File 0001-CVE-2026-4897-getline-string-overflow.patch of Package polkit
From 7e122c8a5120c2aae2d9d44a26796dc18f5b677c Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Fri, 27 Mar 2026 15:57:01 +0100
Subject: [PATCH] CVE-2026-4897 - getline() string overflow
Report and fix by Aisle.com
Pavel Kohout, Aisle Research
Signed-off-by: Jan Rybar jrybar@redhat.com
---
src/polkitagent/polkitagenthelperprivate.c | 23 +++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/polkitagenthelperprivate.c
index 35bca85..7e4f94e 100644
--- a/src/polkitagent/polkitagenthelperprivate.c
+++ b/src/polkitagent/polkitagenthelperprivate.c
@@ -24,6 +24,7 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
+#include <errno.h>
#include <unistd.h>
#ifndef HAVE_CLEARENV
@@ -59,21 +60,25 @@ read_cookie (int argc, char **argv)
return strdup (argv[2]);
else
{
- char *ret = NULL;
- size_t n = 0;
- ssize_t r = getline (&ret, &n, stdin);
- if (r == -1)
+ #define POLKIT_AGENT_MAX_COOKIE 4096
+ char buf[POLKIT_AGENT_MAX_COOKIE + 2]; /* +1 for newline, +1 for NUL */
+ if (fgets (buf, sizeof(buf), stdin) == NULL)
{
if (!feof (stdin))
- perror ("getline");
- free (ret);
+ perror ("fgets");
return NULL;
}
- else
+ if (buf[strlen (buf) - 1] != '\n')
{
- g_strchomp (ret);
- return ret;
+ /* Cookie too long - drain remaining input and reject */
+ int c;
+ while ((c = getchar ()) != '\n' && c != EOF)
+ ;
+ errno = EOVERFLOW;
+ return NULL;
}
+ g_strchomp (buf);
+ return strdup (buf);
}
}
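Review bot: The new length check `buf[strlen (buf) - 1] != '\n'` reads one byte before `buf` when fgets() returns a line whose first byte is NUL, because strlen() is then 0 and the subtraction wraps around. Computing the length once and guarding it, `size_t len = strlen (buf);` followed by `if (len == 0 || buf[len - 1] != '\n')`, keeps the read inside the buffer. The same branch also rejects a final line that ends at EOF without a newline and reports it as EOVERFLOW, which the removed getline() path appears to have accepted; if that is intended, a comment saying so would help. read_cookie begins above this hunk, so how callers treat the NULL/errno result is not visible here.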
--
2.51.0