rebase to polkit-125

Resolves: RHEL-55287
This commit is contained in:
Jan Rybar 2024-08-20 18:25:02 +02:00
parent 387bf6e79a
commit 22efca9921
8 changed files with 13 additions and 371 deletions

1
.gitignore vendored
View File

@ -43,3 +43,4 @@ polkit-0.98.tar.gz
/polkit-122.tar.gz
/polkit-123.tar.gz
/124.tar.gz
/125.tar.gz

103
92.patch
View File

@ -1,103 +0,0 @@
From 4910132853ad68dbe8f4e7710dd098120d1b9b95 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@mengyan1223.wang>
Date: Tue, 25 Jan 2022 19:19:30 +0800
Subject: [PATCH 1/3] jsauthority: ensure to call JS_Init() and JS_ShutDown()
exactly once
Before this commit, we were calling JS_Init() in
polkit_backend_js_authority_class_init and never called JS_ShutDown.
This is actually a misusage of SpiderMonkey API. Quote from a comment
in js/Initialization.h (both mozjs-78 and mozjs-91):
It is currently not possible to initialize SpiderMonkey multiple
times (that is, calling JS_Init/JSAPI methods/JS_ShutDown in that
order, then doing so again).
This misusage does not cause severe issues with mozjs-78. However, when
we eventually port jsauthority to use mozjs-91, bad thing will happen:
see the test failure mentioned in #150.
This commit is tested with both mozjs-78 and mozjs-91, all tests pass
with it.
---
src/polkitbackend/polkitbackendjsauthority.cpp | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
index ca17108..b22c34e 100644
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
@@ -75,6 +75,13 @@
/* ---------------------------------------------------------------------------------------------------- */
+static class JsInitHelperType
+{
+public:
+ JsInitHelperType() { JS_Init(); }
+ ~JsInitHelperType() { JS_ShutDown(); }
+} JsInitHelper;
+
struct _PolkitBackendJsAuthorityPrivate
{
gchar **rules_dirs;
@@ -589,7 +596,6 @@ polkit_backend_js_authority_finalize (GObject *object)
delete authority->priv->js_polkit;
JS_DestroyContext (authority->priv->cx);
- /* JS_ShutDown (); */
G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->finalize (object);
}
@@ -666,7 +672,6 @@ polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass)
g_type_class_add_private (klass, sizeof (PolkitBackendJsAuthorityPrivate));
- JS_Init ();
}
/* ---------------------------------------------------------------------------------------------------- */
--
GitLab
From 2b5f49a4e4266d2c327ef55e6df121511e23236b Mon Sep 17 00:00:00 2001
From: Xi Ruoyao <xry111@mengyan1223.wang>
Date: Tue, 25 Jan 2022 19:20:58 +0800
Subject: [PATCH 2/3] jsauthority: port to mozjs-91
---
configure.ac | 2 +-
meson.build | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index e434ca2..6783ee7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
AC_SUBST(GLIB_CFLAGS)
AC_SUBST(GLIB_LIBS)
-PKG_CHECK_MODULES(LIBJS, [mozjs-78])
+PKG_CHECK_MODULES(LIBJS, [mozjs-91])
AC_SUBST(LIBJS_CFLAGS)
AC_SUBST(LIBJS_CXXFLAGS)
--
diff --git a/meson.build b/meson.build
index 858078d..09cce0f 100644
--- a/meson.build
+++ b/meson.build
@@ -133,7 +133,7 @@ expat_dep = dependency('expat')
assert(cc.has_header('expat.h', dependencies: expat_dep), 'Can\'t find expat.h. Please install expat.')
assert(cc.has_function('XML_ParserCreate', dependencies: expat_dep), 'Can\'t find expat library. Please install expat.')
-mozjs_dep = dependency('mozjs-78')
+mozjs_dep = dependency('mozjs-91')
dbus_dep = dependency('dbus-1', required: false)
dbus_policydir = pk_prefix / pk_datadir / 'dbus-1/system.d'
--
GitLab

