GNU bug report logs - #48915
[PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Tue, 8 Jun 2021 08:46:02 UTC
Severity: normal
Tags: patch, security
Done: Ludovic Courtès <ludo <at> gnu.org>
Report forwarded to guix-patches <at> gnu.org: bug#48915; Package guix-patches. (Tue, 08 Jun 2021 08:46:02 GMT)
Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 08 Jun 2021 08:46:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
* gnu/packages/patches/polkit-CVE-2021-3560.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/polkit.scm (polkit/fixed): New variable.
(polkit)[replacement]: New field.
---
gnu/local.mk | 1 +
.../patches/polkit-CVE-2021-3560.patch | 21 +++++++++++++++++++
gnu/packages/polkit.scm | 9 ++++++++
3 files changed, 31 insertions(+)
create mode 100644 gnu/packages/patches/polkit-CVE-2021-3560.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 0599df8968..42c5ee0d31 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1555,6 +1555,7 @@ dist_patch_DATA = \
%D%/packages/patches/plib-CVE-2011-4620.patch \
%D%/packages/patches/plib-CVE-2012-4552.patch \
%D%/packages/patches/plotutils-spline-test.patch \
+ %D%/packages/patches/polkit-CVE-2021-3560.patch \
%D%/packages/patches/portaudio-audacity-compat.patch \
%D%/packages/patches/portmidi-modular-build.patch \
%D%/packages/patches/postgresql-disable-resolve_symlinks.patch \
diff --git a/gnu/packages/patches/polkit-CVE-2021-3560.patch b/gnu/packages/patches/polkit-CVE-2021-3560.patch
new file mode 100644
index 0000000000..9aa0373fda
--- /dev/null
+++ b/gnu/packages/patches/polkit-CVE-2021-3560.patch
@@ -0,0 +1,21 @@
+This patch fixes CVE-2021-3560, "local privilege escalation using
+polkit_system_bus_name_get_creds_sync()":
+
+ https://www.openwall.com/lists/oss-security/2021/06/03/1
+
+Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a>.
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8daa12cb9093c1d765c7b83654a2b8d0d382378e..8ed13631508dd96624898df90ee2ece4dcf3e1e5 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+ g_main_context_iteration (tmp_context, TRUE);
+
++ if (data.caught_error)
++ goto out;
++
+ if (out_uid)
+ *out_uid = data.uid;
+ if (out_pid)
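Review bot: the header of the embedded patch cites the upstream fix only by the short hash a04d13a and does not say what the three added lines do; a reader has to work out from the context lines that the wait loop exits when data.caught_error is set, and that without the new `if (data.caught_error) goto out;` the function falls through to `*out_uid = data.uid` and reports credentials it never actually retrieved, which is the "local privilege escalation" the header names. Suggest giving the full upstream commit id and adding one sentence describing that error path, so the patch file is self-explanatory when the upstream link goes stale.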
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index d868aceec2..fcd8633b7a 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -44,6 +44,7 @@
(package
(name "polkit")
(version "0.116")
+ (replacement polkit/fixed)
(source (origin
(method url-fetch)
(uri (string-append
@@ -135,6 +136,14 @@ making process with respect to granting access to privileged operations
for unprivileged applications.")
(license lgpl2.0+)))
+(define-public polkit/fixed
+ (package
+ (inherit polkit)
+ (version "0.11A") ;0.116 + patch
+ (source (origin
+ (inherit (package-source polkit))
+ (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
+
(define-public polkit-qt
(package
(name "polkit-qt")
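Review bot: (version "0.11A") in the new polkit/fixed definition changes the version string of a graft replacement that only applies a patch; the ;0.116 + patch comment shows it is meant as a same-length placeholder, but (inherit polkit) already supplies "0.116", so the (version ...) line can simply be dropped and the replacement keeps the inherited version. Separately, polkit/fixed is introduced with define-public, which exposes it as a user-visible package next to polkit; unless it is meant to be installable on its own, a plain define keeps the grafted variant internal.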
--
2.31.1
Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Tue, 08 Jun 2021 08:47:02 GMT)
Information forwarded to guix-patches <at> gnu.org: bug#48915; Package guix-patches. (Tue, 08 Jun 2021 17:53:01 GMT)
Message #10 received at 48915 <at> debbugs.gnu.org:
On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:
> +(define-public polkit/fixed
> + (package
> + (inherit polkit)
> + (version "0.11A") ;0.116 + patch
> + (source (origin
> + (inherit (package-source polkit))
> + (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
Typically, we don't change the version when creating replacement
packages that apply a patch. We only change the version when the
replacement package actually updates to a new version.
Thanks for taking care of this!
Information forwarded to guix-patches <at> gnu.org: bug#48915; Package guix-patches. (Tue, 08 Jun 2021 21:33:01 GMT)
Message #13 received at 48915 <at> debbugs.gnu.org:
Leo Famulari <leo <at> famulari.name> skribis:
> On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:
>> +(define-public polkit/fixed
>> + (package
>> + (inherit polkit)
>> + (version "0.11A") ;0.116 + patch
>> + (source (origin
>> + (inherit (package-source polkit))
>> + (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
>
> Typically, we don't change the version when creating replacement
> packages that apply a patch. We only change the version when the
> replacement package actually updates to a new version.
Pushed as 9178566954cc7f34d2d991d31df4565adad93508!
As discussed on IRC, I ended up making ‘polkit/fixed’ private, with the
version string unchanged (inherited from ‘polkit’).
We wondered whether Cuirass would build ‘polkit/fixed’ if it’s private.
Turns out it does, but this comment in (gnu ci) is still valid:
--8<---------------cut here---------------start------------->8---
(define (all-packages)
  "Return the list of packages to build."
  (define (adjust package result)
    (cond ((package-replacement package)
           ;; XXX: If PACKAGE and its replacement have the same name/version,
           ;; then both Cuirass jobs will have the same name, which
           ;; effectively means that the second one will be ignored.  Thus,
           ;; return the replacement first.
           (cons* (package-replacement package) ;build both
                  package
                  result))
--8<---------------cut here---------------end--------------->8---
IOW, the replacement, and only the replacement, gets built.
The current ‘zstd’ replacement is private, and
<https://ci.guix.gnu.org/search?query=system%3Ax86_64-linux+spec%3Amaster+zstd>
only shows derivations for the replacement, not for the original one.
That’s okay though because the original one necessarily got built
earlier.
Thanks,
Ludo’.
bug closed, send any further explanations to 48915 <at> debbugs.gnu.org and Ludovic Courtès <ludo <at> gnu.org>. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Tue, 08 Jun 2021 21:33:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 07 Jul 2021 11:24:05 GMT)