- user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL); -+ user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, &user_of_subject_matches, NULL); - if (user_of_subject == NULL) - { - g_set_error (error, -@@ -2550,7 +2558,8 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken - "Cannot determine user of subject"); - goto out; - } -- if (!polkit_identity_equal (user_of_caller, user_of_subject)) -+ if (!user_of_subject_matches -+ || !polkit_identity_equal (user_of_caller, user_of_subject)) - { - if (identity_is_root_user (user_of_caller)) - { -@@ -2643,6 +2652,7 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack - PolkitSubject *session_for_caller; - PolkitIdentity *user_of_caller; - PolkitIdentity *user_of_subject; -+ gboolean user_of_subject_matches; - 
AuthenticationAgent *agent; - gboolean ret; - gchar *scope_str; -@@ -2691,7 +2701,7 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack - goto out; - } - -- user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL); -+ user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, caller, NULL, NULL); - if (user_of_caller == NULL) - { - g_set_error (error, -@@ -2700,7 +2710,7 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack - "Cannot determine user of caller"); - goto out; - } -- user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL); -+ user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, &user_of_subject_matches, NULL); - if (user_of_subject == NULL) - { - g_set_error (error, -@@ -2709,7 +2719,8 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack - "Cannot determine user of subject"); - goto out; - } -- if (!polkit_identity_equal (user_of_caller, user_of_subject)) -+ if (!user_of_subject_matches -+ || !polkit_identity_equal (user_of_caller, user_of_subject)) - { - if (identity_is_root_user (user_of_caller)) - { -@@ -2819,7 +2830,7 @@ polkit_backend_interactive_authority_authentication_agent_response (PolkitBacken - identity_str); - - user_of_caller = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, -- caller, -+ caller, NULL, - error); - if (user_of_caller == NULL) - goto out; -diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -index 2a6c739..b00cdbd 100644 ---- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -+++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -@@ -29,6 +29,7 @@ - #include <stdlib.h> - - #include <polkit/polkit.h> -+#include 
<polkit/polkitprivate.h> - #include "polkitbackendsessionmonitor.h" - - /* <internal> -@@ -246,26 +247,40 @@ polkit_backend_session_monitor_get_sessions (PolkitBackendSessionMonitor *monito - * polkit_backend_session_monitor_get_user: - * @monitor: A #PolkitBackendSessionMonitor. - * @subject: A #PolkitSubject. -+ * @result_matches: If not %NULL, set to indicate whether the return value matches current (RACY) state. - * @error: Return location for error. - * - * Gets the user corresponding to @subject or %NULL if no user exists. - * -+ * NOTE: For a #PolkitUnixProcess, the UID is read from @subject (which may -+ * come from e.g. a D-Bus client), so it may not correspond to the actual UID -+ * of the referenced process (at any point in time). This is indicated by -+ * setting @result_matches to %FALSE; the caller may reject such subjects or -+ * require additional privileges. @result_matches == %TRUE only indicates that -+ * the UID matched the underlying process at ONE point in time, it may not match -+ * later. -+ * - * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref(). 
- */ - PolkitIdentity * - polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor, - PolkitSubject *subject, -+ gboolean *result_matches, - GError **error) - { - PolkitIdentity *ret; -- guint32 uid; -+ gboolean matches; - - ret = NULL; -+ matches = FALSE; - - if (POLKIT_IS_UNIX_PROCESS (subject)) - { -- uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); -- if ((gint) uid == -1) -+ gint subject_uid, current_uid; -+ GError *local_error; -+ -+ subject_uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); -+ if (subject_uid == -1) - { - g_set_error (error, - POLKIT_ERROR, -@@ -273,14 +288,24 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor - "Unix process subject does not have uid set"); - goto out; - } -- ret = polkit_unix_user_new (uid); -+ local_error = NULL; -+ current_uid = polkit_unix_process_get_racy_uid__ (POLKIT_UNIX_PROCESS (subject), &local_error); -+ if (local_error != NULL) -+ { -+ g_propagate_error (error, local_error); -+ goto out; -+ } -+ ret = polkit_unix_user_new (subject_uid); -+ matches = (subject_uid == current_uid); - } - else if (POLKIT_IS_SYSTEM_BUS_NAME (subject)) - { - ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error); -+ matches = TRUE; - } - else if (POLKIT_IS_UNIX_SESSION (subject)) - { -+ uid_t uid; - - if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0) - { -@@ -292,9 +317,14 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor - } - - ret = polkit_unix_user_new (uid); -+ matches = TRUE; - } - - out: -+ if (result_matches != NULL) -+ { -+ *result_matches = matches; -+ } - return ret; - } - -diff --git a/src/polkitbackend/polkitbackendsessionmonitor.c b/src/polkitbackend/polkitbackendsessionmonitor.c -index e1a9ab3..ed30755 100644 ---- a/src/polkitbackend/polkitbackendsessionmonitor.c -+++ 
b/src/polkitbackend/polkitbackendsessionmonitor.c -@@ -27,6 +27,7 @@ - #include <glib/gstdio.h> - - #include <polkit/polkit.h> -+#include <polkit/polkitprivate.h> - #include "polkitbackendsessionmonitor.h" - - #define CKDB_PATH "/var/run/ConsoleKit/database" -@@ -273,28 +274,40 @@ polkit_backend_session_monitor_get_sessions (PolkitBackendSessionMonitor *monito - * polkit_backend_session_monitor_get_user: - * @monitor: A #PolkitBackendSessionMonitor. - * @subject: A #PolkitSubject. -+ * @result_matches: If not %NULL, set to indicate whether the return value matches current (RACY) state. - * @error: Return location for error. - * - * Gets the user corresponding to @subject or %NULL if no user exists. - * -+ * NOTE: For a #PolkitUnixProcess, the UID is read from @subject (which may -+ * come from e.g. a D-Bus client), so it may not correspond to the actual UID -+ * of the referenced process (at any point in time). This is indicated by -+ * setting @result_matches to %FALSE; the caller may reject such subjects or -+ * require additional privileges. @result_matches == %TRUE only indicates that -+ * the UID matched the underlying process at ONE point in time, it may not match -+ * later. -+ * - * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref(). 
- */ - PolkitIdentity * - polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor, - PolkitSubject *subject, -+ gboolean *result_matches, - GError **error) - { - PolkitIdentity *ret; -+ gboolean matches; - GError *local_error; -- gchar *group; -- guint32 uid; - - ret = NULL; -+ matches = FALSE; - - if (POLKIT_IS_UNIX_PROCESS (subject)) - { -- uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); -- if ((gint) uid == -1) -+ gint subject_uid, current_uid; -+ -+ subject_uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); -+ if (subject_uid == -1) - { - g_set_error (error, - POLKIT_ERROR, -@@ -302,14 +315,26 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor - "Unix process subject does not have uid set"); - goto out; - } -- ret = polkit_unix_user_new (uid); -+ local_error = NULL; -+ current_uid = polkit_unix_process_get_racy_uid__ (POLKIT_UNIX_PROCESS (subject), &local_error); -+ if (local_error != NULL) -+ { -+ g_propagate_error (error, local_error); -+ goto out; -+ } -+ ret = polkit_unix_user_new (subject_uid); -+ matches = (subject_uid == current_uid); - } - else if (POLKIT_IS_SYSTEM_BUS_NAME (subject)) - { - ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error); -+ matches = TRUE; - } - else if (POLKIT_IS_UNIX_SESSION (subject)) - { -+ gint uid; -+ gchar *group; -+ - if (!ensure_database (monitor, error)) - { - g_prefix_error (error, "Error getting user for session: Error ensuring CK database at " CKDB_PATH ": "); -@@ -328,9 +353,14 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor - g_free (group); - - ret = polkit_unix_user_new (uid); -+ matches = TRUE; - } - - out: -+ if (result_matches != NULL) -+ { -+ *result_matches = matches; -+ } - return ret; - } - -diff --git a/src/polkitbackend/polkitbackendsessionmonitor.h b/src/polkitbackend/polkitbackendsessionmonitor.h -index 
8f8a2ca..3972326 100644 ---- a/src/polkitbackend/polkitbackendsessionmonitor.h -+++ b/src/polkitbackend/polkitbackendsessionmonitor.h -@@ -47,6 +47,7 @@ GList *polkit_backend_session_monitor_get_sessions (Polkit - - PolkitIdentity *polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor, - PolkitSubject *subject, -+ gboolean *result_matches, - GError **error); - - PolkitSubject *polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMonitor *monitor, --- -2.17.1 - Index: CVE-2019-6133.patch =================================================================== --- CVE-2019-6133.patch (revision 3) +++ CVE-2019-6133.patch (deleted) 
@@ -1,159 +0,0 @@ -diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c -index d4c1182141d486fb0a2005d336f3ac05213f65a5..ccabd0a24627de8e785fc0dc31527082f8aecda0 100644 ---- a/src/polkit/polkitsubject.c -+++ b/src/polkit/polkitsubject.c -@@ -99,6 +99,8 @@ polkit_subject_hash (PolkitSubject *subject) - * @b: A #PolkitSubject. - * - * Checks if @a and @b are equal, ie. represent the same subject. -+ * However, avoid calling polkit_subject_equal() to compare two processes; -+ * for more information see the `PolkitUnixProcess` documentation. - * - * This function can be used in e.g. g_hash_table_new(). - * -diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c -index b02b25894ad120d88ea21d4c96ac8dca1821fcf2..78d72514ffd1ddd97ac28a678cf384f4045bb621 100644 ---- a/src/polkit/polkitunixprocess.c -+++ b/src/polkit/polkitunixprocess.c -@@ -51,7 +51,10 @@ - * @title: PolkitUnixProcess - * @short_description: Unix processs - * -- * An object for representing a UNIX process. -+ * An object for representing a UNIX process. NOTE: This object as -+ * designed is now known broken; a mechanism to exploit a delay in -+ * start time in the Linux kernel was identified. Avoid -+ * calling polkit_subject_equal() to compare two processes. - * - * To uniquely identify processes, both the process id and the start - * time of the process (a monotonic increasing value representing the -@@ -66,6 +69,72 @@ - * polkit_unix_process_new_for_owner() with trusted data. - */ - -+/* See https://gitlab.freedesktop.org/polkit/polkit/issues/75 -+ -+ But quoting the original email in full here to ensure it's preserved: -+ -+ 
From: Jann Horn <jannh@google.com> -+ Subject: [SECURITY] polkit: temporary auth hijacking via PID reuse and non-atomic fork -+ Date: Wednesday, October 10, 2018 5:34 PM -+ -+When a (non-root) user attempts to e.g. control systemd units in the system -+instance from an active session over DBus, the access is gated by a polkit -+policy that requires "auth_admin_keep" auth. This results in an auth prompt -+being shown to the user, asking the user to confirm the action by entering the -+password of an administrator account. -+ -+After the action has been confirmed, the auth decision for "auth_admin_keep" is -+cached for up to five minutes. Subject to some restrictions, similar actions can -+then be performed in this timespan without requiring re-auth: -+ -+ - The PID of the DBus client requesting the new action must match the PID of -+ the DBus client requesting the old action (based on SO_PEERCRED information -+ forwarded by the DBus daemon). -+ - The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22) -+ must not have changed. The granularity of this timestamp is in the -+ millisecond range. -+ - polkit polls every two seconds whether a process with the expected start time -+ still exists. If not, the temporary auth entry is purged. -+ -+Without the start time check, this would obviously be buggy because an attacker -+could simply wait for the legitimate client to disappear, then create a new -+client with the same PID. -+ -+Unfortunately, the start time check is bypassable because fork() is not atomic. -+Looking at the source code of copy_process() in the kernel: -+ -+ p->start_time = ktime_get_ns(); -+ p->real_start_time = ktime_get_boot_ns(); -+ [...] 
-+ retval = copy_thread_tls(clone_flags, stack_start, stack_size, p, tls); -+ if (retval) -+ goto bad_fork_cleanup_io; -+ -+ if (pid != &init_struct_pid) { -+ pid = alloc_pid(p->nsproxy->pid_ns_for_children); -+ if (IS_ERR(pid)) { -+ retval = PTR_ERR(pid); -+ goto bad_fork_cleanup_thread; -+ } -+ } -+ -+The ktime_get_boot_ns() call is where the "start time" of the process is -+recorded. The alloc_pid() call is where a free PID is allocated. In between -+these, some time passes; and because the copy_thread_tls() call between them can -+access userspace memory when sys_clone() is invoked through the 32-bit syscall -+entry point, an attacker can even stall the kernel arbitrarily long at this -+point (by supplying a pointer into userspace memory that is associated with a -+userfaultfd or is backed by a custom FUSE filesystem). -+ -+This means that an attacker can immediately call sys_clone() when the victim -+process is created, often resulting in a process that has the exact same start -+time reported in procfs; and then the attacker can delay the alloc_pid() call -+until after the victim process has died and the PID assignment has cycled -+around. This results in an attacker process that polkit can't distinguish from -+the victim process. 
-+*/ -+ -+ - /** - * PolkitUnixProcess: - * -diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c -index a1630b9535333ad6c728a198cc6bc8a4e55211a9..80e814155c2a0f58a4e8301eb2b7c4910fa31782 100644 ---- a/src/polkitbackend/polkitbackendinteractiveauthority.c -+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c -@@ -3031,6 +3031,43 @@ temporary_authorization_store_free (TemporaryAuthorizationStore *store) - g_free (store); - } - -+/* See the comment at the top of polkitunixprocess.c */ -+static gboolean -+subject_equal_for_authz (PolkitSubject *a, -+ PolkitSubject *b) -+{ -+ if (!polkit_subject_equal (a, b)) -+ return FALSE; -+ -+ /* Now special case unix processes, as we want to protect against -+ * pid reuse by including the UID. -+ */ -+ if (POLKIT_IS_UNIX_PROCESS (a) && POLKIT_IS_UNIX_PROCESS (b)) { -+ PolkitUnixProcess *ap = (PolkitUnixProcess*)a; -+ int uid_a = polkit_unix_process_get_uid ((PolkitUnixProcess*)a); -+ PolkitUnixProcess *bp = (PolkitUnixProcess*)b; -+ int uid_b = polkit_unix_process_get_uid ((PolkitUnixProcess*)b); -+ -+ if (uid_a != -1 && uid_b != -1) -+ { -+ if (uid_a == uid_b) -+ { -+ return TRUE; -+ } -+ else -+ { -+ g_printerr ("denying slowfork; pid %d uid %d != %d!\n", -+ polkit_unix_process_get_pid (ap), -+ uid_a, uid_b); -+ return FALSE; -+ } -+ } -+ /* Fall through; one of the uids is unset so we can't reliably compare */ -+ } -+ -+ return TRUE; -+} -+ - static gboolean - temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *store, - PolkitSubject *subject, -@@ -3073,7 +3110,7 @@ temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *st - TemporaryAuthorization *authorization = l->data; - - if (strcmp (action_id, authorization->action_id) == 0 && -- polkit_subject_equal (subject_to_use, authorization->subject)) -+ subject_equal_for_authz (subject_to_use, authorization->subject)) - { - ret = TRUE; - if 
(out_tmp_authz_id != NULL) Index: polkit-0.114.tar.gz =================================================================== Binary file polkit-0.114.tar.gz (revision 3) deleted Index: polkit-0.114.tar.gz.sign =================================================================== --- polkit-0.114.tar.gz.sign (revision 3) +++ polkit-0.114.tar.gz.sign (deleted) @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -wsFcBAABCAAQBQJayUecCRDptRpmWCnWVQAAtzIQAD2kwEHFTiJt4TtqBm9DDS64 -QNOE9+E4tTAQZlO+mwTtskQs/wojKDNpud+uhnhFWrMfmMGXVf2odz3PblhCmrsS -tYleKUlgV3aoBltelCvl9Xy0otrAZ0WygCKJpeyvzsN0FwiWhuVTLXofRnmUiCFP -jU847ldoawGw72tbH9qsFtEWRA+zbDT40ja1eO301JW5um6C+pKIs7MvNgSm4uEs -VnEGomUPmMY9I/6akcOBFrMovujWQKHP4sr99vWPsCwMy7Ju9+UvyhHPXFyh7yCq -AQePMOJxFnTT8tXlPyAxi+TO3ihokiqQhBY4wrRjguIm9MXaumasfuzN1LoHR7wy -Y73FAEjYWvf5BHChW5cqFjRYv29aNol/nyEKbF8HpKTt/FFOeUSlF3xWbMqP9xs7 -tle13Ax1o22XIq05kPRM2FT6WK87IMAk/6qF669aUgbl3+36N0KFyt/NpA2M6Oiq -Z9grgYtNgOZPzFM+UJOYijaSDSFtPpwbdEJQpEPxVqsDJ6lRKbAv/SyvBgvkZM3A -IiUE4GN4c2JGAj+rHDzEjzjtNfT10qVeF31j2+5/uRGyR4dBeRUBclwSIz1zGLLS -mfFRsqGnPpOxFA79NVr41aMmjv5wXfcsKQWrBUIfbkCdhZ9Hrzd8ItMO0b6xnBZ6 -348LpL6UknwI7dJA/HIv -=Yc4b ------END PGP SIGNATURE----- Index: polkit-CVE-2018-19788.patch =================================================================== --- polkit-CVE-2018-19788.patch (revision 3) +++ polkit-CVE-2018-19788.patch (deleted) 
@@ -1,181 +0,0 @@ -commit 2cb40c4d5feeaa09325522bd7d97910f1b59e379 -Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> -Date: Mon Dec 3 10:28:58 2018 +0100 - - Allow negative uids/gids in PolkitUnixUser and Group objects - - (uid_t) -1 is still used as placeholder to mean "unset". This is OK, since - there should be no users with such number, see - https://systemd.io/UIDS-GIDS#special-linux-uids. - - (uid_t) -1 is used as the default value in class initialization. - - When a user or group above INT32_MAX is created, the numeric uid or - gid wraps around to negative when the value is assigned to gint, and - polkit gets confused. Let's accept such gids, except for -1. - - A nicer fix would be to change the underlying type to e.g. uint32 to - not have negative values. But this cannot be done without breaking the - API, so likely new functions will have to be added (a - polkit_unix_user_new variant that takes a unsigned, and the same for - _group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will - require a bigger patch. - - Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74. 
- -diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c -index c57a1aa..309f689 100644 ---- a/src/polkit/polkitunixgroup.c -+++ b/src/polkit/polkitunixgroup.c -@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT, - static void - polkit_unix_group_init (PolkitUnixGroup *unix_group) - { -+ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */ - } - - static void -@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object, - GParamSpec *pspec) - { - PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object); -+ gint val; - - switch (prop_id) - { - case PROP_GID: -- unix_group->gid = g_value_get_int (value); -+ val = g_value_get_int (value); -+ g_return_if_fail (val != -1); -+ unix_group->gid = val; - break; - - default: -@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass) - g_param_spec_int ("gid", - "Group ID", - "The UNIX group ID", -- 0, -+ G_MININT, - G_MAXINT, -- 0, -+ -1, - G_PARAM_CONSTRUCT | - G_PARAM_READWRITE | - G_PARAM_STATIC_NAME | -@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group) - */ - void - polkit_unix_group_set_gid (PolkitUnixGroup *group, -- gint gid) -+ gint gid) - { - g_return_if_fail (POLKIT_IS_UNIX_GROUP (group)); -+ g_return_if_fail (gid != -1); - group->gid = gid; - } - -@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group, - PolkitIdentity * - polkit_unix_group_new (gint gid) - { -+ g_return_val_if_fail (gid != -1, NULL); -+ - return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP, - "gid", gid, - NULL)); -diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c -index 972b777..b02b258 100644 ---- a/src/polkit/polkitunixprocess.c -+++ b/src/polkit/polkitunixprocess.c -@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject *object, - polkit_unix_process_set_pid (unix_process, g_value_get_int (value)); - break; - -- case PROP_UID: -- polkit_unix_process_set_uid 
(unix_process, g_value_get_int (value)); -+ case PROP_UID: { -+ gint val; -+ -+ val = g_value_get_int (value); -+ g_return_if_fail (val != -1); -+ polkit_unix_process_set_uid (unix_process, val); - break; -+ } - - case PROP_START_TIME: - polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value)); -@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass) - g_param_spec_int ("uid", - "User ID", - "The UNIX user ID", -- -1, -+ G_MININT, - G_MAXINT, - -1, - G_PARAM_CONSTRUCT | -@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process, - gint uid) - { - g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process)); -- g_return_if_fail (uid >= -1); - process->uid = uid; - } - -diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c -index 8bfd3a1..234a697 100644 ---- a/src/polkit/polkitunixuser.c -+++ b/src/polkit/polkitunixuser.c -@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT, - static void - polkit_unix_user_init (PolkitUnixUser *unix_user) - { -+ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */ - unix_user->name = NULL; - } - -@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object, - GParamSpec *pspec) - { - PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object); -+ gint val; - - switch (prop_id) - { - case PROP_UID: -- unix_user->uid = g_value_get_int (value); -+ val = g_value_get_int (value); -+ g_return_if_fail (val != -1); -+ unix_user->uid = val; - break; - - default: -@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass) - g_param_spec_int ("uid", - "User ID", - "The UNIX user ID", -- 0, -+ G_MININT, - G_MAXINT, -- 0, -+ -1, - G_PARAM_CONSTRUCT | - G_PARAM_READWRITE | - G_PARAM_STATIC_NAME | -@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, - gint uid) - { - g_return_if_fail (POLKIT_IS_UNIX_USER (user)); -+ g_return_if_fail (uid != -1); - user->uid = uid; - } - -@@ -196,6 
+201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, - PolkitIdentity * - polkit_unix_user_new (gint uid) - { -+ g_return_val_if_fail (uid != -1, NULL); -+ - return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER, - "uid", uid, - NULL)); Index: polkit-jsauthority-pass-format-string.patch =================================================================== --- polkit-jsauthority-pass-format-string.patch (revision 3) +++ polkit-jsauthority-pass-format-string.patch (deleted) @@ -1,32 +0,0 @@ -From 373705b35e7f6c7dc83de5e0a3ce11ecd15d0409 Mon Sep 17 00:00:00 2001 -From: Ray Strode <rstrode@redhat.com> -Date: Tue, 3 Apr 2018 15:26:37 -0400 -Subject: jsauthority: pass "%s" format string to remaining report function - -commit 00adeee1b62 attempted to add a "%s" format string to the -two JS_Report invocations that needed it, but somehow only got -one them. - -This commit gets the other one. - -https://bugzilla.gnome.org/show_bug.cgi?id=105865 ---- - src/polkitbackend/polkitbackendjsauthority.cpp | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp -index 9746c47..517f3c6 100644 ---- a/src/polkitbackend/polkitbackendjsauthority.cpp -+++ b/src/polkitbackend/polkitbackendjsauthority.cpp -@@ -1292,7 +1292,7 @@ js_polkit_log (JSContext *cx, - JS::CallArgs args = JS::CallArgsFromVp (argc, vp); - - s = JS_EncodeString (cx, args[0].toString ()); -- JS_ReportWarningUTF8 (cx, s); -+ JS_ReportWarningUTF8 (cx, "%s", s); - JS_free (cx, s); - - ret = true; --- -cgit v1.1 -
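Review bot: dropping the client-supplied-UID patch is only safe if the replacement upstream tarball (0.116) carries the same change in both session-monitor backends shown in these hunks, the sd_session_get_uid variant and the ConsoleKit CKDB_PATH variant; before accepting, grep the unpacked source for `polkit_unix_process_get_racy_uid__` and for the `gboolean *result_matches` parameter in polkitbackendsessionmonitor.h, since a missing copy in either backend would silently reintroduce the lookup that trusts the UID supplied by the D-Bus client. The doc comment's semantics also need to survive: `result_matches == TRUE` only means the UID matched the process at one instant, so callers must act on a FALSE result (reject the subject or require extra privilege, as the comment says) rather than ignore it.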
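Review bot: with CVE-2019-6133.patch removed, the protection against PID reuse during a slow fork comes solely from the new tarball, so confirm it contains `subject_equal_for_authz` (or an equivalent) in polkitbackendinteractiveauthority.c and that temporary_authorization_store_has_authorization calls it instead of plain polkit_subject_equal. Two details of the removed hunk are worth comparing against the upstream version: it falls through to TRUE when either UID is -1 (the comment says "we can't reliably compare"), which is a permissive default, and it reports a denial only through g_printerr, which does not reach an administrator's audit trail; if upstream behaves the same, that is acceptable but should be recorded next to the CVE-2019-6133 entry in polkit.changes.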
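Review bot: polkit-0.114.tar.gz and its detached signature are deleted together, which is correct, but a version bump that drops three security patches should have the replacement tarball's own detached signature verified against the keyring shipped in the package before submission, so that the source being trusted to contain the upstream fixes is the one upstream actually signed.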
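Review bot: the commit message inside this removed patch describes it as an interim fix (gint kept, only -1 rejected) pending an API change to unsigned types, so when dropping it verify that the new tarball still rejects -1 in polkit_unix_user_new, polkit_unix_group_new and the two set_*id setters, and that the "uid" and "gid" GParamSpec ranges are G_MININT..G_MAXINT with default -1; otherwise UIDs above INT32_MAX wrap negative again and the CVE-2018-19788 confusion returns. Cosmetic: the removed hunk's comment reads `(git_t) -1` where `gid_t` is meant; if the typo survives upstream it is harmless.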
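Review bot: this deleted patch is a format-string fix: `JS_ReportWarningUTF8 (cx, s)` in js_polkit_log passes the encoded string argument of the rules-file logging hook as the format argument, and the fix substitutes `JS_ReportWarningUTF8 (cx, "%s", s)`. Upstream commit 373705b is dated 2018-04-03, so it should already be in the new tarball, but since rules files are JavaScript run inside polkitd, confirm the shipped polkitbackendjsauthority.cpp has the `"%s", s` form before accepting the deletion.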