import polkit-0.117-10.el9_0

This commit is contained in:
CentOS Sources 2022-05-17 06:32:32 -04:00 committed by Stepan Oksanichenko
commit e3dfdee702
21 changed files with 7290 additions and 0 deletions

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/firefox-78.10.0esr.source.tar.xz
SOURCES/polkit-0.117.tar.gz

2
.polkit.metadata Normal file
View File

@ -0,0 +1,2 @@
547bac33732774993bd8223de9acfeedcc69a10d SOURCES/firefox-78.10.0esr.source.tar.xz
0c375fa621bc9f74f2972e00fb517a408f419adf SOURCES/polkit-0.117.tar.gz

View File

@ -0,0 +1,30 @@
From db3a0a25b97377b388532b23e73a10d246f66496 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= <fzatlouk@redhat.com>
Date: Mon, 3 Aug 2020 10:27:00 +0200
Subject: [PATCH] Skip failing tests on ppc64 and s390x
ppc64 and s390x: non262/extensions/clone-errors.js
s390x: test262/built-ins/TypedArray/prototype/set/typedarray-arg-set-values-same-buffer-other-type.js
---
js/src/tests/jstests.list | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/js/src/tests/jstests.list b/js/src/tests/jstests.list
index 4085ce3..4f014f5 100644
--- a/js/src/tests/jstests.list
+++ b/js/src/tests/jstests.list
@@ -56,6 +56,11 @@ skip-if(!this.hasOwnProperty('addIntlExtras')) include test262/intl402/DisplayNa
skip-if(!this.hasOwnProperty("Atomics")) include test262/built-ins/Atomics/jstests.list
skip-if(!this.hasOwnProperty("SharedArrayBuffer")) include test262/built-ins/SharedArrayBuffer/jstests.list
+# Crashes on s390x and ppc64, avoid it
+skip-if(xulRuntime.XPCOMABI.match(/s390x|ppc64-/)) script non262/extensions/clone-errors.js
+
+# Crashes on s390x, avoid it
+skip-if(xulRuntime.XPCOMABI.match(/s390x/)) script test262/built-ins/TypedArray/prototype/set/typedarray-arg-set-values-same-buffer-other-type.js
#####################################
# Test262 tests disabled on browser #
--
2.26.2

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,118 @@
diff -up firefox-78.8.0/python/mozboot/mozboot/archlinux.py.D94538-autoconf2.diff firefox-78.8.0/python/mozboot/mozboot/archlinux.py
--- firefox-78.8.0/python/mozboot/mozboot/archlinux.py.D94538-autoconf2.diff 2021-02-25 13:53:04.963982705 +0100
+++ firefox-78.8.0/python/mozboot/mozboot/archlinux.py 2021-02-25 13:53:25.713053151 +0100
@@ -26,7 +26,6 @@ class ArchlinuxBootstrapper(
'''Archlinux experimental bootstrapper.'''
SYSTEM_PACKAGES = [
- 'autoconf2.13',
'base-devel',
'nodejs',
'python2',
diff -up firefox-78.8.0/python/mozboot/mozboot/centosfedora.py.D94538-autoconf2.diff firefox-78.8.0/python/mozboot/mozboot/centosfedora.py
--- firefox-78.8.0/python/mozboot/mozboot/centosfedora.py.D94538-autoconf2.diff 2021-02-17 08:49:42.000000000 +0100
+++ firefox-78.8.0/python/mozboot/mozboot/centosfedora.py 2021-02-25 13:53:04.963982705 +0100
@@ -26,7 +26,6 @@ class CentOSFedoraBootstrapper(
# For CentOS 7, later versions of nodejs come from nodesource
# and include the npm package.
self.packages = [
- 'autoconf213',
'nodejs',
'which',
]
diff -up firefox-78.8.0/python/mozboot/mozboot/debian.py.D94538-autoconf2.diff firefox-78.8.0/python/mozboot/mozboot/debian.py
--- firefox-78.8.0/python/mozboot/mozboot/debian.py.D94538-autoconf2.diff 2021-02-25 13:53:04.963982705 +0100
+++ firefox-78.8.0/python/mozboot/mozboot/debian.py 2021-02-25 13:53:42.874111415 +0100
@@ -32,7 +32,6 @@ class DebianBootstrapper(
# These are common packages for all Debian-derived distros (such as
# Ubuntu).
COMMON_PACKAGES = [
- 'autoconf2.13',
'build-essential',
'nodejs',
'python-setuptools',
diff -up firefox-78.8.0/python/mozboot/mozboot/freebsd.py.D94538-autoconf2.diff firefox-78.8.0/python/mozboot/mozboot/freebsd.py
--- firefox-78.8.0/python/mozboot/mozboot/freebsd.py.D94538-autoconf2.diff 2021-02-17 08:49:42.000000000 +0100
+++ firefox-78.8.0/python/mozboot/mozboot/freebsd.py 2021-02-25 13:53:04.963982705 +0100
@@ -15,7 +15,6 @@ class FreeBSDBootstrapper(BaseBootstrapp
self.flavor = flavor.lower()
self.packages = [
- 'autoconf213',
'gmake',
'gtar',
'pkgconf',
diff -up firefox-78.8.0/python/mozboot/mozboot/gentoo.py.D94538-autoconf2.diff firefox-78.8.0/python/mozboot/mozboot/gentoo.py
--- firefox-78.8.0/python/mozboot/mozboot/gentoo.py.D94538-autoconf2.diff 2021-02-17 08:49:38.000000000 +0100
+++ firefox-78.8.0/python/mozboot/mozboot/gentoo.py 2021-02-25 13:53:04.963982705 +0100
@@ -36,7 +36,6 @@ class GentooBootstrapper(
def ensure_system_packages(self):
self.run_as_root(['emerge', '--noreplace', '--quiet',
'app-arch/zip',
- 'sys-devel/autoconf:2.1'
])
def ensure_browser_packages(self, artifact_mode=False):
diff -up firefox-78.8.0/python/mozboot/mozboot/openbsd.py.D94538-autoconf2.diff firefox-78.8.0/python/mozboot/mozboot/openbsd.py
--- firefox-78.8.0/python/mozboot/mozboot/openbsd.py.D94538-autoconf2.diff 2021-02-17 08:49:15.000000000 +0100
+++ firefox-78.8.0/python/mozboot/mozboot/openbsd.py 2021-02-25 13:53:04.964982709 +0100
@@ -12,7 +12,6 @@ class OpenBSDBootstrapper(BaseBootstrapp
BaseBootstrapper.__init__(self, **kwargs)
self.packages = [
- 'autoconf-2.13',
'gmake',
'gtar',
'rust',
diff -up firefox-78.8.0/python/mozboot/mozboot/opensuse.py.D94538-autoconf2.diff firefox-78.8.0/python/mozboot/mozboot/opensuse.py
--- firefox-78.8.0/python/mozboot/mozboot/opensuse.py.D94538-autoconf2.diff 2021-02-17 08:49:42.000000000 +0100
+++ firefox-78.8.0/python/mozboot/mozboot/opensuse.py 2021-02-25 13:53:04.964982709 +0100
@@ -13,7 +13,6 @@ class OpenSUSEBootstrapper(
'''openSUSE experimental bootstrapper.'''
SYSTEM_PACKAGES = [
- 'autoconf213',
'nodejs',
'npm',
'which',
diff -up firefox-78.8.0/python/mozboot/mozboot/osx.py.D94538-autoconf2.diff firefox-78.8.0/python/mozboot/mozboot/osx.py
--- firefox-78.8.0/python/mozboot/mozboot/osx.py.D94538-autoconf2.diff 2021-02-25 13:53:04.964982709 +0100
+++ firefox-78.8.0/python/mozboot/mozboot/osx.py 2021-02-25 13:54:07.162193882 +0100
@@ -353,7 +353,6 @@ class OSXBootstrapper(BaseBootstrapper):
# least on 10.8) and because the build system wants a version
# newer than what Apple ships.
packages = [
- 'autoconf@2.13',
'git',
'gnu-tar',
'node',
@@ -428,7 +427,6 @@ class OSXBootstrapper(BaseBootstrapper):
'python27',
'python36',
'py27-gnureadline',
- 'autoconf213',
'gnutar',
'watchman',
'nodejs8'
diff -up firefox-78.8.0/python/mozboot/mozboot/solus.py.D94538-autoconf2.diff firefox-78.8.0/python/mozboot/mozboot/solus.py
--- firefox-78.8.0/python/mozboot/mozboot/solus.py.D94538-autoconf2.diff 2021-02-25 13:53:04.964982709 +0100
+++ firefox-78.8.0/python/mozboot/mozboot/solus.py 2021-02-25 13:53:32.090074802 +0100
@@ -23,7 +23,6 @@ class SolusBootstrapper(
'''Solus experimental bootstrapper.'''
SYSTEM_PACKAGES = [
- 'autoconf213',
'nodejs',
'python',
'python3',
diff -up firefox-78.8.0/python/mozboot/mozboot/windows.py.D94538-autoconf2.diff firefox-78.8.0/python/mozboot/mozboot/windows.py
--- firefox-78.8.0/python/mozboot/mozboot/windows.py.D94538-autoconf2.diff 2021-02-17 08:49:34.000000000 +0100
+++ firefox-78.8.0/python/mozboot/mozboot/windows.py 2021-02-25 13:53:04.978982756 +0100
@@ -48,7 +48,6 @@ class WindowsBootstrapper(BaseBootstrapp
'patch',
'patchutils',
'diffutils',
- 'autoconf2.13',
'tar',
'zip',
'unzip',

