import polkit-0.115-13.el8_5.1
This commit is contained in:
parent
5948bcba1d
commit
133a8fbc24
69
SOURCES/polkit-0.115-CVE-2021-4034.patch
Normal file
69
SOURCES/polkit-0.115-CVE-2021-4034.patch
Normal file
@ -0,0 +1,69 @@
|
||||
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
|
||||
index f1bb4e1..aff4f60 100644
|
||||
--- a/src/programs/pkcheck.c
|
||||
+++ b/src/programs/pkcheck.c
|
||||
@@ -363,6 +363,12 @@ main (int argc, char *argv[])
|
||||
local_agent_handle = NULL;
|
||||
ret = 126;
|
||||
|
||||
+ if (argc < 1)
|
||||
+ {
|
||||
+ help();
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
/* Disable remote file access from GIO. */
|
||||
setenv ("GIO_USE_VFS", "local", 1);
|
||||
|
||||
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
|
||||
index 7698c5c..d84dc57 100644
|
||||
--- a/src/programs/pkexec.c
|
||||
+++ b/src/programs/pkexec.c
|
||||
@@ -488,6 +488,17 @@ main (int argc, char *argv[])
|
||||
pid_t pid_of_caller;
|
||||
gpointer local_agent_handle;
|
||||
|
||||
+
|
||||
+ /*
|
||||
+ * If 'pkexec' is called wrong, just show help and bail out.
|
||||
+ */
|
||||
+ if (argc<1)
|
||||
+ {
|
||||
+ clearenv();
|
||||
+ usage(argc, argv);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
ret = 127;
|
||||
authority = NULL;
|
||||
subject = NULL;
|
||||
@@ -614,10 +625,10 @@ main (int argc, char *argv[])
|
||||
|
||||
path = g_strdup (pwstruct.pw_shell);
|
||||
if (!path)
|
||||
- {
|
||||
+ {
|
||||
g_printerr ("No shell configured or error retrieving pw_shell\n");
|
||||
goto out;
|
||||
- }
|
||||
+ }
|
||||
/* If you change this, be sure to change the if (!command_line)
|
||||
case below too */
|
||||
command_line = g_strdup (path);
|
||||
@@ -636,7 +647,15 @@ main (int argc, char *argv[])
|
||||
goto out;
|
||||
}
|
||||
g_free (path);
|
||||
- argv[n] = path = s;
|
||||
+ path = s;
|
||||
+
|
||||
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
|
||||
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
|
||||
+ */
|
||||
+ if (argv[n] != NULL)
|
||||
+ {
|
||||
+ argv[n] = path;
|
||||
+ }
|
||||
}
|
||||
if (access (path, F_OK) != 0)
|
||||
{
|
@ -6,7 +6,7 @@
|
||||
Summary: An authorization framework
|
||||
Name: polkit
|
||||
Version: 0.115
|
||||
Release: 12%{?dist}
|
||||
Release: 13%{?dist}.1
|
||||
License: LGPLv2+
|
||||
URL: http://www.freedesktop.org/wiki/Software/polkit
|
||||
Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
|
||||
@ -26,6 +26,7 @@ Patch9: polkit-0.115-move-to-mozjs60.patch
|
||||
Patch10: polkit-0.115-jsauthority-memleak.patch
|
||||
Patch11: polkit-0.115-pkttyagent-tcsaflush-batch-erase.patch
|
||||
Patch12: polkit-0.115-CVE-2021-3560.patch
|
||||
Patch13: polkit-0.115-CVE-2021-4034.patch
|
||||
|
||||
|
||||
BuildRequires: gcc-c++
|
||||
@ -191,6 +192,10 @@ exit 0
|
||||
%{_libdir}/girepository-1.0/*.typelib
|
||||
|
||||
%changelog
|
||||
* Fri Dec 03 2021 Jan Rybar <jrybar@redhat.com> - 0.115-13.el8_5.1
|
||||
- pkexec: argv overflow results in local privilege esc.
|
||||
- Resolves: CVE-2021-4034
|
||||
|
||||
* Tue May 25 2021 Jan Rybar <jrybar@redhat.com> - 0.115-12
|
||||
- early disconnection from D-Bus results in privilege esc.
|
||||
- Resolves: CVE-2021-3560
|
||||
|
Loading…
Reference in New Issue
Block a user