ports/opt (3.7): Revert "polkit: -> 0.120"
commit fa0121312fc008b4111d49d2f531b47bb753f9ca
Author: Tim Biermann <tbier@posteo.de>
Date: Fri Jan 28 10:52:30 2022 +0100
Revert "polkit: -> 0.120"
This reverts commit 4da9e0617829e0bdf5c1ba0117f6c80e4669618e.
diff --git a/polkit/.footprint b/polkit/.footprint
index 856a8036f..e51de5a6b 100644
--- a/polkit/.footprint
+++ b/polkit/.footprint
@@ -8,7 +8,7 @@ drwxr-xr-x root/root usr/
 drwxr-xr-x root/root usr/bin/
 -rwxr-xr-x root/root usr/bin/pkaction
 -rwxr-xr-x root/root usr/bin/pkcheck
--rwxr-xr-x root/root usr/bin/pkexec
+-rwsrwxr-x root/root usr/bin/pkexec
 -rwxr-xr-x root/root usr/bin/pkttyagent
 drwxr-xr-x root/root usr/include/
 drwxr-xr-x root/root usr/include/polkit-1/
@@ -56,7 +56,7 @@ drwxr-xr-x root/root usr/lib/pkgconfig/
 -rw-r--r-- root/root usr/lib/pkgconfig/polkit-agent-1.pc
 -rw-r--r-- root/root usr/lib/pkgconfig/polkit-gobject-1.pc
 drwxr-xr-x root/root usr/lib/polkit-1/
--rwxr-xr-x root/root usr/lib/polkit-1/polkit-agent-helper-1
+-rwsr-xr-x root/root usr/lib/polkit-1/polkit-agent-helper-1
 -rwxr-xr-x root/root usr/lib/polkit-1/polkitd
 drwxr-xr-x root/root usr/share/
 drwxr-xr-x root/root usr/share/dbus-1/
diff --git a/polkit/.signature b/polkit/.signature
index c56f16179..632215fbe 100644
--- a/polkit/.signature
+++ b/polkit/.signature
@@ -1,6 +1,8 @@
 untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/XfEcgUTa3g8hpH1bAVwiltwnuY1rQXFbGlQ3Wm/Fk2AVXOVFWZ5SS48kcHi9CdKbhuZ8fNw/rA3Lfn/0dDeogQ=
-SHA256 (Pkgfile) = d4e61c5186b56bd2f04900a3b03bfc8e477f99a05dc39431d299c86a567cc91c
-SHA256 (.footprint) = 460c1a12c699356020b16d7b135579e128fb3208a2e25e8e78bf76b642342158
+RWSE3ohX2g5d/V8l9iBDcPY09Je8xzkpyInqswb+VSyU6oV2Ysyhhp5EPQnUwnJuSi+ajKS5lXvvyHIMPtTVggBgb+h9CX5dUwQ=
+SHA256 (Pkgfile) = 728a668cb1422d14793379687a58314c10fffffc70bd920c1d328f402a78843c
+SHA256 (.footprint) = 7ae3e87d2e0379db60e118c5b79938e87319b3460d1907ef73524cbdad79db15
 SHA256 (polkit-0.120.tar.gz) = ee7a599a853117bf273548725719fa92fabd2f136915c7a4906cee98567aee03
 SHA256 (polkit-1) = 9045eb2a1e2e403b0144d14a5cfe903dc97cfef979c956815a56777c0eb1bf1a
+SHA256 (CVE-2021-4034.patch) = 5930a48bf4262a7c89f8737a1a5a648bd41cfdb6476dcca1140cba6555b67d2c
+SHA256 (99.patch) = 9a84b59d38b3f86c70c5fc3a28cbfe8d7a22cf190eb20ff433f7f53f5ff73a9a
diff --git a/polkit/84.patch b/polkit/84.patch
new file mode 100644
index 000000000..66ed8c435
--- /dev/null
+++ b/polkit/84.patch
@@ -0,0 +1,190 @@ +From 0b59685e8f3729852a175777bceeccbe34870460 Mon Sep 17 00:00:00 2001 +From: Simon McVittie <smcv@debian.org> +Date: Thu, 3 Jun 2021 17:11:46 +0100 +Subject: [PATCH 1/8] meson_post_install: Use geteuid instead of getpass + +Signed-off-by: Simon McVittie <smcv@debian.org> +--- + meson_post_install.py | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/meson_post_install.py b/meson_post_install.py +index 0a0fccf..a87b711 100644 +--- a/meson_post_install.py ++++ b/meson_post_install.py +@@ -1,6 +1,5 @@ + #!/usr/bin/env python3 + +-import getpass + import os + import pwd + import sys +@@ -24,7 +23,7 @@ dst_dirs = [ + for dst in dst_dirs: + if not os.path.exists(dst): + os.makedirs(dst, mode=0o700) +- if getpass.getuser() == "root": ++ if os.geteuid() == 0: + os.chown(dst, polkitd_uid, -1) + + # polkit-agent-helper-1 need to be setuid root because it's used to +@@ -32,5 +31,5 @@ for dst in dst_dirs: + # and/or other users. + dst = os.path.join(pkglibdir, 'polkit-agent-helper-1') + os.chmod(dst, 0o4755) +-if getpass.getuser() == "root": ++if os.geteuid() == 0: + os.chown(dst, 0, -1) + +diff --git a/meson_post_install.py b/meson_post_install.py +index a87b711..ef69bb2 100644 +--- a/meson_post_install.py ++++ b/meson_post_install.py +@@ -11,7 +11,10 @@ pkgdatadir = os.path.join(prefix, sys.argv[2]) + pkglibdir = os.path.join(prefix, sys.argv[3]) + pkgsysconfdir = os.path.join(prefix, sys.argv[4]) + +-polkitd_uid = pwd.getpwnam(sys.argv[5]).pw_uid ++try: ++ polkitd_uid = pwd.getpwnam(sys.argv[5]).pw_uid ++except KeyError: ++ polkitd_uid = None + + os.chmod(os.path.join(bindir, 'pkexec'), 0o4775) + +@@ -23,7 +26,7 @@ dst_dirs = [ + for dst in dst_dirs: + if not os.path.exists(dst): + os.makedirs(dst, mode=0o700) +- if os.geteuid() == 0: ++ if os.geteuid() == 0 and polkitd_uid is not None: + os.chown(dst, polkitd_uid, -1) + + # polkit-agent-helper-1 need to be setuid root because it's used to + +diff --git a/meson_post_install.py 
b/meson_post_install.py +index ef69bb2..de42531 100644 +--- a/meson_post_install.py ++++ b/meson_post_install.py +@@ -10,9 +10,10 @@ bindir = os.path.join(prefix, sys.argv[1]) + pkgdatadir = os.path.join(prefix, sys.argv[2]) + pkglibdir = os.path.join(prefix, sys.argv[3]) + pkgsysconfdir = os.path.join(prefix, sys.argv[4]) ++polkitd_user = sys.argv[5] + + try: +- polkitd_uid = pwd.getpwnam(sys.argv[5]).pw_uid ++ polkitd_uid = pwd.getpwnam(polkitd_user).pw_uid + except KeyError: + polkitd_uid = None + +@@ -28,6 +29,12 @@ for dst in dst_dirs: + os.makedirs(dst, mode=0o700) + if os.geteuid() == 0 and polkitd_uid is not None: + os.chown(dst, polkitd_uid, -1) ++ else: ++ print( ++ 'Owner of {} needs to be set to {} after installation'.format( ++ dst, polkitd_user, ++ ) ++ ) + + # polkit-agent-helper-1 need to be setuid root because it's used to + # authenticate not only the invoking user, but possibly also root +@@ -36,3 +43,7 @@ dst = os.path.join(pkglibdir, 'polkit-agent-helper-1') + os.chmod(dst, 0o4755) + if os.geteuid() == 0: + os.chown(dst, 0, -1) ++else: ++ print( ++ 'Owner of {} needs to be set to root after installation'.format(dst) ++ ) + +diff --git a/meson_post_install.py b/meson_post_install.py +index de42531..94ffa57 100644 +--- a/meson_post_install.py ++++ b/meson_post_install.py +@@ -17,7 +17,7 @@ try: + except KeyError: + polkitd_uid = None + +-os.chmod(os.path.join(bindir, 'pkexec'), 0o4775) ++os.chmod(os.path.join(bindir, 'pkexec'), 0o4755) + + dst_dirs = [ + os.path.join(pkgsysconfdir, 'rules.d'), + +diff --git a/meson_post_install.py b/meson_post_install.py +index 94ffa57..85cd0ea 100644 +--- a/meson_post_install.py ++++ b/meson_post_install.py +@@ -17,7 +17,18 @@ try: + except KeyError: + polkitd_uid = None + +-os.chmod(os.path.join(bindir, 'pkexec'), 0o4755) ++dst = os.path.join(bindir, 'pkexec') ++ ++if os.geteuid() == 0: ++ os.chmod(dst, 0o4755) ++ os.chown(dst, 0, -1) ++else: ++ print( ++ 'Owner and mode of {} need to be setuid root (04755) 
after ' ++ 'installation'.format( ++ dst, ++ ) ++ ) + + dst_dirs = [ + os.path.join(pkgsysconfdir, 'rules.d'), +@@ -40,10 +51,14 @@ for dst in dst_dirs: + # authenticate not only the invoking user, but possibly also root + # and/or other users. + dst = os.path.join(pkglibdir, 'polkit-agent-helper-1') +-os.chmod(dst, 0o4755) ++ + if os.geteuid() == 0: ++ os.chmod(dst, 0o4755) + os.chown(dst, 0, -1) + else: + print( +- 'Owner of {} needs to be set to root after installation'.format(dst) ++ 'Owner and mode of {} need to be setuid root (04755) after ' ++ 'installation'.format( ++ dst, ++ ) + ) + +diff --git a/meson_post_install.py b/meson_post_install.py +index 85cd0ea..0ab7469 100644 +--- a/meson_post_install.py ++++ b/meson_post_install.py +@@ -4,12 +4,22 @@ import os + import pwd + import sys + ++destdir = os.environ.get('DESTDIR') + prefix = os.environ['MESON_INSTALL_DESTDIR_PREFIX'] + +-bindir = os.path.join(prefix, sys.argv[1]) +-pkgdatadir = os.path.join(prefix, sys.argv[2]) +-pkglibdir = os.path.join(prefix, sys.argv[3]) +-pkgsysconfdir = os.path.join(prefix, sys.argv[4]) ++def destdir_path(p): ++ if os.path.isabs(p): ++ if destdir is None: ++ return p ++ else: ++ return os.path.join(destdir, os.path.relpath(p, '/')) ++ else: ++ return os.path.join(prefix, p) ++ ++bindir = destdir_path(sys.argv[1]) ++pkgdatadir = destdir_path(sys.argv[2]) ++pkglibdir = destdir_path(sys.argv[3]) ++pkgsysconfdir = destdir_path(sys.argv[4]) + polkitd_user = sys.argv[5] + + try: + diff --git a/polkit/99.patch b/polkit/99.patch new file mode 100644 index 000000000..5e144688d --- /dev/null +++ b/polkit/99.patch 
@@ -0,0 +1,42 @@ +From e7f3d9e8341df64e2abc3910dafb1113a84bff07 Mon Sep 17 00:00:00 2001 +From: Simon McVittie <smcv@debian.org> +Date: Mon, 25 Oct 2021 20:21:27 +0100 +Subject: [PATCH] Don't pass positional parameters to i18n.merge_file + +These were always ignored, and Meson 0.60.0 disallowed them. + +Resolves: https://gitlab.freedesktop.org/polkit/polkit/-/issues/160 +Reference: https://github.com/mesonbuild/meson/pull/9445 +Signed-off-by: Simon McVittie <smcv@debian.org> +--- + actions/meson.build | 1 - + src/examples/meson.build | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/actions/meson.build b/actions/meson.build +index 2abaaf3..1e3f370 100644 +--- a/actions/meson.build ++++ b/actions/meson.build +@@ -1,7 +1,6 @@ + policy = 'org.freedesktop.policykit.policy' + + i18n.merge_file( +- policy, + input: policy + '.in', + output: '@BASENAME@', + po_dir: po_dir, +diff --git a/src/examples/meson.build b/src/examples/meson.build +index c6305ab..8c18de5 100644 +--- a/src/examples/meson.build ++++ b/src/examples/meson.build +@@ -1,7 +1,6 @@ + policy = 'org.freedesktop.policykit.examples.pkexec.policy' + + i18n.merge_file( +- policy, + input: policy + '.in', + output: '@BASENAME@', + po_dir: po_dir, +-- +GitLab + diff --git a/polkit/CVE-2021-4034.patch b/polkit/CVE-2021-4034.patch new file mode 100644 index 000000000..a06300a53 --- /dev/null +++ b/polkit/CVE-2021-4034.patch 
@@ -0,0 +1,79 @@ +From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001 +From: Jan Rybar <jrybar@redhat.com> +Date: Tue, 25 Jan 2022 17:21:46 +0000 +Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034) + +--- + src/programs/pkcheck.c | 5 +++++ + src/programs/pkexec.c | 23 ++++++++++++++++++++--- + 2 files changed, 25 insertions(+), 3 deletions(-) + +diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c +index f1bb4e1..768525c 100644 +--- a/src/programs/pkcheck.c ++++ b/src/programs/pkcheck.c +@@ -363,6 +363,11 @@ main (int argc, char *argv[]) + local_agent_handle = NULL; + ret = 126; + ++ if (argc < 1) ++ { ++ exit(126); ++ } ++ + /* Disable remote file access from GIO. */ + setenv ("GIO_USE_VFS", "local", 1); + +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 7698c5c..84e5ef6 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -488,6 +488,15 @@ main (int argc, char *argv[]) + pid_t pid_of_caller; + gpointer local_agent_handle; + ++ ++ /* ++ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out. ++ */ ++ if (argc<1) ++ { ++ exit(127); ++ } ++ + ret = 127; + authority = NULL; + subject = NULL; +@@ -614,10 +623,10 @@ main (int argc, char *argv[]) + + path = g_strdup (pwstruct.pw_shell); + if (!path) +- { ++ { + g_printerr ("No shell configured or error retrieving pw_shell\n"); + goto out; +- } ++ } + /* If you change this, be sure to change the if (!command_line) + case below too */ + command_line = g_strdup (path); +@@ -636,7 +645,15 @@ main (int argc, char *argv[]) + goto out; + } + g_free (path); +- argv[n] = path = s; ++ path = s; ++ ++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. ++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination ++ */ ++ if (argv[n] != NULL) ++ { ++ argv[n] = path; ++ } + } + if (access (path, F_OK) != 0) + { +-- +GitLab + 
diff --git a/polkit/Pkgfile b/polkit/Pkgfile index 19f9ed16e..9e66d09be 100644 --- a/polkit/Pkgfile +++ b/polkit/Pkgfile @@ -7,9 +7,13 @@ name=polkit version=0.120 release=3 source=(https://freedesktop.org/software/polkit/releases/$name-$version.tar.gz - polkit-1) + polkit-1 + CVE-2021-4034.patch 99.patch) build() { + patch -Np1 -d $name-$version -i $SRC/99.patch + patch -Np1 -d $name-$version -i $SRC/CVE-2021-4034.patch + meson setup $name-$version build \ --prefix=/usr \ --buildtype=plain \ @@ -19,6 +23,8 @@ build() { meson compile -C build DESTDIR=$PKG meson install -C build + chmod 4775 $PKG/usr/bin/pkexec + chmod 4755 $PKG/usr/lib/polkit-1/polkit-agent-helper-1 install -m 0644 $SRC/polkit-1 $PKG/etc/pam.d rm -r $PKG/usr/share/locale
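Review bot: `chmod 4775 $PKG/usr/bin/pkexec` in the second hunk ships a setuid-root binary that is also group-writable, and the .footprint hunk records the same mode as `-rwsrwxr-x`; upstream's own meson_post_install.py fix, bundled in this commit as 84.patch, changes that mode from 0o4775 to 0o4755, and the very next line already gives polkit-agent-helper-1 4755. I would change the line to `chmod 4755 $PKG/usr/bin/pkexec` and regenerate .footprint so the entry reads `-rwsr-xr-x root/root usr/bin/pkexec`. Separately, 84.patch is added by this commit but appears neither in source=, nor in the build() patch calls, nor in .signature, so it is never applied or checksum-verified; either wire it in alongside 99.patch and CVE-2021-4034.patch or drop the file. The build() body continues past the end of the second hunk.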