rebase to polkit-125
Resolves: RHEL-55287
This commit is contained in:
parent
387bf6e79a
commit
22efca9921
1
.gitignore
vendored
1
.gitignore
vendored
@ -43,3 +43,4 @@ polkit-0.98.tar.gz
|
||||
/polkit-122.tar.gz
|
||||
/polkit-123.tar.gz
|
||||
/124.tar.gz
|
||||
/125.tar.gz
|
||||
|
103
92.patch
103
92.patch
@ -1,103 +0,0 @@
|
||||
From 4910132853ad68dbe8f4e7710dd098120d1b9b95 Mon Sep 17 00:00:00 2001
|
||||
From: Xi Ruoyao <xry111@mengyan1223.wang>
|
||||
Date: Tue, 25 Jan 2022 19:19:30 +0800
|
||||
Subject: [PATCH 1/3] jsauthority: ensure to call JS_Init() and JS_ShutDown()
|
||||
exactly once
|
||||
|
||||
Before this commit, we were calling JS_Init() in
|
||||
polkit_backend_js_authority_class_init and never called JS_ShutDown.
|
||||
This is actually a misusage of SpiderMonkey API. Quote from a comment
|
||||
in js/Initialization.h (both mozjs-78 and mozjs-91):
|
||||
|
||||
It is currently not possible to initialize SpiderMonkey multiple
|
||||
times (that is, calling JS_Init/JSAPI methods/JS_ShutDown in that
|
||||
order, then doing so again).
|
||||
|
||||
This misusage does not cause severe issues with mozjs-78. However, when
|
||||
we eventually port jsauthority to use mozjs-91, bad thing will happen:
|
||||
see the test failure mentioned in #150.
|
||||
|
||||
This commit is tested with both mozjs-78 and mozjs-91, all tests pass
|
||||
with it.
|
||||
---
|
||||
src/polkitbackend/polkitbackendjsauthority.cpp | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
|
||||
index ca17108..b22c34e 100644
|
||||
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
|
||||
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
|
||||
@@ -75,6 +75,13 @@
|
||||
|
||||
/* ---------------------------------------------------------------------------------------------------- */
|
||||
|
||||
+static class JsInitHelperType
|
||||
+{
|
||||
+public:
|
||||
+ JsInitHelperType() { JS_Init(); }
|
||||
+ ~JsInitHelperType() { JS_ShutDown(); }
|
||||
+} JsInitHelper;
|
||||
+
|
||||
struct _PolkitBackendJsAuthorityPrivate
|
||||
{
|
||||
gchar **rules_dirs;
|
||||
@@ -589,7 +596,6 @@ polkit_backend_js_authority_finalize (GObject *object)
|
||||
delete authority->priv->js_polkit;
|
||||
|
||||
JS_DestroyContext (authority->priv->cx);
|
||||
- /* JS_ShutDown (); */
|
||||
|
||||
G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->finalize (object);
|
||||
}
|
||||
@@ -666,7 +672,6 @@ polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass)
|
||||
|
||||
g_type_class_add_private (klass, sizeof (PolkitBackendJsAuthorityPrivate));
|
||||
|
||||
- JS_Init ();
|
||||
}
|
||||
|
||||
/* ---------------------------------------------------------------------------------------------------- */
|
||||
--
|
||||
GitLab
|
||||
|
||||
|
||||
From 2b5f49a4e4266d2c327ef55e6df121511e23236b Mon Sep 17 00:00:00 2001
|
||||
From: Xi Ruoyao <xry111@mengyan1223.wang>
|
||||
Date: Tue, 25 Jan 2022 19:20:58 +0800
|
||||
Subject: [PATCH 2/3] jsauthority: port to mozjs-91
|
||||
|
||||
---
|
||||
configure.ac | 2 +-
|
||||
meson.build | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index e434ca2..6783ee7 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
|
||||
AC_SUBST(GLIB_CFLAGS)
|
||||
AC_SUBST(GLIB_LIBS)
|
||||
|
||||
-PKG_CHECK_MODULES(LIBJS, [mozjs-78])
|
||||
+PKG_CHECK_MODULES(LIBJS, [mozjs-91])
|
||||
|
||||
AC_SUBST(LIBJS_CFLAGS)
|
||||
AC_SUBST(LIBJS_CXXFLAGS)
|
||||
--
|
||||
diff --git a/meson.build b/meson.build
|
||||
index 858078d..09cce0f 100644
|
||||
--- a/meson.build
|
||||
+++ b/meson.build
|
||||
@@ -133,7 +133,7 @@ expat_dep = dependency('expat')
|
||||
assert(cc.has_header('expat.h', dependencies: expat_dep), 'Can\'t find expat.h. Please install expat.')
|
||||
assert(cc.has_function('XML_ParserCreate', dependencies: expat_dep), 'Can\'t find expat library. Please install expat.')
