rpms
/
polkit
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import polkit-0.115-9.el8

This commit is contained in:
CentOS Sources 2019-11-05 17:01:42 -05:00 committed by Andrew Lukoshko
parent dbce2686a1
commit 34b189cfb0
4 changed files with 283 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
SOURCES/polkit-0.115-allow-uid-of-1.patch Normal file
View File

@ -0,0 +1,20 @@
diff -up ./src/polkit/polkitunixprocess.c.ori ./src/polkit/polkitunixprocess.c
--- ./src/polkit/polkitunixprocess.c.ori 2019-02-06 16:47:23.460666237 +0100
+++ ./src/polkit/polkitunixprocess.c 2019-02-06 16:47:43.846573792 +0100
@@ -211,14 +211,9 @@ polkit_unix_process_set_property (GObjec
polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
break;
- case PROP_UID: {
- gint val;
-
- val = g_value_get_int (value);
- g_return_if_fail (val != -1);
- polkit_unix_process_set_uid (unix_process, val);
+ case PROP_UID:
+ polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
break;
- }
case PROP_START_TIME:
polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));

148
SOURCES/polkit-0.115-move-to-mozjs60.patch Normal file
View File

@ -0,0 +1,148 @@
diff --git a/configure.ac b/configure.ac
index 5c37e481147466fd5a3a0a6b814f20fd2fe6bce8..5cedb4eca980f050fb5855ab577e93100adf8fec 100644
--- a/configure.ac
+++ b/configure.ac
@@ -79,7 +79,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
AC_SUBST(GLIB_CFLAGS)
AC_SUBST(GLIB_LIBS)
-PKG_CHECK_MODULES(LIBJS, [mozjs-52])
+PKG_CHECK_MODULES(LIBJS, [mozjs-60])
AC_SUBST(LIBJS_CFLAGS)
AC_SUBST(LIBJS_CXXFLAGS)
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
index 76027149d4dfdc54064be48a3aeafeec8326a67b..984a0f0e579d51c09117f4e495b0c3fdc46fe61b 100644
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
@@ -150,18 +150,17 @@ G_DEFINE_TYPE (PolkitBackendJsAuthority, polkit_backend_js_authority, POLKIT_BAC
/* ---------------------------------------------------------------------------------------------------- */
static const struct JSClassOps js_global_class_ops = {
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL
+ nullptr, // addProperty
+ nullptr, // deleteProperty
+ nullptr, // enumerate
+ nullptr, // newEnumerate
+ nullptr, // resolve
+ nullptr, // mayResolve
+ nullptr, // finalize
+ nullptr, // call
+ nullptr, // hasInstance
+ nullptr, // construct
+ JS_GlobalObjectTraceHook
};
static JSClass js_global_class = {
@@ -172,18 +171,17 @@ static JSClass js_global_class = {
/* ---------------------------------------------------------------------------------------------------- */
static const struct JSClassOps js_polkit_class_ops = {
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL
+ nullptr, // addProperty
+ nullptr, // deleteProperty
+ nullptr, // enumerate
+ nullptr, // newEnumerate
+ nullptr, // resolve
+ nullptr, // mayResolve
+ nullptr, // finalize
+ nullptr, // call
+ nullptr, // hasInstance
+ nullptr, // construct
+ nullptr // trace
};
static JSClass js_polkit_class = {
@@ -469,19 +467,18 @@ polkit_backend_js_authority_constructed (GObject *object)
{
JS::CompartmentOptions compart_opts;
- compart_opts.behaviors().setVersion(JSVERSION_LATEST);
+
JS::RootedObject global(authority->priv->cx);
authority->priv->js_global = new JS::Heap<JSObject*> (JS_NewGlobalObject (authority->priv->cx, &js_global_class, NULL, JS::FireOnNewGlobalHook, compart_opts));
global = authority->priv->js_global->get ();
-
- if (global == NULL)
+ if (!global)
goto fail;
authority->priv->ac = new JSAutoCompartment(authority->priv->cx, global);
- if (authority->priv->ac == NULL)
+ if (!authority->priv->ac)
goto fail;
if (!JS_InitStandardClasses (authority->priv->cx, global))
@@ -493,7 +490,7 @@ polkit_backend_js_authority_constructed (GObject *object)
polkit = authority->priv->js_polkit->get ();
- if (polkit == NULL)
+ if (!polkit)
goto fail;
if (!JS_DefineProperty(authority->priv->cx, global, "polkit", polkit, JSPROP_ENUMERATE))
@@ -504,7 +501,7 @@ polkit_backend_js_authority_constructed (GObject *object)
js_polkit_functions))
goto fail;
- JS::CompileOptions options(authority->priv->cx, JSVERSION_UNKNOWN);
+ JS::CompileOptions options(authority->priv->cx);
JS::RootedValue rval(authority->priv->cx);
if (!JS::Evaluate (authority->priv->cx,
options,
@@ -684,7 +681,9 @@ set_property_strv (PolkitBackendJsAuthority *authority,
JS::AutoValueVector elems(authority->priv->cx);
guint n;
- elems.resize(value->len);
+ if (!elems.resize(value->len))
+ g_error ("Unable to resize vector");
+
for (n = 0; n < value->len; n++)
{
const char *c_string = (const char *) g_ptr_array_index(value, n);
@@ -741,7 +740,7 @@ subject_to_jsval (PolkitBackendJsAuthority *authority,
GError **error)
{
gboolean ret = FALSE;
- JS::CompileOptions options(authority->priv->cx, JSVERSION_UNKNOWN);
+ JS::CompileOptions options(authority->priv->cx);
const char *src;
JS::RootedObject obj(authority->priv->cx);
pid_t pid;
@@ -868,7 +867,7 @@ action_and_details_to_jsval (PolkitBackendJsAuthority *authority,
GError **error)
{
gboolean ret = FALSE;
- JS::CompileOptions options(authority->priv->cx, JSVERSION_UNKNOWN);
+ JS::CompileOptions options(authority->priv->cx);
const char *src;
JS::RootedObject obj(authority->priv->cx);
gchar **keys;