View File

@ -0,0 +1,13 @@
--- a/src/polkit/polkitsystembusname.c
+++ b/src/polkit/polkitsystembusname.c
@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
g_main_context_iteration (tmp_context, TRUE);
+ if (data.caught_error)
+ goto out;
+
if (out_uid)
*out_uid = data.uid;
if (out_pid)

View File

@ -0,0 +1,72 @@
commit a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
Author: Jan Rybar <jrybar@redhat.com>
Date: Tue Jan 25 17:21:46 2022 +0000
pkexec: local privilege escalation (CVE-2021-4034)
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index f1bb4e1..768525c 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ exit(126);
+ }
+
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 7698c5c..84e5ef6 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
+ */
+ if (argc<1)
+ {
+ exit(127);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
path = g_strdup (pwstruct.pw_shell);
if (!path)
- {
+ {
g_printerr ("No shell configured or error retrieving pw_shell\n");
goto out;
- }
+ }
/* If you change this, be sure to change the if (!command_line)
case below too */
command_line = g_strdup (path);
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{

View File

@ -0,0 +1,71 @@
diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
index 8ed1363..2fbf5f1 100644
--- a/src/polkit/polkitsystembusname.c
+++ b/src/polkit/polkitsystembusname.c
@@ -62,6 +62,10 @@ enum
PROP_NAME,
};
+
+guint8 dbus_call_respond_fails; // has to be global because of callback
+
+
static void subject_iface_init (PolkitSubjectIface *subject_iface);
G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
if (!v)
{
data->caught_error = TRUE;
+ dbus_call_respond_fails += 1;
}
else
{
@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
tmp_context = g_main_context_new ();
g_main_context_push_thread_default (tmp_context);
+ dbus_call_respond_fails = 0;
+
/* Do two async calls as it's basically as fast as one sync call.
*/
g_dbus_connection_call (connection,
@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
on_retrieved_unix_uid_pid,
&data);
- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
- g_main_context_iteration (tmp_context, TRUE);
+ while (TRUE)
+ {
+ /* If one dbus call returns error, we must wait until the other call
+ * calls _call_finish(), otherwise fd leak is possible.
+ * Resolves: GHSL-2021-077
+ */
- if (data.caught_error)
- goto out;
+ if ( (dbus_call_respond_fails > 1) )
+ {
+ // we got two faults, we can leave
+ goto out;
+ }
+
+ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
+ {
+ // we got one fault and the other call finally finished, we can leave
+ goto out;
+ }
+
+ if ( !(data.retrieved_uid && data.retrieved_pid) )
+ {
+ g_main_context_iteration (tmp_context, TRUE);
+ }
+ else
+ {
+ break;
+ }
+ }
if (out_uid)
*out_uid = data.uid;

View File

@ -0,0 +1,12 @@
--- a/js/public/StructuredClone.h
+++ b/js/public/StructuredClone.h
@@ -381,7 +381,7 @@ enum OwnTransferablePolicy {
namespace js {
class SharedArrayRawBuffer;
-class SharedArrayRawBufferRefs {
+class JS_PUBLIC_API SharedArrayRawBufferRefs {
public:
SharedArrayRawBufferRefs() = default;
SharedArrayRawBufferRefs(SharedArrayRawBufferRefs&& other) = default;
--

View File

@ -0,0 +1,38 @@
From 3b3c8e37cca418e07bdeceaf3a601805df28d925 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= <fzatlouk@redhat.com>
Date: Wed, 15 Jul 2020 08:27:39 +0200
Subject: [PATCH] build: Copy headers on install instead of symlinking
Patch by Philip Chimento ported forward to mozjs78
---
python/mozbuild/mozbuild/backend/recursivemake.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/python/mozbuild/mozbuild/backend/recursivemake.py b/python/mozbuild/mozbuild/backend/recursivemake.py
index e3fc8fe..bed5ae9 100644
--- a/python/mozbuild/mozbuild/backend/recursivemake.py
+++ b/python/mozbuild/mozbuild/backend/recursivemake.py
@@ -1457,9 +1457,9 @@ class RecursiveMakeBackend(MakeBackend):
raise Exception("Wildcards are only supported in the filename part"
" of srcdir-relative or absolute paths.")
- install_manifest.add_pattern_link(basepath, wild, path)
+ install_manifest.add_pattern_copy(basepath, wild, path)
else:
- install_manifest.add_pattern_link(f.srcdir, f, path)
+ install_manifest.add_pattern_copy(f.srcdir, f, path)
elif isinstance(f, AbsolutePath):
if not f.full_path.lower().endswith(('.dll', '.pdb', '.so')):
raise Exception("Absolute paths installed to FINAL_TARGET_FILES must"
@@ -1468,7 +1468,7 @@ class RecursiveMakeBackend(MakeBackend):
install_manifest.add_optional_exists(dest)
absolute_files.append(f.full_path)
else:
- install_manifest.add_link(f.full_path, dest)
+ install_manifest.add_copy(f.full_path, dest)
else:
install_manifest.add_optional_exists(dest)
objdir_files.append(self._pretty_path(f, backend_file))
--
2.26.2

