diff --git a/.gitignore b/.gitignore index 4c2c805..c370a79 100644 --- a/.gitignore +++ b/.gitignore @@ -43,3 +43,4 @@ polkit-0.98.tar.gz /polkit-122.tar.gz /polkit-123.tar.gz /124.tar.gz +/125.tar.gz diff --git a/92.patch b/92.patch deleted file mode 100644 index 5fc86d9..0000000 --- a/92.patch +++ /dev/null @@ -1,103 +0,0 @@ -From 4910132853ad68dbe8f4e7710dd098120d1b9b95 Mon Sep 17 00:00:00 2001 -From: Xi Ruoyao -Date: Tue, 25 Jan 2022 19:19:30 +0800 -Subject: [PATCH 1/3] jsauthority: ensure to call JS_Init() and JS_ShutDown() - exactly once - -Before this commit, we were calling JS_Init() in -polkit_backend_js_authority_class_init and never called JS_ShutDown. -This is actually a misusage of SpiderMonkey API. Quote from a comment -in js/Initialization.h (both mozjs-78 and mozjs-91): - - It is currently not possible to initialize SpiderMonkey multiple - times (that is, calling JS_Init/JSAPI methods/JS_ShutDown in that - order, then doing so again). - -This misusage does not cause severe issues with mozjs-78. However, when -we eventually port jsauthority to use mozjs-91, bad thing will happen: -see the test failure mentioned in #150. - -This commit is tested with both mozjs-78 and mozjs-91, all tests pass -with it. ---- - src/polkitbackend/polkitbackendjsauthority.cpp | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp -index ca17108..b22c34e 100644 ---- a/src/polkitbackend/polkitbackendjsauthority.cpp -+++ b/src/polkitbackend/polkitbackendjsauthority.cpp -@@ -75,6 +75,13 @@ - - /* ---------------------------------------------------------------------------------------------------- */ - -+static class JsInitHelperType -+{ -+public: -+ JsInitHelperType() { JS_Init(); } -+ ~JsInitHelperType() { JS_ShutDown(); } -+} JsInitHelper; -+ - struct _PolkitBackendJsAuthorityPrivate - { - gchar **rules_dirs; -@@ -589,7 +596,6 @@ polkit_backend_js_authority_finalize (GObject *object) - delete authority->priv->js_polkit; - - JS_DestroyContext (authority->priv->cx); -- /* JS_ShutDown (); */ - - G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->finalize (object); - } -@@ -666,7 +672,6 @@ polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass) - - g_type_class_add_private (klass, sizeof (PolkitBackendJsAuthorityPrivate)); - -- JS_Init (); - } - - /* ---------------------------------------------------------------------------------------------------- */ --- -GitLab - - -From 2b5f49a4e4266d2c327ef55e6df121511e23236b Mon Sep 17 00:00:00 2001 -From: Xi Ruoyao -Date: Tue, 25 Jan 2022 19:20:58 +0800 -Subject: [PATCH 2/3] jsauthority: port to mozjs-91 - ---- - configure.ac | 2 +- - meson.build | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index e434ca2..6783ee7 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0]) - AC_SUBST(GLIB_CFLAGS) - AC_SUBST(GLIB_LIBS) - --PKG_CHECK_MODULES(LIBJS, [mozjs-78]) -+PKG_CHECK_MODULES(LIBJS, [mozjs-91]) - - AC_SUBST(LIBJS_CFLAGS) - AC_SUBST(LIBJS_CXXFLAGS) --- -diff --git a/meson.build b/meson.build -index 858078d..09cce0f 100644 ---- a/meson.build -+++ b/meson.build -@@ -133,7 +133,7 @@ expat_dep = dependency('expat') - assert(cc.has_header('expat.h', dependencies: expat_dep), 'Can\'t find expat.h. Please install expat.') - assert(cc.has_function('XML_ParserCreate', dependencies: expat_dep), 'Can\'t find expat library. Please install expat.') - --mozjs_dep = dependency('mozjs-78') -+mozjs_dep = dependency('mozjs-91') - - dbus_dep = dependency('dbus-1', required: false) - dbus_policydir = pk_prefix / pk_datadir / 