GNU bug report logs - #53549
[PATCH] gnu: polkit: Fix CVE-2021-4034.


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Wed, 26 Jan 2022 11:57:02 UTC

Severity: important

Tags: patch, security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#53549; Package guix-patches. (Wed, 26 Jan 2022 11:57:02 GMT)

Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 26 Jan 2022 11:57:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: guix-patches <at> gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH] gnu: polkit: Fix CVE-2021-4034.
Date: Wed, 26 Jan 2022 12:56:24 +0100
* gnu/packages/patches/polkit-CVE-2021-4034.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/polkit.scm (polkit-mozjs)[replacement]: New field.
* gnu/packages/polkit.scm (polkit-mozjs/fixed): New variable.
---
 gnu/local.mk                                  |  1 +
 .../patches/polkit-CVE-2021-4034.patch        | 82 +++++++++++++++++++
 gnu/packages/polkit.scm                       | 13 ++-
 3 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/polkit-CVE-2021-4034.patch

Hi!

We could avoid grafting and instead use 'polkit/fixed' in 'setuid-programs',
but it seems safer and less error-prone to graft.

Thoughts?

Ludo'.

diff --git a/gnu/local.mk b/gnu/local.mk
index dceaa53145..eb07842775 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1645,6 +1645,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/plib-CVE-2011-4620.patch		\
   %D%/packages/patches/plib-CVE-2012-4552.patch		\
   %D%/packages/patches/plotutils-spline-test.patch		\
+  %D%/packages/patches/polkit-CVE-2021-4034.patch		\
   %D%/packages/patches/polkit-configure-elogind.patch		\
   %D%/packages/patches/polkit-use-duktape.patch			\
   %D%/packages/patches/portaudio-audacity-compat.patch		\
diff --git a/gnu/packages/patches/polkit-CVE-2021-4034.patch b/gnu/packages/patches/polkit-CVE-2021-4034.patch
new file mode 100644
index 0000000000..ca766cb3be
--- /dev/null
+++ b/gnu/packages/patches/polkit-CVE-2021-4034.patch
@@ -0,0 +1,82 @@
+Fixes CVE-2021-4034, local privilege escalation with 'pkexec':
+
+  https://www.openwall.com/lists/oss-security/2022/01/25/11
+
+Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683>.
+
+From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar <at> redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
+
+---
+ src/programs/pkcheck.c |  5 +++++
+ src/programs/pkexec.c  | 23 ++++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index f1bb4e1..768525c 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+   local_agent_handle = NULL;
+   ret = 126;
+ 
++  if (argc < 1)
++    {
++      exit(126);
++    }
++
+   /* Disable remote file access from GIO. */
+   setenv ("GIO_USE_VFS", "local", 1);
+ 
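Review bot: the new `if (argc < 1)` exit sits right after `ret = 126`, so the hard-coded 126 matches the function's default return and nothing is leaked by calling `exit()` instead of `goto out` (`local_agent_handle` is still NULL at this point), but unlike the pkexec hunk below it carries no comment saying why an empty argv is refused; suggest the same one-line rationale here so a later reader does not take it for dead code.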
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 7698c5c..84e5ef6 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+   pid_t pid_of_caller;
+   gpointer local_agent_handle;
+ 
++
++  /*
++   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
++   */
++  if (argc<1)
++    {
++      exit(127);
++    }
++
+   ret = 127;
+   authority = NULL;
+   subject = NULL;
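Review bot: this exit is the load-bearing part of the fix: with argc == 0, argv[0] is already the array's NULL terminator and argv[1] lies outside argv, and nothing else in main() stops the later `argv[n]` reads and writes from going there. Its position, before `ret = 127` and before any use of `argv`, is right, and `exit(127)` matches the default return. One nit: the comment states suspicion, not mechanism; a sentence such as "argc == 0 means argv[1] is past the terminator" would make the reason for the exit self-evident.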
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+ 
+       path = g_strdup (pwstruct.pw_shell);
+       if (!path)
+-	{
++        {
+           g_printerr ("No shell configured or error retrieving pw_shell\n");
+           goto out;
+-	}
++        }
+       /* If you change this, be sure to change the if (!command_line)
+ 	 case below too */
+       command_line = g_strdup (path);
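Review bot: this hunk only replaces tabs with spaces in the braces around the "No shell configured" error and changes no behaviour. In a security backport that is noise, but since the file is a verbatim copy of the upstream commit named in the header, keeping it is preferable to hand-editing the patch; it should just not be read as part of the fix.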
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+           goto out;
+         }
+       g_free (path);
+-      argv[n] = path = s;
++      path = s;
++
++      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++       */
++      if (argv[n] != NULL)
++      {
++        argv[n] = path;
++      }
+     }
+   if (access (path, F_OK) != 0)
+     {
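Review bot: the `argv[n] != NULL` guard does not by itself close the hole: with argc == 0 the slot at argv[1] is not the terminator but the first environment entry, which is non-NULL, so `argv[n] = path` would still go through. The guard is sound only because of the `argc<1` exit in the first pkexec hunk, and the comment ("/-less shell shouldn't happen ...") should say so instead of presenting the terminator as the only hazard. When the write is skipped, `argv[n]` stays NULL while `path` holds the resolved program, so the code below the hunk must build the exec arguments from `path` rather than `argv[n]`; that code is outside the diff and is worth confirming. Style: the braces of the new `if` sit in the same column as the `if`, whereas the surrounding code (see `if (!path)` above) indents them two further spaces.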
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index e4f4b1276f..1ae94be751 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2014 Andreas Enge <andreas <at> enge.fr>
 ;;; Copyright © 2015 Andy Wingo <wingo <at> igalia.com>
-;;; Copyright © 2015, 2021 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2015, 2021-2022 Ludovic Courtès <ludo <at> gnu.org>
 ;;; Copyright © 2015 Mark H Weaver <mhw <at> netris.org>
 ;;; Copyright © 2016 Efraim Flashner <efraim <at> flashner.co.il>
 ;;; Copyright © 2017 Huang Ying <huang.ying.caritas <at> gmail.com>
@@ -54,6 +54,7 @@ (define-public polkit-mozjs
   (package
     (name "polkit")
     (version "0.120")
+    (replacement polkit-mozjs/fixed)
     (source (origin
              (method url-fetch)
              (uri (string-append
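Review bot: a `replacement` field reaches only the variants that inherit `polkit-mozjs` through `package/inherit`; a variant written with plain `inherit`, or a package that copies this package's fields, would keep building from the unpatched source and would need its own replacement. The `polkit-duktape` variant defined further down this file, and whatever the `polkit` name used by `setuid-programs` resolves to, should be checked for that before this is merged.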
@@ -146,6 +147,16 @@ (define-public polkit-mozjs
 for unprivileged applications.")
     (license lgpl2.0+)))
 
+(define-public polkit-mozjs/fixed
+  (package
+    (inherit polkit-mozjs)
+    (version "0.121")
+    (source (origin
+              (inherit (package-source polkit-mozjs))
+              (patches (cons (search-patch "polkit-CVE-2021-4034.patch")
+                             (origin-patches
+                              (package-source polkit-mozjs))))))))
+
 ;;; Variant of polkit built with Duktape, a lighter JavaScript engine compared
 ;;; to mozjs.
 (define-public polkit-duktape
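Review bot: the version bump to "0.121" deserves a comment. If I remember the grafting code right, references are rewritten in place, so the replacement's store file name has to be the same length as the original's; "0.121" against "0.120" satisfies that while making grafted outputs recognisable by name, and without a comment someone could later "correct" the version back or bump it to a longer string. Prepending with `cons` to `(origin-patches (package-source polkit-mozjs))` keeps the existing configure-elogind and use-duktape patches; the new patch touches only src/programs/pkcheck.c and src/programs/pkexec.c, so it is unlikely to interact with them, but building `polkit-mozjs/fixed` with `--no-grafts` would confirm all three still apply.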

base-commit: 1402c6abe150ced4cbb4fa0721fe7c8796fe2c38
prerequisite-patch-id: 6ecfe5930fe8847a954c16425713d4a6ac515a04
-- 
2.34.0
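What the two pkexec hunks above are guarding against, shown as an added C example that is not part of this Guix patch nor of polkit's own source: the constant `FIRST_ARG` stands in for pkexec's `n`, `vulnerable_resolve` has the shape of the pre-fix `argv[n] = path = s;`, `fixed_resolve` models the two added checks with `exit(127)` replaced by a NULL return so the result can be inspected, and the argc == 0 process layout is simulated in one array with made-up strings rather than obtained by calling execve with an empty argv. All of those names and values are this example's assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not polkit code: why the `argc < 1` exit in the patch
 * above is the essential part of the fix.  execve() places argv and envp back
 * to back: argv[0..argc-1], NULL, envp[0..], NULL.  With an empty argv
 * (argc == 0) argv[0] is that NULL and argv[1] is the same slot as envp[0], so
 * code that starts looking for the command at argv[1] reads, and if it
 * assigns, writes, the environment.  The layout is simulated with one array so
 * the program runs without spawning a process with an empty argv. */

#define FIRST_ARG 1   /* stands in for pkexec's n when no options are given */

/* Pre-fix: read the command from argv[n] and store the resolved path back into
 * the same slot, the shape of `argv[n] = path = s;` in pkexec.  argc is never
 * consulted. */
static const char *vulnerable_resolve(int argc, char **argv, char *resolved)
{
    const char *command = argv[FIRST_ARG];   /* envp[0] when argc == 0 */
    (void)argc;
    argv[FIRST_ARG] = resolved;              /* overwrites envp[0] when argc == 0 */
    return command;
}

/* Post-fix: reject argc < 1 up front (pkexec calls exit(127); NULL is returned
 * here so the result can be checked), never index beyond argc, and never
 * overwrite the NULL terminator.  Returns the command found, or NULL. */
static const char *fixed_resolve(int argc, char **argv, char *resolved)
{
    if (argc < 1 || FIRST_ARG >= argc)
        return NULL;                         /* empty argv, or no command given */
    const char *command = argv[FIRST_ARG];
    if (argv[FIRST_ARG] != NULL)             /* the guard from the second hunk;
                                                redundant once argc is checked */
        argv[FIRST_ARG] = resolved;
    return command;
}

/* Constructed process start with argc == 0, laid out as execve() would:
 * block[0] is argv's NULL terminator, block[1] is envp[0], block[2] ends envp.
 * Both strings are made up for this example. */
static char env0_value[] = "PATH=/bin";
static char injected[] = "/nonexistent/resolved/program";

static void argc0_start(char **block)
{
    block[0] = NULL;
    block[1] = env0_value;
    block[2] = NULL;
}

/* 1 if the unchecked code both read envp[0] as the command and then replaced
 * envp[0] with the "resolved" path. */
int vulnerable_hits_environment(void)
{
    char *block[3];
    argc0_start(block);
    const char *command = vulnerable_resolve(0, block, injected);
    return command == env0_value && block[1] == injected;
}

/* 1 if an `argv[n] != NULL` test on its own still lets the write through:
 * with argc == 0 that slot is envp[0], which is not NULL. */
int terminator_check_alone_still_writes(void)
{
    char *block[3], **argv = block;
    argc0_start(block);
    if (argv[FIRST_ARG] != NULL)
        argv[FIRST_ARG] = injected;
    return block[1] == injected;
}

/* 1 if the guarded code neither reads nor writes the environment. */
int fixed_leaves_environment_alone(void)
{
    char *block[3];
    argc0_start(block);
    return fixed_resolve(0, block, injected) == NULL && block[1] == env0_value;
}

/* 1 if the guarded code still resolves the command on a normal invocation. */
int fixed_handles_normal_argv(void)
{
    char *argv[] = { "pkexec", "/bin/true", NULL };
    const char *command = fixed_resolve(2, argv, injected);
    return command != NULL && strcmp(command, "/bin/true") == 0 && argv[1] == injected;
}

int main(void)
{
    printf("unchecked code reads and writes envp[0]: %d\n", vulnerable_hits_environment());
    printf("argv[n] != NULL alone still writes:      %d\n", terminator_check_alone_still_writes());
    printf("guarded code leaves envp alone:          %d\n", fixed_leaves_environment_alone());
    printf("guarded code handles a normal argv:      %d\n", fixed_handles_normal_argv());
    return 0;
}
```

Each function returns 1 when the behaviour named in its comment occurs; running the program prints four 1s. The third function is the one to look at when reading the second pkexec hunk: the terminator test passes for an argc == 0 layout, which is why the `argc<1` exit, not that test, is what actually stops the write.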





Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 26 Jan 2022 14:41:02 GMT)

Severity set to 'important' from 'normal'. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 26 Jan 2022 14:41:02 GMT)

Information forwarded to guix-patches <at> gnu.org:
bug#53549; Package guix-patches. (Wed, 26 Jan 2022 15:15:02 GMT)

Message #12 received at 53549 <at> debbugs.gnu.org:

From: Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at>
To: Ludovic Courtès <ludo <at> gnu.org>, 53549 <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: polkit: Fix CVE-2021-4034.
Date: Wed, 26 Jan 2022 16:14:48 +0100
Hi Ludo,

On Wednesday, 26 Jan 2022 at 12:56 +0100, Ludovic Courtès wrote:
> * gnu/packages/patches/polkit-CVE-2021-4034.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/polkit.scm (polkit-mozjs)[replacement]: New field.
> * gnu/packages/polkit.scm (polkit-mozjs/fixed): New variable.
> ---
>  gnu/local.mk                                  |  1 +
>  .../patches/polkit-CVE-2021-4034.patch        | 82
> +++++++++++++++++++
>  gnu/packages/polkit.scm                       | 13 ++-
>  3 files changed, 95 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/polkit-CVE-2021-4034.patch
> 
> Hi!
> 
> We could avoid grafting and instead use 'polkit/fixed' in 'setuid-
> programs', but it seems safer and less error-prone to graft.
> 
> Thoughts?
Given that there is also a duktape variant, a graft is necessary, no?
On a related note, polkit-duktape inherits polkit-mozjs in a way that
does not require adding a separate graft for it, right?  Assuming both
of the above hold, LGTM.

Cheers




Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Wed, 26 Jan 2022 16:57:02 GMT)

Notification sent to Ludovic Courtès <ludo <at> gnu.org>:
bug acknowledged by developer. (Wed, 26 Jan 2022 16:57:02 GMT)

Message #17 received at 53549-done <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at>
Cc: 53549-done <at> debbugs.gnu.org
Subject: Re: bug#53549: [PATCH] gnu: polkit: Fix CVE-2021-4034.
Date: Wed, 26 Jan 2022 17:56:37 +0100
Hi,

Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at> wrote:

> On Wednesday, 26 Jan 2022 at 12:56 +0100, Ludovic Courtès wrote:
>> * gnu/packages/patches/polkit-CVE-2021-4034.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it.
>> * gnu/packages/polkit.scm (polkit-mozjs)[replacement]: New field.
>> * gnu/packages/polkit.scm (polkit-mozjs/fixed): New variable.
>> ---
>>  gnu/local.mk                                  |  1 +
>>  .../patches/polkit-CVE-2021-4034.patch        | 82
>> +++++++++++++++++++
>>  gnu/packages/polkit.scm                       | 13 ++-
>>  3 files changed, 95 insertions(+), 1 deletion(-)
>>  create mode 100644 gnu/packages/patches/polkit-CVE-2021-4034.patch
>> 
>> Hi!
>> 
>> We could avoid grafting and instead use 'polkit/fixed' in 'setuid-
>> programs', but it seems safer and less error-prone to graft.
>> 
>> Thoughts?
> Given that there is also a duktape variant, a graft is necessary, no?
> On a related note, polkit-duktape inherits polkit-mozjs in a way that
> does not require adding a separate graft for it, right?  Assuming both
> of the above hold, LGTM.

The duktape variant is defined with ‘package/inherit’ and thus it
automatically gets a replacement with the patch:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env  guix build polkit-duktape --no-grafts
/gnu/store/z92ymaf84ij8f37cm1wrkkmgrw2slrym-polkit-duktape-0.120
$ ./pre-inst-env  guix build polkit-duktape 
/gnu/store/3g55nhkcbc0a4l7b26gxsalxq0rq1cs7-polkit-duktape-0.121
$ guix gc -R $(./pre-inst-env  guix build polkit-duktape -d) |grep polkit-CVE
/gnu/store/lxms944bda56ll590dsrkkhc9n2h3xws-polkit-CVE-2021-4034.patch
--8<---------------cut here---------------end--------------->8---

Pushed as 3993d33d1c0129b1ca6f0fd122fe2bbe48e4f093.

Thanks for taking a look!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 24 Feb 2022 12:24:08 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.