From db2ef82e0cc7b43786ad603afe3e0afbec4b6a5c Mon Sep 17 00:00:00 2001
From: Jan Rybar
Date: Tue, 12 May 2026 13:33:47 +0200
Subject: [PATCH] CVE-2026-4897: getline() string overflow via unsanitized input

Resolves: CVE-2026-4897
---
 cve-2026-4897-getline-overflow.patch | 63 ++++++++++++++++++++++++++++
 polkit.spec | 8 +++-
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 cve-2026-4897-getline-overflow.patch

diff --git a/cve-2026-4897-getline-overflow.patch b/cve-2026-4897-getline-overflow.patch
new file mode 100644
index 0000000..f3dfa98
--- /dev/null
+++ b/cve-2026-4897-getline-overflow.patch
@@ -0,0 +1,63 @@
+From 6a8e2ef62f807bc155033c6cba506076f95e46df Mon Sep 17 00:00:00 2001
+From: Jan Rybar
+Date: Fri, 27 Mar 2026 15:57:01 +0100
+Subject: [PATCH] CVE-2026-4897 - getline() string overflow
+
+Report and fix by Aisle.com
+Pavel Kohout, Aisle Research
+
+Signed-off-by: Jan Rybar jrybar@redhat.com
+---
+ src/polkitagent/polkitagenthelperprivate.c | 23 +++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/polkitagenthelperprivate.c
+index 35bca85..7e4f94e 100644
+--- a/src/polkitagent/polkitagenthelperprivate.c
++++ b/src/polkitagent/polkitagenthelperprivate.c
+@@ -24,6 +24,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ 
+ #ifndef HAVE_CLEARENV
+@@ -59,21 +60,25 @@ read_cookie (int argc, char **argv)
+ return strdup (argv[2]);
+ else
+ {
+- char *ret = NULL;
+- size_t n = 0;
+- ssize_t r = getline (&ret, &n, stdin);
+- if (r == -1)
++ #define POLKIT_AGENT_MAX_COOKIE 4096
++ char buf[POLKIT_AGENT_MAX_COOKIE + 2]; /* +1 for newline, +1 for NUL */
++ if (fgets (buf, sizeof(buf), stdin) == NULL)
+ {
+ if (!feof (stdin))
+- perror ("getline");
+- free (ret);
++ perror ("fgets");
+ return NULL;
+ }
+- else
++ if (buf[strlen (buf) - 1] != '\n')
+ {
+- g_strchomp (ret);
+- return ret;
++ /* Cookie too long - drain remaining input and reject */
++ int c;
++ while ((c = getchar ()) != '\n' && c != EOF)
++ ;
++ errno = EOVERFLOW;
++ return NULL;
+ }
++ g_strchomp (buf);
++ return strdup (buf);
+ }
+ }
+ 
+-- 
+2.53.0
+
diff --git a/polkit.spec b/polkit.spec
index fd6c487..58edd91 100644
--- a/polkit.spec
+++ b/polkit.spec
@@ -22,7 +22,7 @@ Summary: An authorization framework
 Name: polkit
 Version: 0.117
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: LGPLv2+
 URL: http://www.freedesktop.org/wiki/Software/polkit
 Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
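Review bot: The new length check `if (buf[strlen (buf) - 1] != '\n')` indexes out of bounds when fgets returns an empty string, which happens if the first byte read from stdin is NUL: strlen is then 0, `strlen (buf) - 1` underflows to SIZE_MAX, and the read is undefined behaviour in a helper that is meant to be hardening this exact input path; compute the length once and guard it, `size_t len = strlen (buf);` then `if (len == 0 || buf[len - 1] != '\n')`. A cookie whose line ends at EOF without a trailing newline now also takes the "too long" branch and fails with EOVERFLOW, whereas the removed getline path accepted it after g_strchomp; if that is intended it deserves a comment such as `/* A cookie must be newline-terminated; an unterminated last line is rejected as oversized */`, otherwise the branch could check `!feof (stdin)` before treating the line as oversized. The `#define POLKIT_AGENT_MAX_COOKIE 4096` placed inside the function body is a style point; a file-scope `#define` or an enum next to the file's other constants is the usual form. read_cookie begins before this hunk, and the header name on the `++#include` line added at `@@ -24,6 +24,7 @@` is stripped in this rendering, so whether it provides errno and EOVERFLOW cannot be confirmed here.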
@@ -36,6 +36,7 @@ Patch1005: tty-restore-flags-if-changed.patch
 Patch1006: pkttyagent-coredump-after-eof.patch
 Patch1007: session-monitor-watch-sessions-only.patch
 Patch1008: pkpermission-watch-changed-ssn-only.patch
+Patch1009: cve-2026-4897-getline-overflow.patch
 %if 0%{?bundled_mozjs}
 Source2: https://ftp.mozilla.org/pub/firefox/releases/%{mozjs_version}esr/source/firefox-%{mozjs_version}esr.source.tar.xz
@@ -188,6 +189,7 @@ Libraries files for polkit.
 %patch1006 -p1
 %patch1007 -p1
 %patch1008 -p1
+%patch1009 -p1
 %if 0%{?bundled_mozjs}
 # Extract mozjs archive
@@ -400,6 +402,10 @@ exit 0
 %endif
 %changelog
+* Tue May 12 2026 Jan Rybar - 0.117-15
+- CVE-2026-4897: getline() string overflow via unsanitized input
+- Resolves: CVE-2026-4897
+
 * Tue Aug 05 2025 Jan Rybar - 0.117-14
 - aarch64: test failure with undefined symbol: __aarch64_ldadd4_acq_rel
 - Resolves: RHEL-98662