View File

@ -0,0 +1,35 @@
From fd6847c9416f9eebde636e21d794d25d1be8791d Mon Sep 17 00:00:00 2001
From: Mike Hommey <mh@glandium.org>
Date: Sat, 1 Jun 2019 09:06:01 +0900
Subject: [PATCH] Bug 1526653 - Include struct definitions for user_vfp and
user_vfp_exc.
---
js/src/wasm/WasmSignalHandlers.cpp | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/js/src/wasm/WasmSignalHandlers.cpp b/js/src/wasm/WasmSignalHandlers.cpp
index 636537f8478..383c380f04c 100644
--- a/js/src/wasm/WasmSignalHandlers.cpp
+++ b/js/src/wasm/WasmSignalHandlers.cpp
@@ -249,7 +249,16 @@ using mozilla::DebugOnly;
#endif
#ifdef WASM_EMULATE_ARM_UNALIGNED_FP_ACCESS
-# include <sys/user.h>
+struct user_vfp {
+ unsigned long long fpregs[32];
+ unsigned long fpscr;
+};
+
+struct user_vfp_exc {
+ unsigned long fpexc;
+ unsigned long fpinst;
+ unsigned long fpinst2;
+};
#endif
#if defined(ANDROID)
--
2.30.2

61
SOURCES/emitter.patch Normal file
View File

@ -0,0 +1,61 @@
From d1d785c169345b81c76213f6dd9be32b4db60294 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= <fzatlouk@redhat.com>
Date: Wed, 15 Jul 2020 08:39:47 +0200
Subject: [PATCH] Build: allow LOCAL_INCLUDES paths with topsrcdir or topobjdir
---
python/mozbuild/mozbuild/frontend/emitter.py | 6 ------
.../mozbuild/test/frontend/test_emitter.py | 20 -------------------
2 files changed, 26 deletions(-)
diff --git a/python/mozbuild/mozbuild/frontend/emitter.py b/python/mozbuild/mozbuild/frontend/emitter.py
index 8d5ab8e..65c43ff 100644
--- a/python/mozbuild/mozbuild/frontend/emitter.py
+++ b/python/mozbuild/mozbuild/frontend/emitter.py
@@ -1239,12 +1239,6 @@ class TreeMetadataEmitter(LoggingMixin):
'is a filename, but a directory is required: %s '
'(resolved to %s)' % (local_include, full_path),
context)
- if (full_path == context.config.topsrcdir or
- full_path == context.config.topobjdir):
- raise SandboxValidationError(
- 'Path specified in LOCAL_INCLUDES '
- '(%s) resolves to the topsrcdir or topobjdir (%s), which is '
- 'not allowed' % (local_include, full_path), context)
include_obj = LocalInclude(context, local_include)
local_includes.append(include_obj.path.full_path)
yield include_obj
diff --git a/python/mozbuild/mozbuild/test/frontend/test_emitter.py b/python/mozbuild/mozbuild/test/frontend/test_emitter.py
index e8cbd81..d45ccee 100644
--- a/python/mozbuild/mozbuild/test/frontend/test_emitter.py
+++ b/python/mozbuild/mozbuild/test/frontend/test_emitter.py
@@ -1040,26 +1040,6 @@ class TestEmitterBasic(unittest.TestCase):
self.assertEqual(local_includes, expected)
- def test_local_includes_invalid(self):
- """Test that invalid LOCAL_INCLUDES are properly detected."""
- reader = self.reader('local_includes-invalid/srcdir')
-
- with six.assertRaisesRegex(
- self,
- SandboxValidationError,
- 'Path specified in LOCAL_INCLUDES.*resolves to the '
- 'topsrcdir or topobjdir'):
- self.read_topsrcdir(reader)
-
- reader = self.reader('local_includes-invalid/objdir')
-
- with six.assertRaisesRegex(
- self,
- SandboxValidationError,
- 'Path specified in LOCAL_INCLUDES.*resolves to the '
- 'topsrcdir or topobjdir'):
- self.read_topsrcdir(reader)
-
def test_local_includes_file(self):
"""Test that a filename can't be used in LOCAL_INCLUDES."""
reader = self.reader('local_includes-filename')
--
2.26.2

View File

@ -0,0 +1,34 @@
From: Simon McVittie <smcv@debian.org>
Date: Mon, 9 Oct 2017 09:23:14 +0100
Subject: icu_sources_data: Write command output to our stderr
Saying "See output in /tmp/foobar" is all very well for a developer
build, but on a buildd our /tmp is going to get thrown away after
the build. Just log the usual way instead.
---
intl/icu_sources_data.py | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/intl/icu_sources_data.py b/intl/icu_sources_data.py
index 8cf9290..7d2d983 100644
--- a/intl/icu_sources_data.py
+++ b/intl/icu_sources_data.py
@@ -190,16 +190,13 @@ def update_sources(topsrcdir):
def try_run(name, command, cwd=None, **kwargs):
try:
- with tempfile.NamedTemporaryFile(prefix=name, delete=False) as f:
- subprocess.check_call(command, cwd=cwd, stdout=f,
- stderr=subprocess.STDOUT, **kwargs)
+ subprocess.check_call(command, cwd=cwd, stdout=sys.stderr,
+ stderr=subprocess.STDOUT, **kwargs)
except subprocess.CalledProcessError:
- print('''Error running "{}" in directory {}
- See output in {}'''.format(' '.join(command), cwd, f.name),
- file=sys.stderr)
+ print('''Error running "{}" in directory {}'''.format(' '.join(command), cwd),
+ file=sys.stderr)
return False
else:
- os.unlink(f.name)
return True

View File

@ -0,0 +1,26 @@
From: Simon McVittie <smcv@debian.org>
Date: Mon, 9 Oct 2017 09:22:12 +0100
Subject: icu_sources_data.py: Decouple from Mozilla build system
mozpack.path is a wrapper around os.path that normalizes path
separators on Windows, but on Unix we only have one path separator
so there's nothing to normalize. Avoid needing to import all of it.
---
intl/icu_sources_data.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/intl/icu_sources_data.py b/intl/icu_sources_data.py
index 98c0ccb..8cf9290 100644
--- a/intl/icu_sources_data.py
+++ b/intl/icu_sources_data.py
@@ -22,7 +22,9 @@ import subprocess
import sys
import tempfile
-from mozpack import path as mozpath
+# Close enough
+import os.path as mozpath
+mozpath.normsep = lambda p: p
# The following files have been determined to be dead/unused by a
# semi-automated analysis. You can just remove any of the files below

