GNU bug report logs - #53549
[PATCH] gnu: polkit: Fix CVE-2021-4034.

Previous Next

Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Wed, 26 Jan 2022 11:57:02 UTC

Severity: important

Tags: patch, security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #12 received at 53549 <at> debbugs.gnu.org (full text, mbox):

From: Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at>
To: Ludovic Courtès <ludo <at> gnu.org>, 53549 <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: polkit: Fix CVE-2021-4034.
Date: Wed, 26 Jan 2022 16:14:48 +0100

Hi Ludo,

Am Mittwoch, dem 26.01.2022 um 12:56 +0100 schrieb Ludovic Courtès:
> * gnu/packages/patches/polkit-CVE-2021-4034.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/polkit.scm (polkit-mozjs)[replacement]: New field.
> * gnu/packages/polkit.scm (polkit-mozjs/fixed): New variable.
> ---
>  gnu/local.mk                                  |  1 +
>  .../patches/polkit-CVE-2021-4034.patch        | 82
> +++++++++++++++++++
>  gnu/packages/polkit.scm                       | 13 ++-
>  3 files changed, 95 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/polkit-CVE-2021-4034.patch
> 
> Hi!
> 
> We could avoid grafting and instead use 'polkit/fixed' in 'setuid-
> programs', but it seems safer and less error-prone to graft.
> 
> Thoughts?
Given that there is also a duktape variant, a graft is necessary, no? 
On a related note, polit-duktape inherits polkit-mozjs in a way that
does not require adding a separate graft for it, right?  Assuming both
of the above hold, LGTM.

Cheers
This bug report was last modified 3 years and 115 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.