Avoid unix-process authorization subject when using polkit (bug #1009541, CVE-2013-4325).
Resolves: rhbz#1009541
parent
b5dbf8cf03
commit
c06157892d
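--- /dev/null
+++ b/hplip-CVE-2013-4325.patch
@@ -0,0 +1,21 @@
+diff -up hplip-3.13.7/base/pkit.py.CVE-2013-4325 hplip-3.13.7/base/pkit.py
+--- hplip-3.13.7/base/pkit.py.CVE-2013-4325 2013-07-23 06:18:29.000000000 +0100
++++ hplip-3.13.7/base/pkit.py 2013-09-11 10:54:13.252419283 +0100
+@@ -176,15 +176,10 @@ class PolicyKitService(dbus.service.Obje
+"/org/freedesktop/PolicyKit1/Authority",
+"org.freedesktop.PolicyKit1.Authority")
+policy_kit = dbus.Interface(obj, "org.freedesktop.PolicyKit1.Authority")
+- info = dbus.Interface(connection.get_object("org.freedesktop.DBus",
+- "/org/freedesktop/DBus/Bus",
+- False),
+- "org.freedesktop.DBus")
+- pid = info.GetConnectionUnixProcessID(sender)
+
+subject = (
+- 'unix-process',
+- { 'pid' : dbus.UInt32(pid, variant_level = 1) }
++ 'system-bus-name',
++ { 'name' : dbus.String(sender, variant_level = 1) }
+)
+details = { '' : '' }
+flags = dbus.UInt32(1) # AllowUserInteraction = 0x00000001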
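Review bot: The new `'system-bus-name'` subject in the pkit.py hunk has no comment explaining why the pid-based subject was dropped, so a later cleanup could reintroduce the race. I would add a line above `subject = (` such as `# Identify the caller by its bus name, not its pid: a pid-based subject is racy (CVE-2013-4325)`. The fix also relies on `sender` being the unique connection name supplied by the bus rather than a value the caller can pass in. Where `sender` comes from is outside the hunk, so that is worth confirming in the method signature. The enclosing method starts and ends outside the hunk.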
11
hplip.spec
11
hplip.spec
@ -7,7 +7,7 @@
|
||||
Summary: HP Linux Imaging and Printing Project
|
||||
Name: hplip
|
||||
Version: 3.13.9
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+ and MIT
|
||||
Group: System Environment/Daemons
|
||||
|
||||
@ -37,6 +37,7 @@ Patch19: hplip-makefile-chgrp.patch
|
||||
Patch20: hplip-hpaio-localonly.patch
|
||||
Patch21: hplip-check.patch
|
||||
Patch22: hplip-mkstemp.patch
|
||||
Patch23: hplip-CVE-2013-4325.patch
|
||||
|
||||
%global hpijs_epoch 1
|
||||
Requires: hpijs%{?_isa} = %{hpijs_epoch}:%{version}-%{release}
|
||||
@ -258,6 +259,10 @@ done
|
||||
# Avoid several bugs in createTempFile (bug #925032).
|
||||
%patch22 -p1 -b .mkstemp
|
||||
|
||||
# Applied patch to avoid unix-process authorization subject when using
|
||||
# polkit as it is racy (CVE-2013-4325).
|
||||
%patch23 -p1 -b .CVE-2013-4325
|
||||
|
||||
sed -i.duplex-constraints \
|
||||
-e 's,\(UIConstraints.* \*Duplex\),//\1,' \
|
||||
prnt/drv/hpcups.drv.in
|
||||
@ -487,6 +492,10 @@ rm -f %{buildroot}%{_sysconfdir}/xdg/autostart/hplip-systray.desktop
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Wed Sep 18 2013 Tim Waugh <twaugh@redhat.com> - 3.13.9-2
|
||||
- Applied patch to avoid unix-process authorization subject when using
|
||||
polkit as it is racy (bug #1009541, CVE-2013-4325).
|
||||
|
||||
* Tue Sep 10 2013 Jiri Popelka <jpopelka@redhat.com> - 3.13.9-1
|
||||
- 3.13.9: hplipjs filter removed, several patches applied upstream
|
||||
|
||||
|