View File

@ -1,71 +0,0 @@
diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
index 8ed1363..2fbf5f1 100644
--- a/src/polkit/polkitsystembusname.c
+++ b/src/polkit/polkitsystembusname.c
@@ -62,6 +62,10 @@ enum
PROP_NAME,
};
+
+guint8 dbus_call_respond_fails; // has to be global because of callback
+
+
static void subject_iface_init (PolkitSubjectIface *subject_iface);
G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
if (!v)
{
data->caught_error = TRUE;
+ dbus_call_respond_fails += 1;
}
else
{
@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
tmp_context = g_main_context_new ();
g_main_context_push_thread_default (tmp_context);
+ dbus_call_respond_fails = 0;
+
/* Do two async calls as it's basically as fast as one sync call.
*/
g_dbus_connection_call (connection,
@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
on_retrieved_unix_uid_pid,
&data);
- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
- g_main_context_iteration (tmp_context, TRUE);
+ while (TRUE)
+ {
+ /* If one dbus call returns error, we must wait until the other call
+ * calls _call_finish(), otherwise fd leak is possible.
+ * Resolves: GHSL-2021-077
+ */
- if (data.caught_error)
- goto out;
+ if ( (dbus_call_respond_fails > 1) )
+ {
+ // we got two faults, we can leave
+ goto out;
+ }
+
+ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
+ {
+ // we got one fault and the other call finally finished, we can leave
+ goto out;
+ }
+
+ if ( !(data.retrieved_uid && data.retrieved_pid) )
+ {
+ g_main_context_iteration (tmp_context, TRUE);
+ }
+ else
+ {
+ break;
+ }
+ }
if (out_uid)
*out_uid = data.uid;

View File

@ -1,79 +0,0 @@
From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Tue, 25 Jan 2022 17:21:46 +0000
Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
---
src/programs/pkcheck.c | 5 +++++
src/programs/pkexec.c | 23 ++++++++++++++++++++---
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index f1bb4e1..768525c 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ exit(126);
+ }
+
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 7698c5c..84e5ef6 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
+ */
+ if (argc<1)
+ {
+ exit(127);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
path = g_strdup (pwstruct.pw_shell);
if (!path)
- {
+ {
g_printerr ("No shell configured or error retrieving pw_shell\n");
goto out;
- }
+ }
/* If you change this, be sure to change the if (!command_line)
case below too */
command_line = g_strdup (path);
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{
--
GitLab

View File

@ -1,90 +0,0 @@
diff --git a/configure.ac b/configure.ac
index eea70fc..c4569f1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -34,7 +34,7 @@ AC_PROG_LN_S
AC_SYS_LARGEFILE
AM_PROG_CC_C_O
AC_PROG_CXX
-AX_CXX_COMPILE_STDCXX([14], [], [mandatory])
+AX_CXX_COMPILE_STDCXX([17], [], [mandatory])
# Taken from dbus
AC_ARG_ENABLE(ansi, [ --enable-ansi enable -ansi -pedantic gcc flags],enable_ansi=$enableval,enable_ansi=no)
@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
AC_SUBST(GLIB_CFLAGS)
AC_SUBST(GLIB_LIBS)
-PKG_CHECK_MODULES(LIBJS, [mozjs-68])
+PKG_CHECK_MODULES(LIBJS, [mozjs-78])
AC_SUBST(LIBJS_CFLAGS)
AC_SUBST(LIBJS_CXXFLAGS)
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
index 25bd1f9..ca17108 100644
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
@@ -49,6 +49,7 @@
#include <js/Realm.h>
#include <js/SourceText.h>
#include <js/Warnings.h>
+#include <js/Array.h>
#include <jsapi.h>
#include "initjs.h" /* init.js */
@@ -367,7 +368,7 @@ load_scripts (PolkitBackendJsAuthority *authority)
static void
reload_scripts (PolkitBackendJsAuthority *authority)
{
- JS::AutoValueArray<1> args(authority->priv->cx);
+ JS::RootedValueArray<1> args(authority->priv->cx);
JS::RootedValue rval(authority->priv->cx);
JS::RootedObject js_polkit(authority->priv->cx, authority->priv->js_polkit->get ());
@@ -482,10 +483,6 @@ polkit_backend_js_authority_constructed (GObject *object)
if (!JS::InitSelfHostedCode (authority->priv->cx))
goto fail;
- JS::ContextOptionsRef (authority->priv->cx)
- .setIon (TRUE)
- .setBaseline (TRUE)
- .setAsmJS (TRUE);
JS::SetWarningReporter(authority->priv->cx, report_error);
JS_SetContextPrivate (authority->priv->cx, authority);
@@ -720,7 +717,7 @@ set_property_strv (PolkitBackendJsAuthority *authority,
elems[n].setNull ();
}
- JS::RootedObject array_object(authority->priv->cx, JS_NewArrayObject (authority->priv->cx, elems));
+ JS::RootedObject array_object(authority->priv->cx, JS::NewArrayObject (authority->priv->cx, elems));
value_jsval = JS::ObjectValue (*array_object);
JS_SetProperty (authority->priv->cx, obj, name, value_jsval);
@@ -1114,7 +1111,7 @@ polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveA
{
PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
GList *ret = NULL;
- JS::AutoValueArray<2> args(authority->priv->cx);
+ JS::RootedValueArray<2> args(authority->priv->cx);
JS::RootedValue rval(authority->priv->cx);
guint n;
GError *error = NULL;
@@ -1218,7 +1215,7 @@ polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAu
{
PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
PolkitImplicitAuthorization ret = implicit;
- JS::AutoValueArray<2> args(authority->priv->cx);
+ JS::RootedValueArray<2> args(authority->priv->cx);
JS::RootedValue rval(authority->priv->cx);
GError *error = NULL;
JS::RootedString ret_jsstr (authority->priv->cx);
@@ -1409,7 +1406,7 @@ js_polkit_spawn (JSContext *cx,
JS::CallArgs args = JS::CallArgsFromVp (js_argc, vp);
array_object = &args[0].toObject();
- if (!JS_GetArrayLength (cx, array_object, &array_len))
+ if (!JS::GetArrayLength (cx, array_object, &array_len))
{
JS_ReportErrorUTF8 (cx, "Failed to get array length");
goto out;