'dbus-1/system.d' --- -GitLab - diff --git a/CVE-2021-4115.patch b/CVE-2021-4115.patch deleted file mode 100644 index 3cb5581..0000000 --- a/CVE-2021-4115.patch +++ /dev/null @@ -1,71 +0,0 @@ -diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c -index 8ed1363..2fbf5f1 100644 ---- a/src/polkit/polkitsystembusname.c -+++ b/src/polkit/polkitsystembusname.c -@@ -62,6 +62,10 @@ enum - PROP_NAME, - }; - -+ -+guint8 dbus_call_respond_fails; // has to be global because of callback -+ -+ - static void subject_iface_init (PolkitSubjectIface *subject_iface); - - G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT, -@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src, - if (!v) - { - data->caught_error = TRUE; -+ dbus_call_respond_fails += 1; - } - else - { -@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus - tmp_context = g_main_context_new (); - g_main_context_push_thread_default (tmp_context); - -+ dbus_call_respond_fails = 0; -+ - /* Do two async calls as it's basically as fast as one sync call. - */ - g_dbus_connection_call (connection, -@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus - on_retrieved_unix_uid_pid, - &data); - -- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) -- g_main_context_iteration (tmp_context, TRUE); -+ while (TRUE) -+ { -+ /* If one dbus call returns error, we must wait until the other call -+ * calls _call_finish(), otherwise fd leak is possible. -+ * Resolves: GHSL-2021-077 -+ */ - -- if (data.caught_error) -- goto out; -+ if ( (dbus_call_respond_fails > 1) ) -+ { -+ // we got two faults, we can leave -+ goto out; -+ } -+ -+ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid))) -+ { -+ // we got one fault and the other call finally finished, we can leave -+ goto out; -+ } -+ -+ if ( !(data.retrieved_uid && data.retrieved_pid) ) -+ { -+ g_main_context_iteration (tmp_context, TRUE); -+ } -+ else -+ { -+ break; -+ } -+ } - - if (out_uid) - *out_uid = data.uid; diff --git a/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch b/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch deleted file mode 100644 index a06300a..0000000 --- a/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch +++ /dev/null @@ -1,79 +0,0 @@ -From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001 -From: Jan Rybar -Date: Tue, 25 Jan 2022 17:21:46 +0000 -Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034) - ---- - src/programs/pkcheck.c | 5 +++++ - src/programs/pkexec.c | 23 ++++++++++++++++++++--- - 2 files changed, 25 insertions(+), 3 deletions(-) - -diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c -index f1bb4e1..768525c 100644 ---- a/src/programs/pkcheck.c -+++ b/src/programs/pkcheck.c -@@ -363,6 +363,11 @@ main (int argc, char *argv[]) - local_agent_handle = NULL; - ret = 126; - -+ if (argc < 1) -+ { -+ exit(126); -+ } -+ - /* Disable remote file access from GIO. */ - setenv ("GIO_USE_VFS", "local", 1); - -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c -index 7698c5c..84e5ef6 100644 ---- a/src/programs/pkexec.c -+++ b/src/programs/pkexec.c -@@ -488,6 +488,15 @@ main (int argc, char *argv[]) - pid_t pid_of_caller; - gpointer local_agent_handle; - -+ -+ /* -+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out. -+ */ -+ if (argc<1) -+ { -+ exit(127); -+ } -+ - ret = 127; - authority = NULL; - subject = NULL; -@@ -614,10 +623,10 @@ main (int argc, char *argv[]) - - path = g_strdup (pwstruct.pw_shell); - if (!path) -- { -+ { - g_printerr ("No shell configured or error retrieving