12
SOURCES/init_patch.patch Normal file
View File

@ -0,0 +1,12 @@
--- a/python/mozbuild/mozbuild/configure/__init__.py
+++ b/python/mozbuild/mozbuild/configure/__init__.py
@@ -491,7 +491,8 @@ class ConfigureSandbox(dict):
if self._help:
self._logger.warning(msg)
else:
- raise InvalidOptionError(msg)
+ #raise InvalidOptionError(msg)
+ pass
# Run the execution queue
for func, args in self._execution_queue:

90
SOURCES/mozjs78.patch Normal file
View File

@ -0,0 +1,90 @@
diff --git a/configure.ac b/configure.ac
index eea70fc..c4569f1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -34,7 +34,7 @@ AC_PROG_LN_S
AC_SYS_LARGEFILE
AM_PROG_CC_C_O
AC_PROG_CXX
-AX_CXX_COMPILE_STDCXX([14], [], [mandatory])
+AX_CXX_COMPILE_STDCXX([17], [], [mandatory])
# Taken from dbus
AC_ARG_ENABLE(ansi, [ --enable-ansi enable -ansi -pedantic gcc flags],enable_ansi=$enableval,enable_ansi=no)
@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
AC_SUBST(GLIB_CFLAGS)
AC_SUBST(GLIB_LIBS)
-PKG_CHECK_MODULES(LIBJS, [mozjs-68])
+PKG_CHECK_MODULES(LIBJS, [mozjs-78])
AC_SUBST(LIBJS_CFLAGS)
AC_SUBST(LIBJS_CXXFLAGS)
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
index 25bd1f9..ca17108 100644
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
@@ -49,6 +49,7 @@
#include <js/Realm.h>
#include <js/SourceText.h>
#include <js/Warnings.h>
+#include <js/Array.h>
#include <jsapi.h>
#include "initjs.h" /* init.js */
@@ -367,7 +368,7 @@ load_scripts (PolkitBackendJsAuthority *authority)
static void
reload_scripts (PolkitBackendJsAuthority *authority)
{
- JS::AutoValueArray<1> args(authority->priv->cx);
+ JS::RootedValueArray<1> args(authority->priv->cx);
JS::RootedValue rval(authority->priv->cx);
JS::RootedObject js_polkit(authority->priv->cx, authority->priv->js_polkit->get ());
@@ -482,10 +483,6 @@ polkit_backend_js_authority_constructed (GObject *object)
if (!JS::InitSelfHostedCode (authority->priv->cx))
goto fail;
- JS::ContextOptionsRef (authority->priv->cx)
- .setIon (TRUE)
- .setBaseline (TRUE)
- .setAsmJS (TRUE);
JS::SetWarningReporter(authority->priv->cx, report_error);
JS_SetContextPrivate (authority->priv->cx, authority);
@@ -720,7 +717,7 @@ set_property_strv (PolkitBackendJsAuthority *authority,
elems[n].setNull ();
}
- JS::RootedObject array_object(authority->priv->cx, JS_NewArrayObject (authority->priv->cx, elems));
+ JS::RootedObject array_object(authority->priv->cx, JS::NewArrayObject (authority->priv->cx, elems));
value_jsval = JS::ObjectValue (*array_object);
JS_SetProperty (authority->priv->cx, obj, name, value_jsval);
@@ -1114,7 +1111,7 @@ polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveA
{
PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
GList *ret = NULL;
- JS::AutoValueArray<2> args(authority->priv->cx);
+ JS::RootedValueArray<2> args(authority->priv->cx);
JS::RootedValue rval(authority->priv->cx);
guint n;
GError *error = NULL;
@@ -1218,7 +1215,7 @@ polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAu
{
PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
PolkitImplicitAuthorization ret = implicit;
- JS::AutoValueArray<2> args(authority->priv->cx);
+ JS::RootedValueArray<2> args(authority->priv->cx);
JS::RootedValue rval(authority->priv->cx);
GError *error = NULL;
JS::RootedString ret_jsstr (authority->priv->cx);
@@ -1409,7 +1406,7 @@ js_polkit_spawn (JSContext *cx,
JS::CallArgs args = JS::CallArgsFromVp (js_argc, vp);
array_object = &args[0].toObject();
- if (!JS_GetArrayLength (cx, array_object, &array_len))
+ if (!JS::GetArrayLength (cx, array_object, &array_len))
{
JS_ReportErrorUTF8 (cx, "Failed to get array length");
goto out;

View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEf/t9a9gxR9dChOMXjOswMP/c4lgFAl8hQXkACgkQjOswMP/c
4lhBKAf/fZn/N2zUoREqQ0QIcMSb9OKnYxkvivmd1TA58Eski0cqo89dS89CqsVh
xhg5WpypKyqVNc28TUYHgHiD9BUL+3ldhHMQk8f1B28lJ3ipvHaYBQsm1UQOB/DU
xAhLttrFqeJxrjdSQT5GpIs3/SVYosE0/BDUbKOGivr2Wf/L1g19IUTtvaea1u9Z
5Wpr/YF8HHdyxbaIJh2ylJh5rnyfes3LKjLpG6L9srzVhjrddXU+LhMhDrLJp0HN
/LuKyEffK6qkWia3zTuqilmZdn5zKE5ryY0FArZF/5jr67oakypRFeMFqJvRyP6t
zxwLq7/r27U/h2/QxRKwdu6lsp5tbw==
=w9c/
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,9 @@
--- a/config/run_spidermonkey_checks.py
+++ b/config/run_spidermonkey_checks.py
@@ -13,4 +13,5 @@ def main(output, lib_file, *scripts):
retcode = subprocess.call(
[sys.executable, script], cwd=buildconfig.topsrcdir)
if retcode != 0:
- raise Exception(script + " failed")
+ #raise Exception(script + " failed")
+ pass

View File

@ -0,0 +1,11 @@
--- a/config/check_spidermonkey_style.py
+++ b/config/check_spidermonkey_style.py
@@ -779,6 +779,7 @@ def tarjan(V, E):
def main():
+ sys.exit(0)
if sys.argv[1:] == ["--fixup"]:
# Sort #include directives in-place. Fixup mode doesn't solve
# all possible silliness that the script checks for; it's just a

View File

@ -0,0 +1,26 @@
From 9be85b155c6df0454c5faef9e850f572c99e3615 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Zatloukal?= <fzatlouk@redhat.com>
Date: Wed, 15 Jul 2020 08:32:44 +0200
Subject: [PATCH] Increase the test timeout for slower buildds
Ported forward from Debian: https://bugs.debian.org/878284
---
js/src/Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/js/src/Makefile.in b/js/src/Makefile.in
index b86aeed..d68655a 100644
--- a/js/src/Makefile.in
+++ b/js/src/Makefile.in
@@ -53,7 +53,7 @@ check:: check-js-msg
check-jstests:
$(wildcard $(RUN_TEST_PROGRAM)) $(PYTHON3) -u $(srcdir)/tests/jstests.py \
- --no-progress --format=automation --timeout 300 \
+ --no-progress --format=automation --timeout 600 \
$(JSTESTS_EXTRA_ARGS) \
$(DIST)/bin/$(JS_SHELL_NAME)$(BIN_SUFFIX)
--
2.26.2