|
||||
|
||||
-mozjs_dep = dependency('mozjs-78')
|
||||
+mozjs_dep = dependency('mozjs-91')
|
||||
|
||||
dbus_dep = dependency('dbus-1', required: false)
|
||||
dbus_policydir = pk_prefix / pk_datadir / 'dbus-1/system.d'
|
||||
--
|
||||
GitLab
|
||||
|
@ -1,71 +0,0 @@
|
||||
diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
|
||||
index 8ed1363..2fbf5f1 100644
|
||||
--- a/src/polkit/polkitsystembusname.c
|
||||
+++ b/src/polkit/polkitsystembusname.c
|
||||
@@ -62,6 +62,10 @@ enum
|
||||
PROP_NAME,
|
||||
};
|
||||
|
||||
+
|
||||
+guint8 dbus_call_respond_fails; // has to be global because of callback
|
||||
+
|
||||
+
|
||||
static void subject_iface_init (PolkitSubjectIface *subject_iface);
|
||||
|
||||
G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
|
||||
@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
|
||||
if (!v)
|
||||
{
|
||||
data->caught_error = TRUE;
|
||||
+ dbus_call_respond_fails += 1;
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
|
||||
tmp_context = g_main_context_new ();
|
||||
g_main_context_push_thread_default (tmp_context);
|
||||
|
||||
+ dbus_call_respond_fails = 0;
|
||||
+
|
||||
/* Do two async calls as it's basically as fast as one sync call.
|
||||
*/
|
||||
g_dbus_connection_call (connection,
|
||||
@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
|
||||
on_retrieved_unix_uid_pid,
|
||||
&data);
|
||||
|
||||
- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
|
||||
- g_main_context_iteration (tmp_context, TRUE);
|
||||
+ while (TRUE)
|
||||
+ {
|
||||
+ /* If one dbus call returns error, we must wait until the other call
|
||||
+ * calls _call_finish(), otherwise fd leak is possible.
|
||||
+ * Resolves: GHSL-2021-077
|
||||
+ */
|
||||
|
||||
- if (data.caught_error)
|
||||
- goto out;
|
||||
+ if ( (dbus_call_respond_fails > 1) )
|
||||
+ {
|
||||
+ // we got two faults, we can leave
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
|
||||
+ {
|
||||
+ // we got one fault and the other call finally finished, we can leave
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if ( !(data.retrieved_uid && data.retrieved_pid) )
|
||||
+ {
|
||||
+ g_main_context_iteration (tmp_context, TRUE);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if (out_uid)
|
||||
*out_uid = data.uid;
|
@ -1,79 +0,0 @@
|
||||
From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Rybar <jrybar@redhat.com>
|
||||
Date: Tue, 25 Jan 2022 17:21:46 +0000
|
||||
Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
|
||||
|
||||
---
|
||||
src/programs/pkcheck.c | 5 +++++
|
||||
src/programs/pkexec.c | 23 ++++++++++++++++++++---
|
||||
2 files changed, 25 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
|
||||
index f1bb4e1..768525c 100644
|
||||
--- a/src/programs/pkcheck.c
|
||||
+++ b/src/programs/pkcheck.c
|
||||
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
|
||||
local_agent_handle = NULL;
|
||||
ret = 126;
|
||||
|
||||
+ if (argc < 1)
|
||||
+ {
|
||||
+ exit(126);
|
||||
+ }
|
||||
+
|
||||
/* Disable remote file access from GIO. */
|
||||
setenv ("GIO_USE_VFS", "local", 1);
|
||||
|
||||
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
|
||||
index 7698c5c..84e5ef6 100644
|
||||
--- a/src/programs/pkexec.c
|
||||
+++ b/src/programs/pkexec.c
|
||||
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
|
||||
pid_t pid_of_caller;
|
||||
gpointer local_agent_handle;
|
||||
|
||||
+
|
||||
+ /*
|
||||
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
|
||||
+ */
|
||||
+ if (argc<1)
|
||||
+ {
|
||||
+ exit(127);
|
||||
+ }
|
||||
+
|
||||
ret = 127;
|
||||
authority = NULL;
|
||||
subject = NULL;
|
||||
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
|
||||
|
||||
path = g_strdup (pwstruct.pw_shell);
|
||||
if (!path)
|
||||
- {
|
||||
+ {
|
||||
g_printerr ("No shell configured or error retrieving pw_shell\n");
|
||||
goto out;
|
||||
- }
|
||||
+ }
|
||||
/* If you change this, be sure to change the if (!command_line)
|
||||
case below too */
|
||||
command_line = g_strdup (path);
|
||||
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
|
||||
goto out;
|
||||
}
|
||||
g_free (path);
|
||||
- argv[n] = path = s;
|
||||
+ path = s;
|
||||
+
|
||||
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
|
||||
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
|
||||
+ */
|
||||
+ if (argv[n] != NULL)
|
||||
+ {
|
||||
+ argv[n] = path;
|
||||
+ }
|
||||
}
|
||||
if (access (path, F_OK) != 0)
|
||||
{
|
||||
--
|
||||
GitLab
|
||||
|
@ -1,90 +0,0 @@
