packages/polkit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!28 Fix CVE-2021-4034

Browse Source 
Merge pull request !28 from panxh_purple/master
This commit is contained in:
openeuler-ci-bot 2022-01-26 09:06:41 +00:00 committed by Gitee
commit f52b7af3eb
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 84 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
backport-CVE-2021-4034.patch Normal file
View File

@ -0,0 +1,79 @@
From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Tue, 25 Jan 2022 17:21:46 +0000
Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
---
src/programs/pkcheck.c | 5 +++++
src/programs/pkexec.c | 23 ++++++++++++++++++++---
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index f1bb4e1..768525c 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ exit(126);
+ }
+
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 7698c5c..84e5ef6 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
+ */
+ if (argc<1)
+ {
+ exit(127);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
path = g_strdup (pwstruct.pw_shell);
if (!path)
- {
+ {
g_printerr ("No shell configured or error retrieving pw_shell\n");
goto out;
- }
+ }
/* If you change this, be sure to change the if (!command_line)
case below too */
command_line = g_strdup (path);
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{
--
1.8.3.1

6
polkit.spec
View File

@ -1,6 +1,6 @@
Name: polkit Name: polkit
Version: 0.120 Version: 0.120
Release: 1 Release: 2
Summary: Define and Handle authorizations tool Summary: Define and Handle authorizations tool
License: LGPLv2+ License: LGPLv2+
URL: http://www.freedesktop.org/wiki/Software/polkit URL: http://www.freedesktop.org/wiki/Software/polkit
@ -8,6 +8,7 @@ Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{
Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign
Patch0: modify-admin-authorization-from-wheel-group-to-root.patch Patch0: modify-admin-authorization-from-wheel-group-to-root.patch
Patch1: backport-CVE-2021-4034.patch
BuildRequires: gcc-c++ glib2-devel >= 2.30.0 expat-devel pam-devel gtk-doc intltool BuildRequires: gcc-c++ glib2-devel >= 2.30.0 expat-devel pam-devel gtk-doc intltool
BuildRequires: gobject-introspection-devel systemd systemd-devel pkgconfig(mozjs-78) BuildRequires: gobject-introspection-devel systemd systemd-devel pkgconfig(mozjs-78)
@ -124,6 +125,9 @@ exit 0
%{_datadir}/man/man8/* %{_datadir}/man/man8/*
%changelog %changelog
* Wed Jan 26 2022 panxiaohe <panxiaohe@huawei.com> - 0.120-2
- Fix CVE-2021-4034
* Mon Dec 6 2021 panxiaohe <panxiaohe@huawei.com> - 0.120-1 * Mon Dec 6 2021 panxiaohe <panxiaohe@huawei.com> - 0.120-1
- Type:enhancement - Type:enhancement
- ID:NA - ID:NA