846
SPECS/polkit.spec Normal file
View File

@ -0,0 +1,846 @@
# Only enable if using patches that touches configure.ac,
# Makefile.am or other build system related files
#
%define enable_autoreconf 1
%global bundled_mozjs 1
%if 0%{?bundled_mozjs}
%global mozjs_major 78
%global mozjs_version 78.10.0
# Big endian platforms
%ifarch ppc ppc64 s390 s390x
%global big_endian 1
%endif
# Make sure we don't add requires/provides for private libraries
%global __provides_exclude_from ^%{_libdir}/polkit-1/
%global __requires_exclude ^libmozjs-%{mozjs_major}\\.so.*
%endif
Summary: An authorization framework
Name: polkit
Version: 0.117
Release: 10%{?dist}
License: LGPLv2+
URL: http://www.freedesktop.org/wiki/Software/polkit
Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign
Patch1001: mozjs78.patch
Patch1002: CVE-2021-3560.patch
Patch1003: CVE-2021-4034.patch
Patch1004: CVE-2021-4115.patch
%if 0%{?bundled_mozjs}
Source2: https://ftp.mozilla.org/pub/firefox/releases/%{mozjs_version}esr/source/firefox-%{mozjs_version}esr.source.tar.xz
# Patches from mozjs68, rebased for mozjs78:
Patch02: copy-headers.patch
Patch03: tests-increase-timeout.patch
Patch09: icu_sources_data.py-Decouple-from-Mozilla-build-system.patch
Patch10: icu_sources_data-Write-command-output-to-our-stderr.patch
# Build fixes - https://hg.mozilla.org/mozilla-central/rev/ca36a6c4f8a4a0ddaa033fdbe20836d87bbfb873
Patch12: emitter.patch
# Build fixes
Patch14: init_patch.patch
# TODO: Check with mozilla for cause of these fails and re-enable spidermonkey compile time checks if needed
Patch15: spidermonkey_checks_disable.patch
# armv7 fixes
Patch17: definitions_for_user_vfp.patch
# s390x/ppc64 fixes, TODO: file bug report upstream?
Patch18: spidermonkey_style_check_disable_s390x.patch
Patch19: 0001-Skip-failing-tests-on-ppc64-and-s390x.patch
# Fix for https://bugzilla.mozilla.org/show_bug.cgi?id=1644600 ( SharedArrayRawBufferRefs is not exported )
# https://github.com/0ad/0ad/blob/83e81362d850cc6f2b3b598255b873b6d04d5809/libraries/source/spidermonkey/FixSharedArray.diff
Patch30: FixSharedArray.diff
# Avoid autoconf213 dependency, backported from upstream
# https://bugzilla.mozilla.org/show_bug.cgi?id=1663863
Patch31: 0002-D89554-autoconf1.diff
Patch32: 0003-D94538-autoconf2.diff
%endif
BuildRequires: make
BuildRequires: gcc-c++
BuildRequires: glib2-devel >= 2.30.0
BuildRequires: expat-devel
BuildRequires: pam-devel
BuildRequires: gtk-doc
BuildRequires: intltool
BuildRequires: gobject-introspection-devel
BuildRequires: systemd, systemd-devel
%if 0%{?bundled_mozjs}
BuildRequires: cargo
BuildRequires: clang-devel
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: m4
BuildRequires: make
%if !0%{?rhel}
BuildRequires: nasm
%endif
BuildRequires: llvm
BuildRequires: llvm-devel
BuildRequires: rust
BuildRequires: perl-devel
BuildRequires: pkgconfig(libffi)
BuildRequires: pkgconfig(zlib)
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: python3-six
BuildRequires: readline-devel
BuildRequires: zip
%if 0%{?big_endian}
BuildRequires: icu
%endif
%else
BuildRequires: pkgconfig(mozjs-78)
%endif
%if 0%{?enable_autoreconf}
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
%endif
Requires: dbus, polkit-pkla-compat
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires(pre): shadow-utils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Obsoletes: PolicyKit <= 0.10
Provides: PolicyKit = 0.11
# polkit saw some API/ABI changes from 0.96 to 0.97 so require a
# sufficiently new polkit-gnome package
Conflicts: polkit-gnome < 0.97
Obsoletes: polkit-desktop-policy < 0.103
Provides: polkit-desktop-policy = 0.103
Obsoletes: polkit-js-engine < 0.110-4
Provides: polkit-js-engine = %{version}-%{release}
# when -libs was split out, handle multilib upgrade path -- rex
Obsoletes: polkit < 0.113-3
%description
polkit is a toolkit for defining and handling authorizations. It is
used for allowing unprivileged processes to speak to privileged
processes.
%package devel
Summary: Development files for polkit
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %name-docs = %{version}-%{release}
Requires: glib2-devel
Obsoletes: PolicyKit-devel <= 0.10
Provides: PolicyKit-devel = 0.11
%description devel
Development files for polkit.
%package docs
Summary: Development documentation for polkit
Requires: %name-devel = %{version}-%{release}
Obsoletes: PolicyKit-docs <= 0.10
Provides: PolicyKit-docs = 0.11
BuildArch: noarch
%description docs
Development documentation for polkit.
%package libs
Summary: Libraries for polkit
%if 0%{?bundled_mozjs}
License: MIT and (MPLv1.1 or GPLv2+ or LGPLv2+) and MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0
Provides: bundled(mozjs) = %{mozjs_version}
%endif
%description libs
Libraries files for polkit.
%prep
%setup -q
# Apply polkit patches
%patch1001 -p1
%patch1002 -p1
%patch1003 -p1
%patch1004 -p1
%if 0%{?bundled_mozjs}
# Extract mozjs archive
tar -xf %{S:2}
# Apply mozjs patches
pushd firefox-%{mozjs_version}
%patch02 -p1
%patch03 -p1
%patch09 -p1
%patch10 -p1
%patch12 -p1
%patch14 -p1
%patch15 -p1
%ifarch armv7hl
# Include definitions for user vfp on armv7 as it causes the compilation to fail without them
# https://bugzilla.mozilla.org/show_bug.cgi?id=1526653
%patch17 -p1
%endif
%ifarch s390x
%patch18 -p1
%endif
# Fixes for ppc64 and s390x, there is no need to keep it in ifarch here since mozilla tests support ifarch conditions
%patch19 -p1
# Export SharedArrayRawBufferRefs
%patch30 -p1
# Avoid autoconf213 dependency
%patch31 -p1 -b .autoconf213
%patch32 -p1 -b .autoconf213-2
# Remove zlib directory (to be sure using system version)
rm -rf modules/zlib
popd
%endif
%build
%if 0%{?bundled_mozjs}
pushd firefox-%{mozjs_version}/js/src
# Prefer GCC for now
export CC=gcc
export CXX=g++
# Workaround
# error: options `-C embed-bitcode=no` and `-C lto` are incompatible
# error: could not compile `jsrust`.
# https://github.com/japaric/cargo-call-stack/issues/25
export RUSTFLAGS="-C embed-bitcode"