pw_shell\n"); - goto out; -- } -+ } - /* If you change this, be sure to change the if (!command_line) - case below too */ - command_line = g_strdup (path); -@@ -636,7 +645,15 @@ main (int argc, char *argv[]) - goto out; - } - g_free (path); -- argv[n] = path = s; -+ path = s; -+ -+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. -+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination -+ */ -+ if (argv[n] != NULL) -+ { -+ argv[n] = path; -+ } - } - if (access (path, F_OK) != 0) - { --- -GitLab - diff --git a/mozjs78.patch b/mozjs78.patch deleted file mode 100644 index 8db59a4..0000000 --- a/mozjs78.patch +++ /dev/null @@ -1,90 +0,0 @@ -diff --git a/configure.ac b/configure.ac -index eea70fc..c4569f1 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -34,7 +34,7 @@ AC_PROG_LN_S - AC_SYS_LARGEFILE - AM_PROG_CC_C_O - AC_PROG_CXX --AX_CXX_COMPILE_STDCXX([14], [], [mandatory]) -+AX_CXX_COMPILE_STDCXX([17], [], [mandatory]) - - # Taken from dbus - AC_ARG_ENABLE(ansi, [ --enable-ansi enable -ansi -pedantic gcc flags],enable_ansi=$enableval,enable_ansi=no) -@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0]) - AC_SUBST(GLIB_CFLAGS) - AC_SUBST(GLIB_LIBS) - --PKG_CHECK_MODULES(LIBJS, [mozjs-68]) -+PKG_CHECK_MODULES(LIBJS, [mozjs-78]) - - AC_SUBST(LIBJS_CFLAGS) - AC_SUBST(LIBJS_CXXFLAGS) -diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp -index 25bd1f9..ca17108 100644 ---- a/src/polkitbackend/polkitbackendjsauthority.cpp -+++ b/src/polkitbackend/polkitbackendjsauthority.cpp -@@ -49,6 +49,7 @@ - #include - #include - #include -+#include - #include - - #include "initjs.h" /* init.js */ -@@ -367,7 +368,7 @@ load_scripts (PolkitBackendJsAuthority *authority) - static void - reload_scripts (PolkitBackendJsAuthority *authority) - { -- JS::AutoValueArray<1> args(authority->priv->cx); -+ JS::RootedValueArray<1> args(authority->priv->cx); - JS::RootedValue rval(authority->priv->cx); - - JS::RootedObject js_polkit(authority->priv->cx, authority->priv->js_polkit->get ()); -@@ -482,10 +483,6 @@ polkit_backend_js_authority_constructed (GObject *object) - if (!JS::InitSelfHostedCode (authority->priv->cx)) - goto fail; - -- JS::ContextOptionsRef (authority->priv->cx) -- .setIon (TRUE) -- .setBaseline (TRUE) -- .setAsmJS (TRUE); - JS::SetWarningReporter(authority->priv->cx, report_error); - JS_SetContextPrivate (authority->priv->cx, authority); - -@@ -720,7 +717,7 @@ set_property_strv (PolkitBackendJsAuthority *authority, - elems[n].setNull (); - } - -- JS::RootedObject array_object(authority->priv->cx, JS_NewArrayObject (authority->priv->cx, elems)); -+ JS::RootedObject array_object(authority->priv->cx, JS::NewArrayObject (authority->priv->cx, elems)); - - value_jsval = JS::ObjectValue (*array_object); - JS_SetProperty (authority->priv->cx, obj, name, value_jsval); -@@ -1114,7 +1111,7 @@ polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveA - { - PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority); - GList *ret = NULL; -- JS::AutoValueArray<2> args(authority->priv->cx); -+ JS::RootedValueArray<2> args(authority->priv->cx); - JS::RootedValue rval(authority->priv->cx); - guint n; - GError *error = NULL; -@@ -1218,7 +1215,7 @@ polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAu - { - PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority); - PolkitImplicitAuthorization ret = implicit; -- JS::AutoValueArray<2> args(authority->priv->cx); -+ JS::RootedValueArray<2> args(authority->priv->cx); - JS::RootedValue rval(authority->priv->cx); - GError *error = NULL; - JS::RootedString ret_jsstr (authority->priv->cx); -@@ -1409,7 +1406,7 @@ js_polkit_spawn (JSContext *cx, - JS::CallArgs args = JS::CallArgsFromVp (js_argc, vp); - array_object = &args[0].toObject(); - -- if (!JS_GetArrayLength (cx, array_object, &array_len)) -+ if (!JS::GetArrayLength (cx, array_object, &array_len)) - { - JS_ReportErrorUTF8 (cx, "Failed to get array length"); - goto out; diff --git a/polkit.spec b/polkit.spec index 62268bb..054573b 100644 --- a/polkit.spec +++ b/polkit.spec @@ -3,8 +3,8 @@ # Summary: An authorization framework Name: polkit -Version: 124 -Release: 3%{?dist} +Version: 125 +Release: 1%{?dist} License: LGPL-2.0-or-later URL: https://github.com/polkit-org/polkit Source0: https://github.com/polkit-org/polkit/archive/refs/tags/%{version}.tar.gz @@ -24,7 +24,8 @@ BuildRequires: pkgconfig(duktape) BuildRequires: meson BuildRequires: git -Requires: dbus, polkit-pkla-compat +Requires: dbus +Recommends: polkit-pkla-compat Requires: %{name}-libs%{?_isa} = %{version}-%{release} %{?systemd_requires} %{?sysusers_requires_compat} @@ -87,7 +88,7 @@ Libraries files for polkit. -D gtk_doc=true \ -D introspection=true \ -D man=true \ - -D session_tracking=libsystemd-login \ + -D session_tracking=logind \ -D tests=false %meson_build @@ -124,7 +125,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la %{_unitdir}/polkit.service %dir %{_datadir}/polkit-1/ %dir %{_datadir}/polkit-1/actions -%attr(0750,root,polkitd) %dir %{_datadir}/polkit-1/rules.d +%dir %{_datadir}/polkit-1/rules.d %{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy %{_datadir}/polkit-1/policyconfig-1.dtd %dir %{_sysconfdir}/polkit-1 @@ -137,6 +138,7 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la %{_bindir}/pkttyagent %dir %{_prefix}/lib/polkit-1 %{_prefix}/lib/polkit-1/polkitd +%{_tmpfilesdir}/polkit-tmpfiles.conf # see upstream docs for why these permissions are necessary %attr(4755,root,root) %{_bindir}/pkexec @@ -160,6 +162,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la %{_libdir}/girepository-1.0/*.typelib %changelog +* Tue Aug 20 2024 Jan Rybar - 125-1 +- rebase to polkit-125 +- Resolves: RHEL-55287 + * Mon Jun 24 2024 Troy Dawson - 124-3 - Bump release for June 2024 mass rebuild diff --git a/remove-IPAddressDeny.patch b/remove-IPAddressDeny.patch deleted file mode 100644 index c8436bf..0000000 --- a/remove-IPAddressDeny.patch +++ /dev/null @@ -1,22 +0,0 @@ -commit 597d3e0d2643c96cbb1c8282066f0b0bc8534b5c -Author: Luca Boccassi -Date: Sun Oct 8 19:34:41 2023 +0100 - - unit: drop IPAddressDeny=any - - It is not useful, as only AF_UNIX sockets are permitted anyway, and - a network namespace it is used. It requires loading a BPF program - which might not work everywhere. - -diff --git a/data/polkit.service.in b/data/polkit.service.in -index 4b44a80..539a25d 100644 ---- a/data/polkit.service.in -+++ b/data/polkit.service.in -@@ -11,7 +11,6 @@ DevicePolicy=strict - ExecStart=@libprivdir@/polkitd --no-debug - User=@polkitd_user@ - Group=@polkitd_user@ --IPAddressDeny=any - LimitMEMLOCK=0 - LockPersonality=yes - MemoryDenyWriteExecute=yes diff --git a/sources b/sources index 54e28b1..3adc6b7 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (124.tar.gz) = 3c4fe60618cf6e74467dc0efac084a38c93b0a8e4e8c02d36de5ca35634ecff624b6977b54493e9b1ad41aa87693ac3246e14fe6f6b828f57b2012b869af9105 +SHA512 (125.tar.gz) = 64d85c1557355d6de6483beeb855b74a99dbb30cf9968206dc0aaf147156072ca2604bf667533099ee3972b3eed0421ec0a1ff8bea35a1e4c54da7b9688e0953