View File

@ -3,8 +3,8 @@
#
Summary: An authorization framework
Name: polkit
Version: 124
Release: 3%{?dist}
Version: 125
Release: 1%{?dist}
License: LGPL-2.0-or-later
URL: https://github.com/polkit-org/polkit
Source0: https://github.com/polkit-org/polkit/archive/refs/tags/%{version}.tar.gz
@ -24,7 +24,8 @@ BuildRequires: pkgconfig(duktape)
BuildRequires: meson
BuildRequires: git
Requires: dbus, polkit-pkla-compat
Requires: dbus
Recommends: polkit-pkla-compat
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%{?systemd_requires}
%{?sysusers_requires_compat}
@ -87,7 +88,7 @@ Libraries files for polkit.
-D gtk_doc=true \
-D introspection=true \
-D man=true \
-D session_tracking=libsystemd-login \
-D session_tracking=logind \
-D tests=false
%meson_build
@ -124,7 +125,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
%{_unitdir}/polkit.service
%dir %{_datadir}/polkit-1/
%dir %{_datadir}/polkit-1/actions
%attr(0750,root,polkitd) %dir %{_datadir}/polkit-1/rules.d
%dir %{_datadir}/polkit-1/rules.d
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
%{_datadir}/polkit-1/policyconfig-1.dtd
%dir %{_sysconfdir}/polkit-1
@ -137,6 +138,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
%{_bindir}/pkttyagent
%dir %{_prefix}/lib/polkit-1
%{_prefix}/lib/polkit-1/polkitd
%{_tmpfilesdir}/polkit-tmpfiles.conf
# see upstream docs for why these permissions are necessary
%attr(4755,root,root) %{_bindir}/pkexec
@ -160,6 +162,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
%{_libdir}/girepository-1.0/*.typelib
%changelog
* Tue Aug 20 2024 Jan Rybar <jrybar@redhat.com> - 125-1
- rebase to polkit-125
- Resolves: RHEL-55287
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 124-3
- Bump release for June 2024 mass rebuild

View File

@ -1,22 +0,0 @@
commit 597d3e0d2643c96cbb1c8282066f0b0bc8534b5c
Author: Luca Boccassi <bluca@debian.org>
Date: Sun Oct 8 19:34:41 2023 +0100
unit: drop IPAddressDeny=any
It is not useful, as only AF_UNIX sockets are permitted anyway, and
a network namespace it is used. It requires loading a BPF program
which might not work everywhere.
diff --git a/data/polkit.service.in b/data/polkit.service.in
index 4b44a80..539a25d 100644
--- a/data/polkit.service.in
+++ b/data/polkit.service.in
@@ -11,7 +11,6 @@ DevicePolicy=strict
ExecStart=@libprivdir@/polkitd --no-debug
User=@polkitd_user@
Group=@polkitd_user@
-IPAddressDeny=any
LimitMEMLOCK=0
LockPersonality=yes
MemoryDenyWriteExecute=yes

View File

@ -1 +1 @@
SHA512 (124.tar.gz) = 3c4fe60618cf6e74467dc0efac084a38c93b0a8e4e8c02d36de5ca35634ecff624b6977b54493e9b1ad41aa87693ac3246e14fe6f6b828f57b2012b869af9105
SHA512 (125.tar.gz) = 64d85c1557355d6de6483beeb855b74a99dbb30cf9968206dc0aaf147156072ca2604bf667533099ee3972b3eed0421ec0a1ff8bea35a1e4c54da7b9688e0953