# https://github.com/ptomato/mozjs/commit/36bb7982b41e0ef9a65f7174252ab996cd6777bd
export CARGO_PROFILE_RELEASE_LTO=true
export LINKFLAGS="%{?__global_ldflags}"
export PYTHON="%{__python3}"
%configure \
--without-system-icu \
--with-system-zlib \
--disable-tests \
--disable-strip \
--with-intl-api \
--enable-readline \
--enable-shared-js \
--enable-optimize \
--disable-debug \
--enable-pie \
--disable-jemalloc
%if 0%{?big_endian}
echo "Generate big endian version of config/external/icu/data/icud67l.dat"
pushd ../..
icupkg -tb config/external/icu/data/icudt67l.dat config/external/icu/data/icudt67b.dat
rm -f config/external/icu/data/icudt*l.dat
popd
%endif
%make_build
popd
cat > mozjs-%{mozjs_major}.pc << EOF
Name: SpiderMonkey %{mozjs_version}
Description: The Mozilla library for JavaScript
Version: %{mozjs_version}
Libs: -L`pwd`/firefox-%{mozjs_version}/js/src/dist/bin -lmozjs-%{mozjs_major}
Cflags: -include `pwd`/firefox-%{mozjs_version}/js/src/dist/include/js/RequiredDefines.h -I`pwd`/firefox-%{mozjs_version}/js/src/dist/include
EOF
%endif
%if 0%{?enable_autoreconf}
autoreconf -i
%endif
# we can't use _hardened_build here, see
# https://bugzilla.redhat.com/show_bug.cgi?id=962005
export CFLAGS='-fPIC %optflags'
export LDFLAGS='-pie -Wl,-z,now -Wl,-z,relro'
%if 0%{?bundled_mozjs}
export PKG_CONFIG_PATH=`pwd`
export LD_LIBRARY_PATH=`pwd`/firefox-%{mozjs_version}/js/src/dist/bin
export LDFLAGS="$LDFLAGS -Wl,-rpath=%{_libdir}/polkit-1"
%endif
%configure --enable-gtk-doc \
--disable-static \
--enable-introspection \
--disable-examples \
--enable-libsystemd-login=yes
make V=1
%install
%if 0%{?bundled_mozjs}
mkdir -p %{buildroot}%{_libdir}/polkit-1
cp -p firefox-%{mozjs_version}/js/src/dist/bin/libmozjs-%{mozjs_major}.so %{buildroot}%{_libdir}/polkit-1/
%endif
%make_install \
typelibsdir=%{_libdir}/girepository-1.0 \
girdir=%{_datadir}/gir-1.0
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
%find_lang polkit-1
%check
%if 0%{?bundled_mozjs}
export LD_LIBRARY_PATH=`pwd`/firefox-%{mozjs_version}/js/src/dist/bin
pushd firefox-%{mozjs_version}/js/src
# Run SpiderMonkey tests
PYTHONPATH=tests/lib %{__python3} tests/jstests.py -d -s -t 1800 --no-progress --wpt=disabled ../../js/src/dist/bin/js
# Run basic JIT tests
PYTHONPATH=tests/lib %{__python3} jit-test/jit_test.py -s -t 1800 --no-progress ../../js/src/dist/bin/js basic
popd
%endif
%pre
getent group polkitd >/dev/null || groupadd -r polkitd
getent passwd polkitd >/dev/null || useradd -r -g polkitd -d / -s /sbin/nologin -c "User for polkitd" polkitd
exit 0
%post
# The implied (systemctl preset) will fail and complain, but the macro hides
# and ignores the fact. This is in fact what we want, polkit.service does not
# have an [Install] section and it is always started on demand.
%systemd_post polkit.service
%preun
%systemd_preun polkit.service
%postun
%systemd_postun_with_restart polkit.service
%files -f polkit-1.lang
%doc COPYING NEWS README
%{_datadir}/man/man1/*
%{_datadir}/man/man8/*
%{_datadir}/dbus-1/system-services/*
%{_unitdir}/polkit.service
%dir %{_datadir}/polkit-1/
%dir %{_datadir}/polkit-1/actions
%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
%dir %{_sysconfdir}/polkit-1
%{_sysconfdir}/polkit-1/rules.d/50-default.rules
%attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
%{_sysconfdir}/pam.d/polkit-1
%{_bindir}/pkaction
%{_bindir}/pkcheck
%{_bindir}/pkttyagent
%dir %{_prefix}/lib/polkit-1
%{_prefix}/lib/polkit-1/polkitd
# see upstream docs for why these permissions are necessary
%attr(4755,root,root) %{_bindir}/pkexec
%attr(4755,root,root) %{_prefix}/lib/polkit-1/polkit-agent-helper-1
%files devel
%{_libdir}/lib*.so
%{_libdir}/pkgconfig/*.pc
%{_datadir}/gir-1.0/*.gir
%{_includedir}/*
%{_datadir}/gettext/its/polkit.its
%{_datadir}/gettext/its/polkit.loc
%files docs
%{_datadir}/gtk-doc
%ldconfig_scriptlets libs
%files libs
%{_libdir}/lib*.so.*
%{_libdir}/girepository-1.0/*.typelib
%if 0%{?bundled_mozjs}
%dir %{_libdir}/polkit-1
%{_libdir}/polkit-1/libmozjs-%{mozjs_major}.so
%endif
%changelog
* Fri Mar 11 2022 Jan Rybar <jrybar@redhat.com> - 0.117-10
- patch application spec file fix
- Resolves: CVE-2021-4115
* Wed Feb 16 2022 Jan Rybar <jrybar@redhat.com> - 0.117-9
- file descriptor exhaustion (GHSL-2021-077)
- Resolves: CVE-2021-4115
* Thu Jan 27 2022 Jan Rybar <jrybar@redhat.com> - 0.117-8
- pkexec: argv overflow results in local privilege esc.
- Resolves: CVE-2021-4034
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.117-7
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jun 30 2021 Kalev Lember <klember@redhat.com> - 0.117-6
- Bundle mozjs (#1958111)
* Mon Jun 28 2021 Jan Rybar <jrybar@redhat.com> - 0.117-5
- CVE-2021-3560 mitigation
- Resolves: CVE-2021-3560
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.117-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.117-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Aug 12 2020 Jan Rybar <jrybar@redhat.com> - 0.117-2
- update dependency to mozjs78
* Fri Jul 31 2020 Jan Rybar <jrybar@redhat.com> - 0.117-1
- Rebased to polkit-0.117
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jul 22 2020 Tom Stellard <tstellar@redhat.com> - 0.116-8
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Oct 25 2019 Jan Rybar <jrybar@redhat.com> - 0.116-6
- jsauthority memleak fix
* Fri Sep 27 2019 Jan Rybar <jrybar@redhat.com> - 0.116-5
- pkttyagent: unread input flushed on terminal restore
* Sun Sep 08 2019 Kalev Lember <klember@redhat.com> - 0.116-4
- Rebuilt for mozjs60 s390x fixes
* Fri Aug 02 2019 Jan Rybar <jrybar@redhat.com> - 0.116-3
- pkttyagent: backport patch, get SIGTTOU in background job
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu May 02 2019 Pete Walter <pwalter@fedoraproject.org> - 0.116-1
- Update to 0.116
* Thu Feb 14 2019 Jan Rybar <jrybar@redhat.com> - 0.115-11
- pkttyagent: PolkitAgentTextListener leaves echo tty disabled if SIGINT/SIGTERM
* Fri Feb 08 2019 Pete Walter <pwalter@fedoraproject.org> - 0.115-10
