#53549 - [PATCH] gnu: polkit: Fix CVE-2021-4034.

GNU bug report logs - #53549
[PATCH] gnu: polkit: Fix CVE-2021-4034.

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Wed, 26 Jan 2022 11:57:02 UTC

Severity: important

Tags: patch, security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Message #17 received at 53549-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org> To: Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at> Cc: 53549-done <at> debbugs.gnu.org Subject: Re: bug#53549: [PATCH] gnu: polkit: Fix CVE-2021-4034. Date: Wed, 26 Jan 2022 17:56:37 +0100

Hi, Liliana Marie Prikler <liliana.prikler <at> ist.tugraz.at> skribis: > Am Mittwoch, dem 26.01.2022 um 12:56 +0100 schrieb Ludovic Courtès: >> * gnu/packages/patches/polkit-CVE-2021-4034.patch: New file. >> * gnu/local.mk (dist_patch_DATA): Add it. >> * gnu/packages/polkit.scm (polkit-mozjs)[replacement]: New field. >> * gnu/packages/polkit.scm (polkit-mozjs/fixed): New variable. >> --- >> gnu/local.mk | 1 + >> .../patches/polkit-CVE-2021-4034.patch | 82 >> +++++++++++++++++++ >> gnu/packages/polkit.scm | 13 ++- >> 3 files changed, 95 insertions(+), 1 deletion(-) >> create mode 100644 gnu/packages/patches/polkit-CVE-2021-4034.patch >> >> Hi! >> >> We could avoid grafting and instead use 'polkit/fixed' in 'setuid- >> programs', but it seems safer and less error-prone to graft. >> >> Thoughts? > Given that there is also a duktape variant, a graft is necessary, no? > On a related note, polit-duktape inherits polkit-mozjs in a way that > does not require adding a separate graft for it, right? Assuming both > of the above hold, LGTM. The duktape variant is defined with ‘package/inherit’ and thus it automatically gets a replacement with the patch: --8<---------------cut here---------------start------------->8--- $ ./pre-inst-env guix build polkit-duktape --no-grafts /gnu/store/z92ymaf84ij8f37cm1wrkkmgrw2slrym-polkit-duktape-0.120 $ ./pre-inst-env guix build polkit-duktape /gnu/store/3g55nhkcbc0a4l7b26gxsalxq0rq1cs7-polkit-duktape-0.121 $ guix gc -R $(./pre-inst-env guix build polkit-duktape -d) |grep polkit-CVE /gnu/store/lxms944bda56ll590dsrkkhc9n2h3xws-polkit-CVE-2021-4034.patch --8<---------------cut here---------------end--------------->8--- Pushed as 3993d33d1c0129b1ca6f0fd122fe2bbe48e4f093. Thanks for taking a look! Ludo’.

This bug report was last modified 3 years and 115 days ago.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #53549 [PATCH] gnu: polkit: Fix CVE-2021-4034.

GNU bug report logs - #53549
[PATCH] gnu: polkit: Fix CVE-2021-4034.