pkexec: argv overflow results in local privilege esc.
This commit is contained in:
parent
533d69baf4
commit
b46f05b958
72
CVE-2021-4034.patch
Normal file
72
CVE-2021-4034.patch
Normal file
@ -0,0 +1,72 @@
|
||||
commit a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
|
||||
Author: Jan Rybar <jrybar@redhat.com>
|
||||
Date: Tue Jan 25 17:21:46 2022 +0000
|
||||
|
||||
pkexec: local privilege escalation (CVE-2021-4034)
|
||||
|
||||
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
|
||||
index f1bb4e1..768525c 100644
|
||||
--- a/src/programs/pkcheck.c
|
||||
+++ b/src/programs/pkcheck.c
|
||||
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
|
||||
local_agent_handle = NULL;
|
||||
ret = 126;
|
||||
|
||||
+ if (argc < 1)
|
||||
+ {
|
||||
+ exit(126);
|
||||
+ }
|
||||
+
|
||||
/* Disable remote file access from GIO. */
|
||||
setenv ("GIO_USE_VFS", "local", 1);
|
||||
|
||||
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
|
||||
index 7698c5c..84e5ef6 100644
|
||||
--- a/src/programs/pkexec.c
|
||||
+++ b/src/programs/pkexec.c
|
||||
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
|
||||
pid_t pid_of_caller;
|
||||
gpointer local_agent_handle;
|
||||
|
||||
+
|
||||
+ /*
|
||||
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
|
||||
+ */
|
||||
+ if (argc<1)
|
||||
+ {
|
||||
+ exit(127);
|
||||
+ }
|
||||
+
|
||||
ret = 127;
|
||||
authority = NULL;
|
||||
subject = NULL;
|
||||
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
|
||||
|
||||
path = g_strdup (pwstruct.pw_shell);
|
||||
if (!path)
|
||||
- {
|
||||
+ {
|
||||
g_printerr ("No shell configured or error retrieving pw_shell\n");
|
||||
goto out;
|
||||
- }
|
||||
+ }
|
||||
/* If you change this, be sure to change the if (!command_line)
|
||||
case below too */
|
||||
command_line = g_strdup (path);
|
||||
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
|
||||
goto out;
|
||||
}
|
||||
g_free (path);
|
||||
- argv[n] = path = s;
|
||||
+ path = s;
|
||||
+
|
||||
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
|
||||
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
|
||||
+ */
|
||||
+ if (argv[n] != NULL)
|
||||
+ {
|
||||
+ argv[n] = path;
|
||||
+ }
|
||||
}
|
||||
if (access (path, F_OK) != 0)
|
||||
{
|
@ -22,7 +22,7 @@
|
||||
Summary: An authorization framework
|
||||
Name: polkit
|
||||
Version: 0.117
|
||||
Release: 7%{?dist}
|
||||
Release: 8%{?dist}
|
||||
License: LGPLv2+
|
||||
URL: http://www.freedesktop.org/wiki/Software/polkit
|
||||
Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
|
||||
@ -30,6 +30,7 @@ Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.
|
||||
|
||||
Patch1001: mozjs78.patch
|
||||
Patch1002: CVE-2021-3560.patch
|
||||
Patch1003: CVE-2021-4034.patch
|
||||
|
||||
%if 0%{?bundled_mozjs}
|
||||
Source2: https://ftp.mozilla.org/pub/firefox/releases/%{mozjs_version}esr/source/firefox-%{mozjs_version}esr.source.tar.xz
|
||||
@ -175,6 +176,7 @@ Libraries files for polkit.
|
||||
# Apply polkit patches
|
||||
%patch1001 -p1
|
||||
%patch1002 -p1
|
||||
%patch1003 -p1
|
||||
|
||||
%if 0%{?bundled_mozjs}
|
||||
# Extract mozjs archive
|
||||
@ -381,6 +383,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jan 27 2022 Jan Rybar <jrybar@redhat.com> - 0.117-8
|
||||
- pkexec: argv overflow results in local privilege esc.
|
||||
- Resolves: CVE-2021-4034
|
||||
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.117-7
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
Loading…
Reference in New Issue
Block a user