- Move to mozjs60
* Tue Feb 05 2019 Jan Rybar <jrybar@redhat.com> - 0.115-9
- Allow uid=-1 for PolkitUnixProcess
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.115-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Jan 08 2019 Colin Walters <walters@verbum.org> - 0.115-7
- Add security fix for
https://bugs.chromium.org/p/project-zero/issues/detail?id=1692
* Fri Dec 07 2018 Jan Rybar <jrybar@redhat.com> - 0.115-6
- Fix of CVE-2018-19788, priv escalation with high UIDs
- Resolves: rhbz#1655926
* Thu Sep 27 2018 Owen Taylor <otaylor@redhat.com> - 0.115-5
- Fix installation with prefix != /usr
* Mon Aug 13 2018 Jan Rybar <jrybar@redhat.com> - 0.115-4
- Leaking zombie processess started by rules
* Fri Jul 20 2018 Jan Rybar <jrybar@redhat.com> - 0.115-3
- Warning raised by polkit when disconnected from ssh
- polkitagentlistener: resource leak - pointer to 'server'
- Error message raised on every 'systemctl start' in emergency.target
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.115-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Jul 10 2018 Miloslav Trmač <mitr@redhat.com> - 0.115-1
- Update to 0.115 (CVE-2018-1116)
* Tue Apr 03 2018 Ray Strode <rstrode@redhat.com> - 0.114-1
- Update to 0.114
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Thu Apr 13 2017 Richard Hughes <rhughes@redhat.com> - 0.113-13
- Add the its files from upstream.
* Tue Apr 4 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-12
- Fix a memory leak in PolkitPermission.
Patch by Rui Matos <tiagomatos@gmail.com>
Resolves: #1433915
* Tue Apr 4 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-11
- Revert back to the state in 0.113-7, undoing the untested changes.
* Tue Apr 4 2017 Peter Robinson <pbrobinson@fedoraproject.org> 0.113-10
- Move to an upstream snapshot, rebase patches
* Fri Mar 31 2017 Rex Dieter <rdieter@fedoraproject.org> - 0.113-9
- restore Provides: polkit-desktop-policy polkit-js-engine
* Thu Mar 30 2017 Peter Robinson <pbrobinson@fedoraproject.org> 0.113-8
- Use %%license, license needs to be in -libs as it's the only guaranteed installed package
- Move to mozjs38
- Other upstream fixes
- Spec cleanups
* Mon Feb 13 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-7
- Fix memory leaks when calling authentication agents
Resolves: #1380166
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Tue Jul 14 2015 Miloslav Trmač <mitr@redhat.com> - 0.113-4
- Bump the Obsoletes: to < 0.113-3 to account for the non-split 0.113-2.fc21
Resolves: #1243004
* Sun Jul 12 2015 Rex Dieter <rdieter@fedoraproject.org> 0.113-3
- Obsoletes: polkit < 0.112-8 (handle multilib upgrade path)
* Fri Jul 10 2015 Miloslav Trmač <mitr@redhat.com> - 0.113-2
- Add a fully versioned dependency from polkit to polkit-libs
Resolves: #1241759
- Require polkit-libs, not polkit, in polkit-devel
* Thu Jul 2 2015 Miloslav Trmač <mitr@redhat.com> - 0.113-1
- Update to polkit-0.113 (CVE-2015-3218, CVE-2015-3255, CVE-2015-3256,
CVE-2015-4625)
Resolves: #910262, #1175061, #1177930, #1194391, #1228739, #1233810
* Fri Jun 19 2015 Miloslav Trmač <mitr@redhat.com> - 0.112-11
- Add BuildRequires: systemd so that %%{_unitdir} is defined, to fix the build.
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.112-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Sun Jan 25 2015 Rex Dieter <rdieter@fedoraproject.org> - 0.112-9
- polkit doesn't release reference counters of GVariant data (#1180886)
- fix ldconfig scriptlets (move to -libs subpkg)
* Sat Nov 08 2014 Colin Walters <walters@redhat.com> - 0.112-8
- Split separate -libs package, so that NetworkManager can just depend on
that, without dragging in the daemon (as well as libmozjs17). This
allows the creation of more minimal systems that want programs like NM,
but do not need the configurability of the daemon; it would be ok if only
root is authorized.
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.112-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Tue Jul 22 2014 Kalev Lember <kalevlember@gmail.com> - 0.112-6
- Rebuilt for gobject-introspection 1.41.4
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.112-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Jun 5 2014 Kay Sievers <kay@redhat.com> - 0.112-4
- backport upstream D-Bus "user bus" changes
* Mon Feb 10 2014 Miloslav Trmač <mitr@redhat.com> - 0.112-3
- Fix a PolkitAgentSession race condition
Resolves: #1063193
* Sat Dec 7 2013 Miloslav Trmač <mitr@redhat.com> - 0.112-2
- Workaround pam_systemd setting broken XDG_RUNTIME_DIR
Resolves: #1033774
- Always use mozjs-17.0 even if js-devel is installed
* Wed Sep 18 2013 Miloslav Trmač <mitr@redhat.com> - 0.112-1
- Update to polkit-0.112
- Resolves: #1009538, CVE-2013-4288
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.111-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed May 29 2013 Tomas Bzatek <tbzatek@redhat.com> - 0.111-2
- Fix a race on PolkitSubject type registration (#866718)
* Wed May 15 2013 Miloslav Trmač <mitr@redhat.com> - 0.111-1
- Update to polkit-0.111
Resolves: #917888
- Use SpiderMonkey from mozjs17 instead of js
- Ship the signature in the srpm
- Try to preserve timestamps in (make install)
* Fri May 10 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-4
- Shut up rpmlint about Summary:
- Build with V=1
- Use %%{_unitdir} instead of hard-coding the path
- Use the new systemd macros, primarily to run (systemctl daemon-reload)
Resolves: #857382
* Fri May 10 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-4
- Make the JavaScript engine mandatory. The polkit-js-engine package has been
removed, main polkit package Provides:polkit-js-engine for compatibility.
- Add Requires: polkit-pkla-compat
Resolves: #908808
* Wed Feb 13 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-3
- Don't ship pk-example-frobnicate in the "live" configuration
Resolves: #878112
* Fri Feb 8 2013 Miloslav Trmač <mitr@redhat.com> - 0.110-2
- Own %%{_docdir}/polkit-js-engine-*