94
SOURCES/polkit-0.115-pkttyagent-tty-echo-off-on-fail.patch Normal file
View File

@ -0,0 +1,94 @@
commit bfb722bbe5a503095cc7e860f282b142f5aa75f1
Author: Jan Rybar <jrybar@redhat.com>
Date: Fri Mar 15 16:07:53 2019 +0000
pkttyagent: PolkitAgentTextListener leaves echo tty disabled if SIGINT/SIGTERM
If no password is typed into terminal during authentication raised by PolkitAgentTextListener, pkttyagent sends kill (it receives from systemctl/hostnamectl e.g.) without chance to restore echoing back on. This cannot be done in on_request() since it's run in a thread without guarantee the signal is distributed there.
diff --git a/src/programs/pkttyagent.c b/src/programs/pkttyagent.c
index 3f324b8..3c8d502 100644
--- a/src/programs/pkttyagent.c
+++ b/src/programs/pkttyagent.c
@@ -25,11 +25,44 @@
#include <stdio.h>
#include <stdlib.h>
+#include <signal.h>
+#include <termios.h>
#include <glib/gi18n.h>
#include <polkit/polkit.h>
#define POLKIT_AGENT_I_KNOW_API_IS_SUBJECT_TO_CHANGE
#include <polkitagent/polkitagent.h>
+
+static volatile sig_atomic_t tty_flags_saved;
+struct termios ts;
+FILE *tty = NULL;
+struct sigaction savesigterm, savesigint, savesigtstp;
+
+
+static void tty_handler(int signal)
+{
+ switch (signal)
+ {
+ case SIGTERM:
+ sigaction (SIGTERM, &savesigterm, NULL);
+ break;
+ case SIGINT:
+ sigaction (SIGINT, &savesigint, NULL);
+ break;
+ case SIGTSTP:
+ sigaction (SIGTSTP, &savesigtstp, NULL);
+ break;
+ }
+
+ if (tty_flags_saved)
+ {
+ tcsetattr (fileno (tty), TCSAFLUSH, &ts);
+ }
+
+ kill(getpid(), signal);
+}
+
+
int
main (int argc, char *argv[])
{
@@ -74,6 +107,8 @@ main (int argc, char *argv[])
GMainLoop *loop = NULL;
guint ret = 126;
GVariantBuilder builder;
+ struct sigaction sa;
+ const char *tty_name = NULL;
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
@@ -212,6 +247,27 @@ main (int argc, char *argv[])
}
}
+/* Bash leaves tty echo disabled if SIGINT/SIGTERM comes to polkitagenttextlistener.c::on_request(),
+ but due to threading the handlers cannot take care of the signal there.
+ Though if controlling terminal cannot be found, the world won't stop spinning.
+*/
+ tty_name = ctermid(NULL);
+ if (tty_name != NULL)
+ {
+ tty = fopen(tty_name, "r+");
+ }
+
+ if (tty != NULL && !tcgetattr (fileno (tty), &ts))
+ {
+ tty_flags_saved = TRUE;
+ }
+
+ memset (&sa, 0, sizeof (sa));
+ sa.sa_handler = &tty_handler;
+ sigaction (SIGTERM, &sa, &savesigterm);
+ sigaction (SIGINT, &sa, &savesigint);
+ sigaction (SIGTSTP, &sa, &savesigtstp);
+
loop = g_main_loop_new (NULL, FALSE);
g_main_loop_run (loop);

