CVE-2026-4897: getline() string overflow via unsanitized input

Resolves: CVE-2026-4897
2026-05-12 13:33:47 +02:00 · 2026-05-12 13:33:47 +02:00 · db2ef82e0c
commit db2ef82e0c
parent 4cd71dd410
2 changed files with 70 additions and 1 deletions
--- a/cve-2026-4897-getline-overflow.patch
+++ b/cve-2026-4897-getline-overflow.patch
@ -0,0 +1,63 @@
+From 6a8e2ef62f807bc155033c6cba506076f95e46df Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Fri, 27 Mar 2026 15:57:01 +0100
+Subject: [PATCH] CVE-2026-4897 - getline() string overflow
+
+Report and fix by Aisle.com
+Pavel Kohout, Aisle Research
+
+Signed-off-by: Jan Rybar jrybar@redhat.com
+---
+ src/polkitagent/polkitagenthelperprivate.c | 23 +++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/polkitagenthelperprivate.c
+index 35bca85..7e4f94e 100644
+--- a/src/polkitagent/polkitagenthelperprivate.c
+++ b/src/polkitagent/polkitagenthelperprivate.c
+@@ -24,6 +24,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
+#include <errno.h>
+ #include <unistd.h>
+ 
+ #ifndef HAVE_CLEARENV
+@@ -59,21 +60,25 @@ read_cookie (int argc, char **argv)
+     return strdup (argv[2]);
+   else
+     {
+-      char *ret = NULL;
+-      size_t n = 0;
+-      ssize_t r = getline (&ret, &n, stdin);
+-      if (r == -1)
+      #define POLKIT_AGENT_MAX_COOKIE 4096
+      char buf[POLKIT_AGENT_MAX_COOKIE + 2]; /* +1 for newline, +1 for NUL */
+      if (fgets (buf, sizeof(buf), stdin) == NULL)
+         {
+           if (!feof (stdin))
+-            perror ("getline");
+-          free (ret);
+            perror ("fgets");
+           return NULL;
+         }
+-      else
+      if (buf[strlen (buf) - 1] != '\n')
+         {
+-          g_strchomp (ret);
+-          return ret;
+          /* Cookie too long - drain remaining input and reject */
+          int c;
+          while ((c = getchar ()) != '\n' && c != EOF)
+            ;
+          errno = EOVERFLOW;
+          return NULL;
+         }
+      g_strchomp (buf);
+      return strdup (buf);
+     }
+ }
+ 
+-- 
+2.53.0
+
--- a/polkit.spec
+++ b/polkit.spec
@ -22,7 +22,7 @@
 Summary: An authorization framework
 Name: polkit
 Version: 0.117
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: LGPLv2+
 URL: http://www.freedesktop.org/wiki/Software/polkit
 Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
@ -36,6 +36,7 @@ Patch1005: tty-restore-flags-if-changed.patch
 Patch1006: pkttyagent-coredump-after-eof.patch
 Patch1007: session-monitor-watch-sessions-only.patch
 Patch1008: pkpermission-watch-changed-ssn-only.patch
+Patch1009: cve-2026-4897-getline-overflow.patch

 %if 0%{?bundled_mozjs}
 Source2: https://ftp.mozilla.org/pub/firefox/releases/%{mozjs_version}esr/source/firefox-%{mozjs_version}esr.source.tar.xz
@ -188,6 +189,7 @@ Libraries files for polkit.
 %patch1006 -p1
 %patch1007 -p1
 %patch1008 -p1
+%patch1009 -p1

 %if 0%{?bundled_mozjs}
 # Extract mozjs archive
@ -400,6 +402,10 @@ exit 0
 %endif

 %changelog
+* Tue May 12 2026 Jan Rybar <jrybar@redhat.com> - 0.117-15
+- CVE-2026-4897: getline() string overflow via unsanitized input
+- Resolves: CVE-2026-4897
+
 * Tue Aug 05 2025 Jan Rybar <jrybar@redhat.com> - 0.117-14
 - aarch64: test failure with undefined symbol: __aarch64_ldadd4_acq_rel
 - Resolves: RHEL-98662