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index eea70fc..c4569f1 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -34,7 +34,7 @@ AC_PROG_LN_S
|
||||
AC_SYS_LARGEFILE
|
||||
AM_PROG_CC_C_O
|
||||
AC_PROG_CXX
|
||||
-AX_CXX_COMPILE_STDCXX([14], [], [mandatory])
|
||||
+AX_CXX_COMPILE_STDCXX([17], [], [mandatory])
|
||||
|
||||
# Taken from dbus
|
||||
AC_ARG_ENABLE(ansi, [ --enable-ansi enable -ansi -pedantic gcc flags],enable_ansi=$enableval,enable_ansi=no)
|
||||
@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
|
||||
AC_SUBST(GLIB_CFLAGS)
|
||||
AC_SUBST(GLIB_LIBS)
|
||||
|
||||
-PKG_CHECK_MODULES(LIBJS, [mozjs-68])
|
||||
+PKG_CHECK_MODULES(LIBJS, [mozjs-78])
|
||||
|
||||
AC_SUBST(LIBJS_CFLAGS)
|
||||
AC_SUBST(LIBJS_CXXFLAGS)
|
||||
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
|
||||
index 25bd1f9..ca17108 100644
|
||||
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
|
||||
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
|
||||
@@ -49,6 +49,7 @@
|
||||
#include <js/Realm.h>
|
||||
#include <js/SourceText.h>
|
||||
#include <js/Warnings.h>
|
||||
+#include <js/Array.h>
|
||||
#include <jsapi.h>
|
||||
|
||||
#include "initjs.h" /* init.js */
|
||||
@@ -367,7 +368,7 @@ load_scripts (PolkitBackendJsAuthority *authority)
|
||||
static void
|
||||
reload_scripts (PolkitBackendJsAuthority *authority)
|
||||
{
|
||||
- JS::AutoValueArray<1> args(authority->priv->cx);
|
||||
+ JS::RootedValueArray<1> args(authority->priv->cx);
|
||||
JS::RootedValue rval(authority->priv->cx);
|
||||
|
||||
JS::RootedObject js_polkit(authority->priv->cx, authority->priv->js_polkit->get ());
|
||||
@@ -482,10 +483,6 @@ polkit_backend_js_authority_constructed (GObject *object)
|
||||
if (!JS::InitSelfHostedCode (authority->priv->cx))
|
||||
goto fail;
|
||||
|
||||
- JS::ContextOptionsRef (authority->priv->cx)
|
||||
- .setIon (TRUE)
|
||||
- .setBaseline (TRUE)
|
||||
- .setAsmJS (TRUE);
|
||||
JS::SetWarningReporter(authority->priv->cx, report_error);
|
||||
JS_SetContextPrivate (authority->priv->cx, authority);
|
||||
|
||||
@@ -720,7 +717,7 @@ set_property_strv (PolkitBackendJsAuthority *authority,
|
||||
elems[n].setNull ();
|
||||
}
|
||||
|
||||
- JS::RootedObject array_object(authority->priv->cx, JS_NewArrayObject (authority->priv->cx, elems));
|
||||
+ JS::RootedObject array_object(authority->priv->cx, JS::NewArrayObject (authority->priv->cx, elems));
|
||||
|
||||
value_jsval = JS::ObjectValue (*array_object);
|
||||
JS_SetProperty (authority->priv->cx, obj, name, value_jsval);
|
||||
@@ -1114,7 +1111,7 @@ polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveA
|
||||
{
|
||||
PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
|
||||
GList *ret = NULL;
|
||||
- JS::AutoValueArray<2> args(authority->priv->cx);
|
||||
+ JS::RootedValueArray<2> args(authority->priv->cx);
|
||||
JS::RootedValue rval(authority->priv->cx);
|
||||
guint n;
|
||||
GError *error = NULL;
|
||||
@@ -1218,7 +1215,7 @@ polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAu
|
||||
{
|
||||
PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
|
||||
PolkitImplicitAuthorization ret = implicit;
|
||||
- JS::AutoValueArray<2> args(authority->priv->cx);
|
||||
+ JS::RootedValueArray<2> args(authority->priv->cx);
|
||||
JS::RootedValue rval(authority->priv->cx);
|
||||
GError *error = NULL;
|
||||
JS::RootedString ret_jsstr (authority->priv->cx);
|
||||
@@ -1409,7 +1406,7 @@ js_polkit_spawn (JSContext *cx,
|
||||
JS::CallArgs args = JS::CallArgsFromVp (js_argc, vp);
|
||||
array_object = &args[0].toObject();
|
||||
|
||||
- if (!JS_GetArrayLength (cx, array_object, &array_len))
|
||||
+ if (!JS::GetArrayLength (cx, array_object, &array_len))
|
||||
{
|
||||
JS_ReportErrorUTF8 (cx, "Failed to get array length");
|
||||
goto out;
|
16
polkit.spec
16
polkit.spec
@ -3,8 +3,8 @@
|
||||
#
|
||||
Summary: An authorization framework
|
||||
Name: polkit
|
||||
Version: 124
|
||||
Release: 3%{?dist}
|
||||
Version: 125
|
||||
Release: 1%{?dist}
|
||||
License: LGPL-2.0-or-later
|
||||
URL: https://github.com/polkit-org/polkit
|
||||
Source0: https://github.com/polkit-org/polkit/archive/refs/tags/%{version}.tar.gz
|
||||
@ -24,7 +24,8 @@ BuildRequires: pkgconfig(duktape)
|
||||
BuildRequires: meson
|
||||
BuildRequires: git
|
||||
|
||||
Requires: dbus, polkit-pkla-compat
|
||||
Requires: dbus
|
||||
Recommends: polkit-pkla-compat
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
%{?systemd_requires}
|
||||
%{?sysusers_requires_compat}
|
||||
@ -87,7 +88,7 @@ Libraries files for polkit.