25
SPECS/polkit.spec
View File

@ -1,12 +1,12 @@
# Only enable if using patches that touches configure.ac,
# Makefile.am or other build system related files
#
#define enable_autoreconf 1
%define enable_autoreconf 1
Summary: An authorization framework
Name: polkit
Version: 0.115
Release: 6%{?dist}
Release: 9%{?dist}
License: LGPLv2+
URL: http://www.freedesktop.org/wiki/Software/polkit
Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
@ -20,6 +20,9 @@ Patch3: polkit-0.115-polkitagentlistener-res-leak.patch
Patch4: polkit-0.115-spawning-zombie-processes.patch
Patch5: polkit-0.115-CVE-2018-19788.patch
Patch6: polkit-0.115-CVE-2019-6133.patch
Patch7: polkit-0.115-pkttyagent-tty-echo-off-on-fail.patch
Patch8: polkit-0.115-allow-uid-of-1.patch
Patch9: polkit-0.115-move-to-mozjs60.patch
BuildRequires: gcc-c++
@ -30,7 +33,7 @@ BuildRequires: gtk-doc
BuildRequires: intltool
BuildRequires: gobject-introspection-devel
BuildRequires: systemd, systemd-devel
BuildRequires: pkgconfig(mozjs-52)
BuildRequires: pkgconfig(mozjs-60)
BuildRequires: git
%if 0%{?enable_autoreconf}
@ -114,7 +117,7 @@ export LDFLAGS='-pie -Wl,-z,now -Wl,-z,relro'
--disable-static \
--enable-introspection \
--disable-examples \
--enable-libsystemd-login=yes --with-mozjs=mozjs-17.0
--enable-libsystemd-login=yes
make V=1
%install
@ -185,6 +188,20 @@ exit 0
%{_libdir}/girepository-1.0/*.typelib
%changelog
* Tue Sep 10 2019 Jan Rybar <jrybar@redhat.com> - 0.115-9
- Rebuild to reflect mozjs60 s390 abi change
- Related: rhbz#1746889
* Thu Jun 13 2019 Jan Rybar <jrybar@redhat.com> - 0.115-8
- Backport changing dependency to mozjs60
- Resolves: rhbz#1729416
* Thu Jun 13 2019 Jan Rybar <jrybar@redhat.com> - 0.115-7
- pkttyagent: polkit-agent-helper-1 timeout leaves tty echo disabled
- Mitigation of regression caused by fix of CVE-2018-19788
- Resolves: rhbz#1693781
- Resolves: rhbz#1693814
* Mon Jan 21 2019 Jan Rybar <jrybar@redhat.com> - 0.115-6
- Fix of CVE-2019-6133, PID reuse via slow fork
- Resolves: rhbz#1667778