From dbce2686a13057ada4a95455d15eb1d822eb9368 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 7 May 2019 09:55:21 -0400 Subject: [PATCH] import polkit-0.115-6.el8 --- .gitignore | 1 + .polkit.metadata | 1 + SOURCES/polkit-0.115-CVE-2018-19788.patch | 291 +++++++++ SOURCES/polkit-0.115-CVE-2019-6133.patch | 185 ++++++ SOURCES/polkit-0.115-bus-conn-msg-ssh.patch | 60 ++ ...t-0.115-pkttyagent-auth-errmsg-debug.patch | 13 + ...t-0.115-polkitagentlistener-res-leak.patch | 11 + ...lkit-0.115-spawning-zombie-processes.patch | 13 + SOURCES/polkit-0.115.tar.gz.sign | 6 + SPECS/polkit.spec | 569 ++++++++++++++++++ 10 files changed, 1150 insertions(+) create mode 100644 .gitignore create mode 100644 .polkit.metadata create mode 100644 SOURCES/polkit-0.115-CVE-2018-19788.patch create mode 100644 SOURCES/polkit-0.115-CVE-2019-6133.patch create mode 100644 SOURCES/polkit-0.115-bus-conn-msg-ssh.patch create mode 100644 SOURCES/polkit-0.115-pkttyagent-auth-errmsg-debug.patch create mode 100644 SOURCES/polkit-0.115-polkitagentlistener-res-leak.patch create mode 100644 SOURCES/polkit-0.115-spawning-zombie-processes.patch create mode 100644 SOURCES/polkit-0.115.tar.gz.sign create mode 100644 SPECS/polkit.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2b109e1 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/polkit-0.115.tar.gz diff --git a/.polkit.metadata b/.polkit.metadata new file mode 100644 index 0000000..136689d --- /dev/null +++ b/.polkit.metadata @@ -0,0 +1 @@ +208b7e44fcf0f515d067d37307af9ea1419eb305 SOURCES/polkit-0.115.tar.gz diff --git a/SOURCES/polkit-0.115-CVE-2018-19788.patch b/SOURCES/polkit-0.115-CVE-2018-19788.patch new file mode 100644 index 0000000..932975c --- /dev/null +++ b/SOURCES/polkit-0.115-CVE-2018-19788.patch 
@@ -0,0 +1,291 @@ +diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c +index c57a1aaacbb13c4e4297dd812cf5904f2f427b03..309f68918895e0f8b547f8c06f89c6fb1326fe20 100644 +--- a/src/polkit/polkitunixgroup.c ++++ b/src/polkit/polkitunixgroup.c +@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT, + static void + polkit_unix_group_init (PolkitUnixGroup *unix_group) + { ++ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */ + } + + static void +@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object, + GParamSpec *pspec) + { + PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object); ++ gint val; + + switch (prop_id) + { + case PROP_GID: +- unix_group->gid = g_value_get_int (value); ++ val = g_value_get_int (value); ++ g_return_if_fail (val != -1); ++ unix_group->gid = val; + break; + + default: +@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass) + g_param_spec_int ("gid", + "Group ID", + "The UNIX group ID", +- 0, ++ G_MININT, + G_MAXINT, +- 0, ++ -1, + G_PARAM_CONSTRUCT | + G_PARAM_READWRITE | + G_PARAM_STATIC_NAME | +@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group) + */ + void + polkit_unix_group_set_gid (PolkitUnixGroup *group, +- gint gid) ++ gint gid) + { + g_return_if_fail (POLKIT_IS_UNIX_GROUP (group)); ++ g_return_if_fail (gid != -1); + group->gid = gid; + } + +@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group, + PolkitIdentity * + polkit_unix_group_new (gint gid) + { ++ g_return_val_if_fail (gid != -1, NULL); ++ + return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP, + "gid", gid, + NULL)); +diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c +index 972b7776825d5ccf677ed12ed620fc0c52352547..b02b25894ad120d88ea21d4c96ac8dca1821fcf2 100644 +--- a/src/polkit/polkitunixprocess.c ++++ b/src/polkit/polkitunixprocess.c +@@ -159,9 +159,14 @@ polkit_unix_process_set_property 
(GObject *object, + polkit_unix_process_set_pid (unix_process, g_value_get_int (value)); + break; + +- case PROP_UID: +- polkit_unix_process_set_uid (unix_process, g_value_get_int (value)); ++ case PROP_UID: { ++ gint val; ++ ++ val = g_value_get_int (value); ++ g_return_if_fail (val != -1); ++ polkit_unix_process_set_uid (unix_process, val); + break; ++ } + + case PROP_START_TIME: + polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value)); +@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass) + g_param_spec_int ("uid", + "User ID", + "The UNIX user ID", +- -1, ++ G_MININT, + G_MAXINT, + -1, + G_PARAM_CONSTRUCT | +@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process, + gint uid) + { + g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process)); +- g_return_if_fail (uid >= -1); + process->uid = uid; + } + +diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c +index 8bfd3a1fb05ddb56adebd097569a9977b7b922f3..234a6976c573ac65200ee08228cd50111f0c769b 100644 +--- a/src/polkit/polkitunixuser.c ++++ b/src/polkit/polkitunixuser.c +@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT, + static void + polkit_unix_user_init (PolkitUnixUser *unix_user) + { ++ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */ + unix_user->name = NULL; + } + +@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object, + GParamSpec *pspec) + { + PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object); ++ gint val; + + switch (prop_id) + { + case PROP_UID: +- unix_user->uid = g_value_get_int (value); ++ val = g_value_get_int (value); ++ g_return_if_fail (val != -1); ++ unix_user->uid = val; + break; + + default: +@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass) + g_param_spec_int ("uid", + "User ID", + "The UNIX user ID", +- 0, ++ G_MININT, + G_MAXINT, +- 0, ++ -1, + G_PARAM_CONSTRUCT | + G_PARAM_READWRITE | + 
G_PARAM_STATIC_NAME | +@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, + gint uid) + { + g_return_if_fail (POLKIT_IS_UNIX_USER (user)); ++ g_return_if_fail (uid != -1); + user->uid = uid; + } + +@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, + PolkitIdentity * + polkit_unix_user_new (gint uid) + { ++ g_return_val_if_fail (uid != -1, NULL); ++ + return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER, + "uid", uid, + NULL)); +diff --git a/test/data/etc/group b/test/data/etc/group +index 12ef328b21b346ee3828ce3aaf15cca83858bd1d..b9acab97211fdf7db521dc0939b2dcfc2c9e350b 100644 +--- a/test/data/etc/group ++++ b/test/data/etc/group +@@ -5,3 +5,4 @@ john:x:500: + jane:x:501: + sally:x:502: + henry:x:503: ++highuid2:x:4000000000: +diff --git a/test/data/etc/passwd b/test/data/etc/passwd +index 8544febcd8b1720e5577dfb3f0672a6fef29e701..5cf14a5620259f79806192ca935fee84a29ac96d 100644 +--- a/test/data/etc/passwd ++++ b/test/data/etc/passwd +@@ -3,3 +3,5 @@ john:x:500:500:John Done:/home/john:/bin/bash + jane:x:501:501:Jane Smith:/home/jane:/bin/bash + sally:x:502:502:Sally Derp:/home/sally:/bin/bash + henry:x:503:503:Henry Herp:/home/henry:/bin/bash ++highuid1:x:2147483648:2147483648:The first high uid:/home/highuid1:/sbin/nologin ++highuid2:x:4000000000:4000000000:An example high uid:/home/example:/sbin/nologin +diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules +index 446e62291b7fe4c5bacdceb1045350af1a9dc245..98bf062a08cb11fddb7df95d0bcdec1b1ac3587d 100644 +--- a/test/data/etc/polkit-1/rules.d/10-testing.rules ++++ b/test/data/etc/polkit-1/rules.d/10-testing.rules +@@ -53,6 +53,27 @@ polkit.addRule(function(action, subject) { + } + }); + ++polkit.addRule(function(action, subject) { ++ if (action.id == "net.company.john_action") { ++ if (subject.user == "john") { ++ return polkit.Result.YES; ++ } else { ++ return polkit.Result.NO; ++ } ++ } ++}); ++ 
++polkit.addRule(function(action, subject) { ++ if (action.id == "net.company.highuid2_action") { ++ if (subject.user == "highuid2") { ++ return polkit.Result.YES; ++ } else { ++ return polkit.Result.NO; ++ } ++ } ++}); ++ ++ + // --------------------------------------------------------------------- + // variables + +diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c +index b484a26600dbde074ee7d8491f88624fdc83c39c..71aad23e2f5d1a7b15e138f23e6581a31498bad6 100644 +--- a/test/polkitbackend/test-polkitbackendjsauthority.c ++++ b/test/polkitbackend/test-polkitbackendjsauthority.c +@@ -330,6 +330,78 @@ static const RulesTestCase rules_test_cases[] = { + NULL, + POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED, + }, ++ ++ { ++ /* highuid1 is not a member of group 'users', see test/data/etc/group */ ++ "group_membership_with_non_member(highuid22)", ++ "net.company.group.only_group_users", ++ "unix-user:highuid2", ++ NULL, ++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED, ++ }, ++ ++ { ++ /* highuid2 is not a member of group 'users', see test/data/etc/group */ ++ "group_membership_with_non_member(highuid21)", ++ "net.company.group.only_group_users", ++ "unix-user:highuid2", ++ NULL, ++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED, ++ }, ++ ++ { ++ /* highuid1 is not a member of group 'users', see test/data/etc/group */ ++ "group_membership_with_non_member(highuid24)", ++ "net.company.group.only_group_users", ++ "unix-user:2147483648", ++ NULL, ++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED, ++ }, ++ ++ { ++ /* highuid2 is not a member of group 'users', see test/data/etc/group */ ++ "group_membership_with_non_member(highuid23)", ++ "net.company.group.only_group_users", ++ "unix-user:4000000000", ++ NULL, ++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED, ++ }, ++ ++ { ++ /* john is authorized to do this, see 10-testing.rules */ ++ "john_action", ++ "net.company.john_action", ++ "unix-user:john", ++ NULL, ++ 
POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED, ++ }, ++ ++ { ++ /* only john is authorized to do this, see 10-testing.rules */ ++ "jane_action", ++ "net.company.john_action", ++ "unix-user:jane", ++ NULL, ++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED, ++ }, ++ ++ { ++ /* highuid2 is authorized to do this, see 10-testing.rules */ ++ "highuid2_action", ++ "net.company.highuid2_action", ++ "unix-user:highuid2", ++ NULL, ++ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED, ++ }, ++ ++ { ++ /* only highuid2 is authorized to do this, see 10-testing.rules */ ++ "highuid1_action", ++ "net.company.highuid2_action", ++ "unix-user:highuid1", ++ NULL, ++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED, ++ }, + }; + + /* ---------------------------------------------------------------------------------------------------- */ + diff --git a/SOURCES/polkit-0.115-CVE-2019-6133.patch b/SOURCES/polkit-0.115-CVE-2019-6133.patch new file mode 100644 index 0000000..b51807a --- /dev/null +++ b/SOURCES/polkit-0.115-CVE-2019-6133.patch 
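Review bot: In the polkitunixprocess.c part of this patch the `PROP_UID` case now rejects -1 with `g_return_if_fail (val != -1);`, yet the param spec a few lines later keeps `-1` as the default together with `G_PARAM_CONSTRUCT`, so constructing a process object without an explicit uid presumably feeds -1 into this setter and trips the check. The same file also loses the only guard in `polkit_unix_process_set_uid`, so the property path and the direct setter now disagree about whether -1 is acceptable. If -1 is meant to remain the "unset" sentinel for processes, I would drop the check from the property setter and say so in a comment such as `/* -1 means "uid not known yet" for a process; do not reject it here */`. Separately, `g_return_if_fail` disappears when the code is built with `G_DISABLE_CHECKS`, so it should not be the only barrier against `(uid_t) -1` in polkitunixuser.c and polkitunixgroup.c. In the added test table the first two entries both use `"unix-user:highuid2"` although the first comment names highuid1, and the init comment reads `(git_t)` where `(gid_t)` is meant; all touched functions start or end outside the inner hunks.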
@@ -0,0 +1,185 @@ +From 6cc6aafee135ba44ea748250d7d29b562ca190e3 Mon Sep 17 00:00:00 2001 +From: Colin Walters +Date: Fri, 4 Jan 2019 14:24:48 -0500 +Subject: [PATCH] backend: Compare PolkitUnixProcess uids for temporary + authorizations + +It turns out that the combination of `(pid, start time)` is not +enough to be unique. For temporary authorizations, we can avoid +separate users racing on pid reuse by simply comparing the uid. + +https://bugs.chromium.org/p/project-zero/issues/detail?id=1692 + +And the above original email report is included in full in a new comment. + +Reported-by: Jann Horn + +Closes: https://gitlab.freedesktop.org/polkit/polkit/issues/75 +--- + src/polkit/polkitsubject.c | 2 + + src/polkit/polkitunixprocess.c | 71 ++++++++++++++++++- + .../polkitbackendinteractiveauthority.c | 39 +++++++++- + 3 files changed, 110 insertions(+), 2 deletions(-) + +diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c +index d4c1182..ccabd0a 100644 +--- a/src/polkit/polkitsubject.c ++++ b/src/polkit/polkitsubject.c +@@ -99,6 +99,8 @@ polkit_subject_hash (PolkitSubject *subject) + * @b: A #PolkitSubject. + * + * Checks if @a and @b are equal, ie. represent the same subject. ++ * However, avoid calling polkit_subject_equal() to compare two processes; ++ * for more information see the `PolkitUnixProcess` documentation. + * + * This function can be used in e.g. g_hash_table_new(). + * +diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c +index b02b258..78d7251 100644 +--- a/src/polkit/polkitunixprocess.c ++++ b/src/polkit/polkitunixprocess.c +@@ -51,7 +51,10 @@ + * @title: PolkitUnixProcess + * @short_description: Unix processs + * +- * An object for representing a UNIX process. ++ * An object for representing a UNIX process. NOTE: This object as ++ * designed is now known broken; a mechanism to exploit a delay in ++ * start time in the Linux kernel was identified. 
Avoid ++ * calling polkit_subject_equal() to compare two processes. + * + * To uniquely identify processes, both the process id and the start + * time of the process (a monotonic increasing value representing the +@@ -66,6 +69,72 @@ + * polkit_unix_process_new_for_owner() with trusted data. + */ + ++/* See https://gitlab.freedesktop.org/polkit/polkit/issues/75 ++ ++ But quoting the original email in full here to ensure it's preserved: ++ ++ 
From: Jann Horn ++ Subject: [SECURITY] polkit: temporary auth hijacking via PID reuse and non-atomic fork ++ Date: Wednesday, October 10, 2018 5:34 PM ++ ++When a (non-root) user attempts to e.g. control systemd units in the system ++instance from an active session over DBus, the access is gated by a polkit ++policy that requires "auth_admin_keep" auth. This results in an auth prompt ++being shown to the user, asking the user to confirm the action by entering the ++password of an administrator account. ++ ++After the action has been confirmed, the auth decision for "auth_admin_keep" is ++cached for up to five minutes. Subject to some restrictions, similar actions can ++then be performed in this timespan without requiring re-auth: ++ ++ - The PID of the DBus client requesting the new action must match the PID of ++ the DBus client requesting the old action (based on SO_PEERCRED information ++ forwarded by the DBus daemon). ++ - The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22) ++ must not have changed. The granularity of this timestamp is in the ++ millisecond range. ++ - polkit polls every two seconds whether a process with the expected start time ++ still exists. If not, the temporary auth entry is purged. ++ ++Without the start time check, this would obviously be buggy because an attacker ++could simply wait for the legitimate client to disappear, then create a new ++client with the same PID. ++ ++Unfortunately, the start time check is bypassable because fork() is not atomic. ++Looking at the source code of copy_process() in the kernel: ++ ++ p->start_time = ktime_get_ns(); ++ p->real_start_time = ktime_get_boot_ns(); ++ [...] 
++ retval = copy_thread_tls(clone_flags, stack_start, stack_size, p, tls); ++ if (retval) ++ goto bad_fork_cleanup_io; ++ ++ if (pid != &init_struct_pid) { ++ pid = alloc_pid(p->nsproxy->pid_ns_for_children); ++ if (IS_ERR(pid)) { ++ retval = PTR_ERR(pid); ++ goto bad_fork_cleanup_thread; ++ } ++ } ++ ++The ktime_get_boot_ns() call is where the "start time" of the process is ++recorded. The alloc_pid() call is where a free PID is allocated. In between ++these, some time passes; and because the copy_thread_tls() call between them can ++access userspace memory when sys_clone() is invoked through the 32-bit syscall ++entry point, an attacker can even stall the kernel arbitrarily long at this ++point (by supplying a pointer into userspace memory that is associated with a ++userfaultfd or is backed by a custom FUSE filesystem). ++ ++This means that an attacker can immediately call sys_clone() when the victim ++process is created, often resulting in a process that has the exact same start ++time reported in procfs; and then the attacker can delay the alloc_pid() call ++until after the victim process has died and the PID assignment has cycled ++around. This results in an attacker process that polkit can't distinguish from ++the victim process. 
++*/ ++ ++ + /** + * PolkitUnixProcess: + * +diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c +index a1630b9..80e8141 100644 +--- a/src/polkitbackend/polkitbackendinteractiveauthority.c ++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c +@@ -3031,6 +3031,43 @@ temporary_authorization_store_free (TemporaryAuthorizationStore *store) + g_free (store); + } + ++/* See the comment at the top of polkitunixprocess.c */ ++static gboolean ++subject_equal_for_authz (PolkitSubject *a, ++ PolkitSubject *b) ++{ ++ if (!polkit_subject_equal (a, b)) ++ return FALSE; ++ ++ /* Now special case unix processes, as we want to protect against ++ * pid reuse by including the UID. ++ */ ++ if (POLKIT_IS_UNIX_PROCESS (a) && POLKIT_IS_UNIX_PROCESS (b)) { ++ PolkitUnixProcess *ap = (PolkitUnixProcess*)a; ++ int uid_a = polkit_unix_process_get_uid ((PolkitUnixProcess*)a); ++ PolkitUnixProcess *bp = (PolkitUnixProcess*)b; ++ int uid_b = polkit_unix_process_get_uid ((PolkitUnixProcess*)b); ++ ++ if (uid_a != -1 && uid_b != -1) ++ { ++ if (uid_a == uid_b) ++ { ++ return TRUE; ++ } ++ else ++ { ++ g_printerr ("denying slowfork; pid %d uid %d != %d!\n", ++ polkit_unix_process_get_pid (ap), ++ uid_a, uid_b); ++ return FALSE; ++ } ++ } ++ /* Fall through; one of the uids is unset so we can't reliably compare */ ++ } ++ ++ return TRUE; ++} ++ + static gboolean + temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *store, + PolkitSubject *subject, +@@ -3073,7 +3110,7 @@ temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *st + TemporaryAuthorization *authorization = l->data; + + if (strcmp (action_id, authorization->action_id) == 0 && +- polkit_subject_equal (subject_to_use, authorization->subject)) ++ subject_equal_for_authz (subject_to_use, authorization->subject)) + { + ret = TRUE; + if (out_tmp_authz_id != NULL) +-- +2.19.2 + 
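Review bot: `subject_equal_for_authz` fails open when either uid is -1. The `if (uid_a != -1 && uid_b != -1)` block is skipped and the function returns TRUE on the strength of `polkit_subject_equal` alone, which is presumably the (pid, start time) comparison that the commit message calls insufficient. Whether a PolkitUnixProcess can reach this point with an unset uid is not visible here, so either fail closed for unix processes with `if (uid_a == -1 || uid_b == -1) return FALSE;`, or state next to the fall-through comment why an unset uid cannot occur for a cached temporary authorization. `bp` is assigned but never used, and the uids are fetched through repeated raw casts; `polkit_unix_process_get_uid (ap)` and `polkit_unix_process_get_uid (bp)` would read better. The caller `temporary_authorization_store_has_authorization` continues outside its hunk.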
diff --git a/SOURCES/polkit-0.115-bus-conn-msg-ssh.patch b/SOURCES/polkit-0.115-bus-conn-msg-ssh.patch
new file mode 100644
index 0000000..f2dcb1a
--- /dev/null
+++ b/SOURCES/polkit-0.115-bus-conn-msg-ssh.patch
@@ -0,0 +1,60 @@ +From 0ce0a7b3298d7b0fd5ce8c6775bcef9b0caf1bdb Mon Sep 17 00:00:00 2001 +From: David Herrmann +Date: Wed, 4 Jul 2018 13:51:24 +0200 +Subject: [PATCH] polkitagent: suppress disconnect messages + +The polkitagent may be used by pkexec and friends. These might very +well survive until very late during system shutdown. Hence, a +disconnect of polkitd during runtime might be expected [1]. + +This patch silences the disconnect/reconnect messages and turns them +into debug messages. This only affects the polkit-agent, it does not +affect the polkit-daemon implementation. + +[1] https://bugzilla.redhat.com/show_bug.cgi?id=1249627 +--- + src/polkitagent/polkitagentlistener.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/polkitagent/polkitagentlistener.c b/src/polkitagent/polkitagentlistener.c +index debd1bb..1c8b666 100644 +--- a/src/polkitagent/polkitagentlistener.c ++++ b/src/polkitagent/polkitagentlistener.c +@@ -178,10 +178,10 @@ on_notify_authority_owner (GObject *object, + owner = polkit_authority_get_owner (server->authority); + if (owner == NULL) + { +- g_printerr ("PolicyKit daemon disconnected from the bus.\n"); ++ g_debug ("PolicyKit daemon disconnected from the bus.\n"); + + if (server->is_registered) +- g_printerr ("We are no longer a registered authentication agent.\n"); ++ g_debug ("We are no longer a registered authentication agent.\n"); + + server->is_registered = FALSE; + } +@@ -192,17 +192,17 @@ on_notify_authority_owner (GObject *object, + { + GError *error; + +- g_printerr ("PolicyKit daemon reconnected to bus.\n"); +- g_printerr ("Attempting to re-register as an authentication agent.\n"); ++ g_debug ("PolicyKit daemon reconnected to bus.\n"); ++ g_debug ("Attempting to re-register as an authentication agent.\n"); + + error = NULL; + if (server_register (server, &error)) + { +- g_printerr ("We are now a registered authentication agent.\n"); ++ g_debug ("We are now a registered authentication 
agent.\n"); + } + else + { +- g_printerr ("Failed to register as an authentication agent: %s\n", error->message); ++ g_debug ("Failed to register as an authentication agent: %s\n", error->message); + g_error_free (error); + } + } +-- +2.18.0 + diff --git a/SOURCES/polkit-0.115-pkttyagent-auth-errmsg-debug.patch b/SOURCES/polkit-0.115-pkttyagent-auth-errmsg-debug.patch new file mode 100644 index 0000000..0b66c49 --- /dev/null +++ b/SOURCES/polkit-0.115-pkttyagent-auth-errmsg-debug.patch @@ -0,0 +1,13 @@ +diff -up ./src/programs/pkttyagent.c.ori ./src/programs/pkttyagent.c +--- ./src/programs/pkttyagent.c.ori 2018-08-01 15:51:28.495910434 +0200 ++++ ./src/programs/pkttyagent.c 2018-08-02 15:51:45.126311197 +0200 +@@ -150,7 +150,8 @@ main (int argc, char *argv[]) + authority = polkit_authority_get_sync (NULL /* GCancellable* */, &error); + if (authority == NULL) + { +- g_printerr ("Error getting authority: %s (%s, %d)\n", ++ g_printerr ("Authorization not available. Check if polkit service is running or see debug message for more information.\n"); ++ g_debug ("Error getting authority: %s (%s, %d)\n", + error->message, g_quark_to_string (error->domain), error->code); + g_error_free (error); + ret = 127; diff --git a/SOURCES/polkit-0.115-polkitagentlistener-res-leak.patch b/SOURCES/polkit-0.115-polkitagentlistener-res-leak.patch new file mode 100644 index 0000000..b07cd2b --- /dev/null +++ b/SOURCES/polkit-0.115-polkitagentlistener-res-leak.patch @@ -0,0 +1,11 @@ +diff -up ./src/polkitagent/polkitagentlistener.c.ori ./src/polkitagent/polkitagentlistener.c +--- ./src/polkitagent/polkitagentlistener.c.ori 2018-08-10 14:58:58.555475169 +0200 ++++ ./src/polkitagent/polkitagentlistener.c 2018-08-10 14:59:15.900396570 +0200 +@@ -439,6 +439,7 @@ polkit_agent_listener_register_with_opti + server->thread_initialization_error = NULL; + g_thread_join (server->thread); + server_free (server); ++ server = NULL; + goto out; + } + } 
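Review bot: The failed re-registration branch in `on_notify_authority_owner` is now logged with `g_debug`, which GLib's default handler hides unless debug output is enabled, so an agent that could not re-register after polkitd came back leaves no trace by default. Silencing the disconnect and reconnect notices is reasonable, but I would keep the failure visible, e.g. `g_warning ("Failed to register as an authentication agent: %s", error->message);`. `g_debug` also appends its own newline, so the trailing `\n` kept in every converted string here, and in the `g_debug` call added by polkit-0.115-pkttyagent-auth-errmsg-debug.patch, leaves a blank line after each message. The function starts and ends outside the hunks.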
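Review bot: The added `server = NULL;` in polkit-0.115-polkitagentlistener-res-leak.patch looks like more than a leak fix and deserves a comment saying so. `server_free (server)` has just run and control jumps to `out`, so if that label returns `server` (not visible in this hunk) the caller was previously handed a freed pointer. Something like `/* server was freed above; the out: path must not hand it back */` would keep the line from being dropped later as redundant. `polkit_agent_listener_register_with_options` starts and ends outside the hunk.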
diff --git a/SOURCES/polkit-0.115-spawning-zombie-processes.patch b/SOURCES/polkit-0.115-spawning-zombie-processes.patch new file mode 100644 index 0000000..9cb1bf7 --- /dev/null +++ b/SOURCES/polkit-0.115-spawning-zombie-processes.patch @@ -0,0 +1,13 @@ +diff -up ./src/polkitbackend/polkitbackendjsauthority.cpp.ori ./src/polkitbackend/polkitbackendjsauthority.cpp +--- ./src/polkitbackend/polkitbackendjsauthority.cpp.ori 2018-04-03 22:57:57.000000000 +0200 ++++ ./src/polkitbackend/polkitbackendjsauthority.cpp 2018-08-14 16:47:48.416993302 +0200 +@@ -1595,7 +1595,8 @@ utils_spawn_data_free (UtilsSpawnData *d + (GSourceFunc) utils_child_watch_from_release_cb, + source, + (GDestroyNotify) g_source_destroy); +- g_source_attach (source, data->main_context); ++ /* attach source to the global default main context */ ++ g_source_attach (source, NULL); + g_source_unref (source); + data->child_pid = 0; + } diff --git a/SOURCES/polkit-0.115.tar.gz.sign b/SOURCES/polkit-0.115.tar.gz.sign new file mode 100644 index 0000000..cffd264 --- /dev/null +++ b/SOURCES/polkit-0.115.tar.gz.sign @@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iF0EABECAB0WIQTBl22e2Rp0WcvOUxRaM/Zgs4R53wUCW0S8UgAKCRBaM/Zgs4R5 +3wNmAJ9YYc3MgbepSXr0mqWdiL93TmYMvwCeNf1e4EGsqndw9DP3CbpICMN7gV0= +=mAps +-----END PGP SIGNATURE----- diff --git a/SPECS/polkit.spec b/SPECS/polkit.spec new file mode 100644 index 0000000..407b82f --- /dev/null +++ b/SPECS/polkit.spec 
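Review bot: The new comment in `utils_spawn_data_free` says where the child-watch source is attached but not why, and the why is the whole fix. Judging from the function name and the patch title, `data->main_context` is presumably released together with `data`, so a source attached to it would never be dispatched and the child would never be reaped; attaching to the default context only helps if some thread actually iterates that context. After confirming that assumption I would spell it out, e.g. `/* data->main_context goes away with data; attach to the default main context so the child watch still fires and the child is reaped */`. The function starts and ends outside the hunk.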
@@ -0,0 +1,569 @@ +# Only enable if using patches that touches configure.ac, +# Makefile.am or other build system related files +# +#define enable_autoreconf 1 + +Summary: An authorization framework +Name: polkit +Version: 0.115 +Release: 6%{?dist} +License: LGPLv2+ +URL: http://www.freedesktop.org/wiki/Software/polkit +Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz +Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign +Group: System Environment/Libraries + + +Patch1: polkit-0.115-bus-conn-msg-ssh.patch +Patch2: polkit-0.115-pkttyagent-auth-errmsg-debug.patch +Patch3: polkit-0.115-polkitagentlistener-res-leak.patch +Patch4: polkit-0.115-spawning-zombie-processes.patch +Patch5: polkit-0.115-CVE-2018-19788.patch +Patch6: polkit-0.115-CVE-2019-6133.patch + + +BuildRequires: gcc-c++ +BuildRequires: glib2-devel >= 2.30.0 +BuildRequires: expat-devel +BuildRequires: pam-devel +BuildRequires: gtk-doc +BuildRequires: intltool +BuildRequires: gobject-introspection-devel +BuildRequires: systemd, systemd-devel +BuildRequires: pkgconfig(mozjs-52) +BuildRequires: git + +%if 0%{?enable_autoreconf} +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +%endif + +Requires: dbus, polkit-pkla-compat +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +Requires(pre): shadow-utils +Requires(post): /sbin/ldconfig, systemd +Requires(preun): systemd +Requires(postun): /sbin/ldconfig, systemd + +Obsoletes: PolicyKit <= 0.10 +Provides: PolicyKit = 0.11 + +# polkit saw some API/ABI changes from 0.96 to 0.97 so require a +# sufficiently new polkit-gnome package +Conflicts: polkit-gnome < 0.97 + +Obsoletes: polkit-desktop-policy < 0.103 +Provides: polkit-desktop-policy = 0.103 + +Obsoletes: polkit-js-engine < 0.110-4 +Provides: polkit-js-engine = %{version}-%{release} + +# when -libs was split out, handle multilib upgrade path -- rex +Obsoletes: polkit < 0.113-3 + +%description +polkit is a 
toolkit for defining and handling authorizations. It is +used for allowing unprivileged processes to speak to privileged +processes. + +%package devel +Summary: Development files for polkit +Group: Development/Libraries +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %name-docs = %{version}-%{release} +Requires: glib2-devel +Obsoletes: PolicyKit-devel <= 0.10 +Provides: PolicyKit-devel = 0.11 + +%description devel +Development files for polkit. + +%package docs +Summary: Development documentation for polkit +Group: Development/Libraries +Requires: %name-devel = %{version}-%{release} +Obsoletes: PolicyKit-docs <= 0.10 +Provides: PolicyKit-docs = 0.11 +BuildArch: noarch + +%description docs +Development documentation for polkit. + +%package libs +Summary: Libraries for polkit +Group: Development/Libraries + +%description libs +Libraries files for polkit. + + +%prep +%autosetup -S git + +%build +%if 0%{?enable_autoreconf} +autoreconf -i +%endif +# we can't use _hardened_build here, see +# https://bugzilla.redhat.com/show_bug.cgi?id=962005 +export CFLAGS='-fPIC %optflags' +export LDFLAGS='-pie -Wl,-z,now -Wl,-z,relro' +%configure --enable-gtk-doc \ + --disable-static \ + --enable-introspection \ + --disable-examples \ + --enable-libsystemd-login=yes --with-mozjs=mozjs-17.0 +make V=1 + +%install +make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p' + +rm -f $RPM_BUILD_ROOT%{_libdir}/*.la + +%find_lang polkit-1 + +%pre +getent group polkitd >/dev/null || groupadd -r polkitd +getent passwd polkitd >/dev/null || useradd -r -g polkitd -d / -s /sbin/nologin -c "User for polkitd" polkitd +exit 0 + +%post +# The implied (systemctl preset) will fail and complain, but the macro hides +# and ignores the fact. This is in fact what we want, polkit.service does not +# have an [Install] section and it is always started on demand. 
+%systemd_post polkit.service
+
+%preun
+%systemd_preun polkit.service
+
+%postun
+%systemd_postun_with_restart polkit.service
+
+%files -f polkit-1.lang
+%doc COPYING NEWS README
+%{_datadir}/man/man1/*
+%{_datadir}/man/man8/*
+%{_datadir}/dbus-1/system-services/*
+%{_unitdir}/polkit.service
+%dir %{_datadir}/polkit-1/
+%dir %{_datadir}/polkit-1/actions
+%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
+%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
+%dir %{_sysconfdir}/polkit-1
+%{_sysconfdir}/polkit-1/rules.d/50-default.rules
+%attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
+%{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
+%{_sysconfdir}/pam.d/polkit-1
+%{_bindir}/pkaction
+%{_bindir}/pkcheck
+%{_bindir}/pkttyagent
+%dir %{_prefix}/lib/polkit-1
+%{_prefix}/lib/polkit-1/polkitd
+
+# see upstream docs for why these permissions are necessary
+%attr(4755,root,root) %{_bindir}/pkexec
+%attr(4755,root,root) %{_prefix}/lib/polkit-1/polkit-agent-helper-1
+
+%files devel
+%{_libdir}/lib*.so
+%{_libdir}/pkgconfig/*.pc
+%{_datadir}/gir-1.0/*.gir
+%{_includedir}/*
+%{_datadir}/gettext/its/polkit.its
+%{_datadir}/gettext/its/polkit.loc
+
+%files docs
+%{_datadir}/gtk-doc
+
+%post libs -p /sbin/ldconfig
+%postun libs -p /sbin/ldconfig
+
+%files libs
+%{_libdir}/lib*.so.*
+%{_libdir}/girepository-1.0/*.typelib
+
+%changelog
+* Mon Jan 21 2019 Jan Rybar - 0.115-6
+- Fix of CVE-2019-6133, PID reuse via slow fork
+- Resolves: rhbz#1667778
+
+* Thu Dec 06 2018 Jan Rybar - 0.115-5
+- Fix of CVE-2018-19788, priv escalation with high UIDs
+- Resolves: rhbz#1656378
+
+* Thu Aug 16 2018 Jan Rybar - 0.115-4
+- Spawned zombie subprocesses not reaped
+- Resolves: rhbz#1616282
+
+* Fri Aug 10 2018 Jan Rybar - 0.115-3
+- Resource leak found by static analyzer
+- Resolves: rhbz#1602661
+
+* Tue Aug 07 2018 Jan Rybar - 0.115-2
+- Error message about getting authority is too elaborate (forward of #1342855)
+- Bus disconnection report moved to debug mode (forward of #1249627)
+
+* Tue Jul 10 2018 Miloslav Trmač - 0.115-1
+- Update to 0.115 (CVE-2018-1116)
+
+* Tue Apr 03 2018 Ray Strode - 0.114-1
+- Update to 0.114
+
+* Fri Feb 09 2018 Fedora Release Engineering - 0.113-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering - 0.113-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 0.113-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Apr 13 2017 Richard Hughes - 0.113-13
+- Add the its files from upstream.
+
+* Tue Apr 4 2017 Miloslav Trmač - 0.113-12
+- Fix a memory leak in PolkitPermission.
+ Patch by Rui Matos
+ Resolves: #1433915
+
+* Tue Apr 4 2017 Miloslav Trmač - 0.113-11
+- Revert back to the state in 0.113-7, undoing the untested changes.
+
+* Tue Apr 4 2017 Peter Robinson 0.113-10
+- Move to an upstream snapshot, rebase patches
+
+* Fri Mar 31 2017 Rex Dieter - 0.113-9
+- restore Provides: polkit-desktop-policy polkit-js-engine
+
+* Thu Mar 30 2017 Peter Robinson 0.113-8
+- Use %%license, license needs to be in -libs as it's the only guaranteed installed package
+- Move to mozjs38
+- Other upstream fixes
+- Spec cleanups
+
+* Mon Feb 13 2017 Miloslav Trmač - 0.113-7
+- Fix memory leaks when calling authentication agents
+ Resolves: #1380166
+
+* Sat Feb 11 2017 Fedora Release Engineering - 0.113-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering - 0.113-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Jul 14 2015 Miloslav Trmač - 0.113-4
+- Bump the Obsoletes: to < 0.113-3 to account for the non-split 0.113-2.fc21
+ Resolves: #1243004
+
+* Sun Jul 12 2015 Rex Dieter 0.113-3
+- Obsoletes: polkit < 0.112-8 (handle multilib upgrade path)
+
+* Fri Jul 10 2015 Miloslav Trmač - 0.113-2
+- Add a fully versioned dependency from polkit to polkit-libs
+ Resolves: #1241759
+- Require polkit-libs, not polkit, in polkit-devel
+
+* Thu Jul 2 2015 Miloslav Trmač - 0.113-1
+- Update to polkit-0.113 (CVE-2015-3218, CVE-2015-3255, CVE-2015-3256,
+ CVE-2015-4625)
+ Resolves: #910262, #1175061, #1177930, #1194391, #1228739, #1233810
+
+* Fri Jun 19 2015 Miloslav Trmač - 0.112-11
+- Add BuildRequires: systemd so that %%{_unitdir} is defined, to fix the build.
+
+* Thu Jun 18 2015 Fedora Release Engineering - 0.112-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sun Jan 25 2015 Rex Dieter - 0.112-9
+- polkit doesn't release reference counters of GVariant data (#1180886)
+- fix ldconfig scriptlets (move to -libs subpkg)
+
+* Sat Nov 08 2014 Colin Walters - 0.112-8
+- Split separate -libs package, so that NetworkManager can just depend on
+ that, without dragging in the daemon (as well as libmozjs17). This
+ allows the creation of more minimal systems that want programs like NM,
+ but do not need the configurability of the daemon; it would be ok if only
+ root is authorized.
+
+* Sun Aug 17 2014 Fedora Release Engineering - 0.112-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Jul 22 2014 Kalev Lember - 0.112-6
+- Rebuilt for gobject-introspection 1.41.4
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.112-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Jun 5 2014 Kay Sievers - 0.112-4
+- backport upstream D-Bus "user bus" changes
+
+* Mon Feb 10 2014 Miloslav Trmač - 0.112-3
+- Fix a PolkitAgentSession race condition
+ Resolves: #1063193
+
+* Sat Dec 7 2013 Miloslav Trmač - 0.112-2
+- Workaround pam_systemd setting broken XDG_RUNTIME_DIR
+ Resolves: #1033774
+- Always use mozjs-17.0 even if js-devel is installed
+
+* Wed Sep 18 2013 Miloslav Trmač - 0.112-1
+- Update to polkit-0.112
+- Resolves: #1009538, CVE-2013-4288
+
+* Sun Aug 04 2013 Fedora Release Engineering - 0.111-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed May 29 2013 Tomas Bzatek - 0.111-2
+- Fix a race on PolkitSubject type registration (#866718)
+
+* Wed May 15 2013 Miloslav Trmač - 0.111-1
+- Update to polkit-0.111
+ Resolves: #917888
+- Use SpiderMonkey from mozjs17 instead of js
+- Ship the signature in the srpm
+- Try to preserve timestamps in (make install)
+
+* Fri May 10 2013 Miloslav Trmač - 0.110-4
+- Shut up rpmlint about Summary:
+- Build with V=1
+- Use %%{_unitdir} instead of hard-coding the path
+- Use the new systemd macros, primarily to run (systemctl daemon-reload)
+ Resolves: #857382
+
+* Fri May 10 2013 Miloslav Trmač - 0.110-4
+- Make the JavaScript engine mandatory. The polkit-js-engine package has been
+ removed, main polkit package Provides:polkit-js-engine for compatibility.
+- Add Requires: polkit-pkla-compat
+ Resolves: #908808
+
+* Wed Feb 13 2013 Miloslav Trmač - 0.110-3
+- Don't ship pk-example-frobnicate in the "live" configuration
+ Resolves: #878112
+
+* Fri Feb 8 2013 Miloslav Trmač - 0.110-2
+- Own %%{_docdir}/polkit-js-engine-*
+ Resolves: #907668
+
+* Wed Jan 9 2013 David Zeuthen - 0.110-1%{?dist}
+- Update to upstream release 0.110
+
+* Mon Jan 7 2013 Matthias Clasen - 0.109-2%{?dist}
+- Build with pie and stuff
+
+* Wed Dec 19 2012 David Zeuthen 0.109-1%{?dist}
+- Update to upstream release 0.109
+- Drop upstreamed patches
+
+* Thu Nov 15 2012 David Zeuthen 0.108-3%{?dist}
+- Attempt to open the correct libmozjs185 library, otherwise polkit
+ authz rules will not work unless js-devel is installed (fdo #57146)
+
+* Wed Nov 14 2012 David Zeuthen 0.108-2%{?dist}
+- Include gmodule-2.0 to avoid build error
+
+* Wed Nov 14 2012 David Zeuthen 0.108-1%{?dist}
+- Update to upstream release 0.108
+- Drop upstreamed patches
+- This release dynamically loads the JavaScript interpreter and can
+ cope with it not being available. In this case, polkit authorization
+ rules are not processed and the defaults for an action - as defined
+ in its .policy file - are used for authorization decisions.
+- Add new meta-package, polkit-js-engine, that pulls in the required
+ JavaScript bits to make polkit authorization rules work. The default
+ install - not the minimal install - should include this package
+
+* Wed Oct 10 2012 Adam Jackson 0.107-4
+- Don't crash if initializing the server object fails
+
+* Tue Sep 18 2012 David Zeuthen 0.107-3%{?dist}
+- Authenticate as root if e.g. the wheel group is empty (#834494)
+
+* Fri Jul 27 2012 Fedora Release Engineering - 0.107-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed Jul 11 2012 David Zeuthen 0.107-1%{?dist}
+- Update to upstream release 0.107
+
+* Fri Jun 29 2012 David Zeuthen 0.106-2%{?dist}
+- Add forgotten Requires(pre): shadow-utils
+
+* Thu Jun 07 2012 David Zeuthen 0.106-1%{?dist}
+- Update to upstream release 0.106
+- Authorizations are no longer controlled by .pkla files - from now
+ on, use the new .rules files described in the polkit(8) man page
+
+* Tue Apr 24 2012 David Zeuthen 0.105-1%{?dist}
+- Update to upstream release 0.105
+- Nuke patches that are now upstream
+- Change 'PolicyKit' to 'polkit' in summary and descriptions
+
+* Thu Mar 08 2012 David Zeuthen 0.104-6%{?dist}
+- Don't leak file descriptors (bgo #671486)
+
+* Mon Feb 13 2012 Matthias Clasen - 0.104-5%{?dist}
+- Make the -docs subpackage noarch
+
+* Mon Feb 06 2012 David Zeuthen 0.104-4%{?dist}
+- Set error if we cannot obtain a PolkitUnixSession for a given PID (#787222)
+
+* Sat Jan 14 2012 Fedora Release Engineering - 0.104-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Jan 03 2012 David Zeuthen 0.104-2%{?dist}
+- Nuke the ConsoleKit run-time requirement
+
+* Tue Jan 03 2012 David Zeuthen 0.104-1%{?dist}
+- Update to upstream release 0.104
+- Force usage of systemd (instead of ConsoleKit) for session tracking
+
+* Tue Dec 06 2011 David Zeuthen 0.103-1%{?dist}
+- Update to upstream release 0.103
+- Drop upstreamed patch
+- Drop Fedora-specific policy, it is now upstream (fdo #41008)
+
+* Wed Oct 26 2011 Fedora Release Engineering - 0.102-3
+- Rebuilt for glibc bug#747377
+
+* Tue Oct 18 2011 David Zeuthen 0.102-2%{?dist}
+- Add patch to neuter the annoying systemd behavior where stdout/stderr
+ is sent to the system logs
+
+* Thu Aug 04 2011 David Zeuthen 0.102-1
+- Update to 0.102 release
+
+* Fri May 13 2011 Bastien Nocera 0.101-7
+- Allow setting the pretty hostname without a password for wheel,
+ change matches systemd in git
+
+* Mon May 2 2011 Matthias Clasen - 0.101-6
+- Update the action id of the datetime mechanism
+
+* Tue Apr 19 2011 David Zeuthen - 0.101-5
+- CVE-2011-1485 (#697951)
+
+* Tue Mar 22 2011 Kevin Kofler - 0.101-4
+- Also allow org.kde.kcontrol.kcmclock.save without password for wheel
+
+* Thu Mar 17 2011 David Zeuthen - 0.101-3
+- Fix typo in pkla file (thanks notting)
+
+* Thu Mar 17 2011 David Zeuthen - 0.101-2
+- Nuke desktop_admin_r and desktop_user_r groups - just use the
+ wheel group instead (#688363)
+- Update the set of configuration directives that gives users
+ in the wheel group extra privileges
+
+* Thu Mar 03 2011 David Zeuthen - 0.101-1
+- New upstream version
+
+* Mon Feb 21 2011 David Zeuthen - 0.100-1
+- New upstream version
+
+* Wed Feb 09 2011 Fedora Release Engineering - 0.98-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Jan 28 2011 Matthias Clasen - 0.98-6
+- Own /usr/libexec/polkit-1
+
+* Fri Nov 12 2010 Matthias Clasen - 0.98-5
+- Enable introspection
+
+* Thu Sep 02 2010 David Zeuthen - 0.98-4
+- Fix #629515 in a way that doesn't require autoreconf
+
+* Thu Sep 02 2010 David Zeuthen - 0.98-2
+- Include polkitagentenumtypes.h (#629515)
+
+* Mon Aug 23 2010 Matthias Clasen - 0.98-1
+- Update to upstream release 0.98
+- Co-own /usr/share/gtk-doc (#604410)
+
+* Wed Aug 18 2010 Matthias Clasen - 0.97-5
+- Rebuid to work around bodhi limitations
+
+* Wed Aug 18 2010 Matthias Clasen - 0.97-4
+- Fix a ConsoleKit interaction bug
+
+* Fri Aug 13 2010 David Zeuthen - 0.97-3
+- Add a patch to make pkcheck(1) work the way libvirtd uses it (#623257)
+- Require GLib >= 2.25.12 instead of 2.25.11
+- Ensure polkit-gnome packages earlier than 0.97 are not used with
+ these packages
+
+* Mon Aug 09 2010 David Zeuthen - 0.97-2
+- Rebuild
+
+* Mon Aug 09 2010 David Zeuthen - 0.97-1
+- Update to 0.97. This release contains a port from EggDBus to the
+ GDBus code available in recent GLib releases.
+
+* Fri Jan 15 2010 David Zeuthen - 0.96-1
+- Update to 0.96
+- Disable introspection support for the time being
+
+* Fri Nov 13 2009 David Zeuthen - 0.95-2
+- Rebuild
+
+* Fri Nov 13 2009 David Zeuthen - 0.95-1
+- Update to 0.95
+- Drop upstreamed patches
+
+* Tue Oct 20 2009 Matthias Clasen - 0.95-0.git20090913.3
+- Fix a typo in pklocalauthority(8)
+
+* Mon Sep 14 2009 David Zeuthen - 0.95-0.git20090913.2
+- Refine how Obsolete: is used and also add Provides: (thanks Jesse
+ Keating and nim-nim)
+
+* Mon Sep 14 2009 David Zeuthen - 0.95-0.git20090913.1
+- Add bugfix for polkit_unix_process_new_full() (thanks Bastien Nocera)
+- Obsolete old PolicyKit packages
+
+* Sun Sep 13 2009 David Zeuthen - 0.95-0.git20090913
+- Update to git snapshot
+- Drop upstreamed patches
+- Turn on GObject introspection
+- Don't delete desktop_admin_r and desktop_user_r groups when
+ uninstalling polkit-desktop-policy
+
+* Fri Sep 11 2009 David Zeuthen - 0.94-4
+- Add some patches from git master
+- Sort pkaction(1) output
+- Bug 23867 – UnixProcess vs. SystemBusName aliasing
+
+* Thu Aug 13 2009 David Zeuthen - 0.94-3
+- Add desktop_admin_r and desktop_user_r groups along with a first cut
+ of default authorizations for users in these groups.
+
+* Wed Aug 12 2009 David Zeuthen - 0.94-2
+- Disable GObject Introspection for now as it breaks the build
+
+* Wed Aug 12 2009 David Zeuthen - 0.94-1
+- Update to upstream release 0.94
+
+* Sun Jul 26 2009 Fedora Release Engineering - 0.93-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jul 20 2009 David Zeuthen - 0.93-2
+- Rebuild
+
+* Mon Jul 20 2009 David Zeuthen - 0.93-1
+- Update to 0.93
+
+* Tue Jun 09 2009 David Zeuthen - 0.92-3
+- Don't make docs noarch (I *heart* multilib)
+- Change license to LGPLv2+
+
+* Mon Jun 08 2009 David Zeuthen - 0.92-2
+- Rebuild
+
+* Mon Jun 08 2009 David Zeuthen - 0.92-1
+- Update to 0.92 release
+
+* Wed May 27 2009 David Zeuthen - 0.92-0.git20090527
+- Update to 0.92 snapshot
+
+* Mon Feb 9 2009 David Zeuthen - 0.91-1
+- Initial spec file.