|
||||
-D gtk_doc=true \
|
||||
-D introspection=true \
|
||||
-D man=true \
|
||||
-D session_tracking=libsystemd-login \
|
||||
-D session_tracking=logind \
|
||||
-D tests=false
|
||||
|
||||
%meson_build
|
||||
@ -124,7 +125,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
||||
%{_unitdir}/polkit.service
|
||||
%dir %{_datadir}/polkit-1/
|
||||
%dir %{_datadir}/polkit-1/actions
|
||||
%attr(0750,root,polkitd) %dir %{_datadir}/polkit-1/rules.d
|
||||
%dir %{_datadir}/polkit-1/rules.d
|
||||
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
|
||||
%{_datadir}/polkit-1/policyconfig-1.dtd
|
||||
%dir %{_sysconfdir}/polkit-1
|
||||
@ -137,6 +138,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
||||
%{_bindir}/pkttyagent
|
||||
%dir %{_prefix}/lib/polkit-1
|
||||
%{_prefix}/lib/polkit-1/polkitd
|
||||
%{_tmpfilesdir}/polkit-tmpfiles.conf
|
||||
|
||||
# see upstream docs for why these permissions are necessary
|
||||
%attr(4755,root,root) %{_bindir}/pkexec
|
||||
@ -160,6 +162,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
|
||||
%{_libdir}/girepository-1.0/*.typelib
|
||||
|
||||
%changelog
|
||||
* Tue Aug 20 2024 Jan Rybar <jrybar@redhat.com> - 125-1
|
||||
- rebase to polkit-125
|
||||
- Resolves: RHEL-55287
|
||||
|
||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 124-3
|
||||
- Bump release for June 2024 mass rebuild
|
||||
|
||||
|
@ -1,22 +0,0 @@
|
||||
commit 597d3e0d2643c96cbb1c8282066f0b0bc8534b5c
|
||||
Author: Luca Boccassi <bluca@debian.org>
|
||||
Date: Sun Oct 8 19:34:41 2023 +0100
|
||||
|
||||
unit: drop IPAddressDeny=any
|
||||
|
||||
It is not useful, as only AF_UNIX sockets are permitted anyway, and
|
||||
a network namespace it is used. It requires loading a BPF program
|
||||
which might not work everywhere.
|
||||
|
||||
diff --git a/data/polkit.service.in b/data/polkit.service.in
|
||||
index 4b44a80..539a25d 100644
|
||||
--- a/data/polkit.service.in
|
||||
+++ b/data/polkit.service.in
|
||||
@@ -11,7 +11,6 @@ DevicePolicy=strict
|
||||
ExecStart=@libprivdir@/polkitd --no-debug
|
||||
User=@polkitd_user@
|
||||
Group=@polkitd_user@
|
||||
-IPAddressDeny=any
|
||||
LimitMEMLOCK=0
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (124.tar.gz) = 3c4fe60618cf6e74467dc0efac084a38c93b0a8e4e8c02d36de5ca35634ecff624b6977b54493e9b1ad41aa87693ac3246e14fe6f6b828f57b2012b869af9105
|
||||
SHA512 (125.tar.gz) = 64d85c1557355d6de6483beeb855b74a99dbb30cf9968206dc0aaf147156072ca2604bf667533099ee3972b3eed0421ec0a1ff8bea35a1e4c54da7b9688e0953
|
||||
|
Loading…
Reference in New Issue
Block a user