pkexec: argv overflow results in local privilege esc.

This commit is contained in:
Jan Rybar 2022-01-27 17:10:23 +00:00
parent 533d69baf4
commit b46f05b958
2 changed files with 79 additions and 1 deletions

72
CVE-2021-4034.patch Normal file
View File

@ -0,0 +1,72 @@
commit a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
Author: Jan Rybar <jrybar@redhat.com>
Date: Tue Jan 25 17:21:46 2022 +0000
pkexec: local privilege escalation (CVE-2021-4034)
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index f1bb4e1..768525c 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ exit(126);
+ }
+
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 7698c5c..84e5ef6 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
+ */
+ if (argc<1)
+ {
+ exit(127);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
path = g_strdup (pwstruct.pw_shell);
if (!path)
- {
+ {
g_printerr ("No shell configured or error retrieving pw_shell\n");
goto out;
- }
+ }
/* If you change this, be sure to change the if (!command_line)
case below too */
command_line = g_strdup (path);
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{

View File

@ -22,7 +22,7 @@
Summary: An authorization framework
Name: polkit
Version: 0.117
Release: 7%{?dist}
Release: 8%{?dist}
License: LGPLv2+
URL: http://www.freedesktop.org/wiki/Software/polkit
Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
@ -30,6 +30,7 @@ Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.
Patch1001: mozjs78.patch
Patch1002: CVE-2021-3560.patch
Patch1003: CVE-2021-4034.patch
%if 0%{?bundled_mozjs}
Source2: https://ftp.mozilla.org/pub/firefox/releases/%{mozjs_version}esr/source/firefox-%{mozjs_version}esr.source.tar.xz
@ -175,6 +176,7 @@ Libraries files for polkit.
# Apply polkit patches
%patch1001 -p1
%patch1002 -p1
%patch1003 -p1
%if 0%{?bundled_mozjs}
# Extract mozjs archive
@ -381,6 +383,10 @@ exit 0
%endif
%changelog
* Thu Jan 27 2022 Jan Rybar <jrybar@redhat.com> - 0.117-8
- pkexec: argv overflow results in local privilege esc.
- Resolves: CVE-2021-4034
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.117-7
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688