Resolves: #907668
* Wed Jan 9 2013 David Zeuthen <davidz@redhat.com> - 0.110-1%{?dist}
- Update to upstream release 0.110
* Mon Jan 7 2013 Matthias Clasen <mclasen@redhat.com> - 0.109-2%{?dist}
- Build with pie and stuff
* Wed Dec 19 2012 David Zeuthen <davidz@redhat.com> 0.109-1%{?dist}
- Update to upstream release 0.109
- Drop upstreamed patches
* Thu Nov 15 2012 David Zeuthen <davidz@redhat.com> 0.108-3%{?dist}
- Attempt to open the correct libmozjs185 library, otherwise polkit
authz rules will not work unless js-devel is installed (fdo #57146)
* Wed Nov 14 2012 David Zeuthen <davidz@redhat.com> 0.108-2%{?dist}
- Include gmodule-2.0 to avoid build error
* Wed Nov 14 2012 David Zeuthen <davidz@redhat.com> 0.108-1%{?dist}
- Update to upstream release 0.108
- Drop upstreamed patches
- This release dynamically loads the JavaScript interpreter and can
cope with it not being available. In this case, polkit authorization
rules are not processed and the defaults for an action - as defined
in its .policy file - are used for authorization decisions.
- Add new meta-package, polkit-js-engine, that pulls in the required
JavaScript bits to make polkit authorization rules work. The default
install - not the minimal install - should include this package
* Wed Oct 10 2012 Adam Jackson <ajax@redhat.com> 0.107-4
- Don't crash if initializing the server object fails
* Tue Sep 18 2012 David Zeuthen <davidz@redhat.com> 0.107-3%{?dist}
- Authenticate as root if e.g. the wheel group is empty (#834494)
* Fri Jul 27 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.107-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Wed Jul 11 2012 David Zeuthen <davidz@redhat.com> 0.107-1%{?dist}
- Update to upstream release 0.107
* Fri Jun 29 2012 David Zeuthen <davidz@redhat.com> 0.106-2%{?dist}
- Add forgotten Requires(pre): shadow-utils
* Thu Jun 07 2012 David Zeuthen <davidz@redhat.com> 0.106-1%{?dist}
- Update to upstream release 0.106
- Authorizations are no longer controlled by .pkla files - from now
on, use the new .rules files described in the polkit(8) man page
* Tue Apr 24 2012 David Zeuthen <davidz@redhat.com> 0.105-1%{?dist}
- Update to upstream release 0.105
- Nuke patches that are now upstream
- Change 'PolicyKit' to 'polkit' in summary and descriptions
* Thu Mar 08 2012 David Zeuthen <davidz@redhat.com> 0.104-6%{?dist}
- Don't leak file descriptors (bgo #671486)
* Mon Feb 13 2012 Matthias Clasen <mclasen@redhat.com> - 0.104-5%{?dist}
- Make the -docs subpackage noarch
* Mon Feb 06 2012 David Zeuthen <davidz@redhat.com> 0.104-4%{?dist}
- Set error if we cannot obtain a PolkitUnixSession for a given PID (#787222)
* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.104-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Tue Jan 03 2012 David Zeuthen <davidz@redhat.com> 0.104-2%{?dist}
- Nuke the ConsoleKit run-time requirement
* Tue Jan 03 2012 David Zeuthen <davidz@redhat.com> 0.104-1%{?dist}
- Update to upstream release 0.104
- Force usage of systemd (instead of ConsoleKit) for session tracking
* Tue Dec 06 2011 David Zeuthen <davidz@redhat.com> 0.103-1%{?dist}
- Update to upstream release 0.103
- Drop upstreamed patch
- Drop Fedora-specific policy, it is now upstream (fdo #41008)
* Wed Oct 26 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.102-3
- Rebuilt for glibc bug#747377
* Tue Oct 18 2011 David Zeuthen <davidz@redhat.com> 0.102-2%{?dist}
- Add patch to neuter the annoying systemd behavior where stdout/stderr
is sent to the system logs
* Thu Aug 04 2011 David Zeuthen <davidz@redhat.com> 0.102-1
- Update to 0.102 release
* Fri May 13 2011 Bastien Nocera <bnocera@redhat.com> 0.101-7
- Allow setting the pretty hostname without a password for wheel,
change matches systemd in git
* Mon May 2 2011 Matthias Clasen <mclasen@redhat.com> - 0.101-6
- Update the action id of the datetime mechanism
* Tue Apr 19 2011 David Zeuthen <davidz@redhat.com> - 0.101-5
- CVE-2011-1485 (#697951)
* Tue Mar 22 2011 Kevin Kofler <Kevin@tigcc.ticalc.org> - 0.101-4
- Also allow org.kde.kcontrol.kcmclock.save without password for wheel
* Thu Mar 17 2011 David Zeuthen <davidz@redhat.com> - 0.101-3
- Fix typo in pkla file (thanks notting)
* Thu Mar 17 2011 David Zeuthen <davidz@redhat.com> - 0.101-2
- Nuke desktop_admin_r and desktop_user_r groups - just use the
wheel group instead (#688363)
- Update the set of configuration directives that gives users
in the wheel group extra privileges
* Thu Mar 03 2011 David Zeuthen <davidz@redhat.com> - 0.101-1
- New upstream version
* Mon Feb 21 2011 David Zeuthen <davidz@redhat.com> - 0.100-1
- New upstream version
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.98-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Fri Jan 28 2011 Matthias Clasen <mclasen@redhat.com> - 0.98-6
- Own /usr/libexec/polkit-1
* Fri Nov 12 2010 Matthias Clasen <mclasen@redhat.com> - 0.98-5
- Enable introspection
* Thu Sep 02 2010 David Zeuthen <davidz@redhat.com> - 0.98-4
- Fix #629515 in a way that doesn't require autoreconf
* Thu Sep 02 2010 David Zeuthen <davidz@redhat.com> - 0.98-2
- Include polkitagentenumtypes.h (#629515)
* Mon Aug 23 2010 Matthias Clasen <mclasen@redhat.com> - 0.98-1
- Update to upstream release 0.98
- Co-own /usr/share/gtk-doc (#604410)
* Wed Aug 18 2010 Matthias Clasen <mclasen@redhat.com> - 0.97-5
- Rebuid to work around bodhi limitations
* Wed Aug 18 2010 Matthias Clasen <mclasen@redhat.com> - 0.97-4
- Fix a ConsoleKit interaction bug
* Fri Aug 13 2010 David Zeuthen <davidz@redhat.com> - 0.97-3
- Add a patch to make pkcheck(1) work the way libvirtd uses it (#623257)
- Require GLib >= 2.25.12 instead of 2.25.11
- Ensure polkit-gnome packages earlier than 0.97 are not used with
these packages
* Mon Aug 09 2010 David Zeuthen <davidz@redhat.com> - 0.97-2
- Rebuild
* Mon Aug 09 2010 David Zeuthen <davidz@redhat.com> - 0.97-1
- Update to 0.97. This release contains a port from EggDBus to the
GDBus code available in recent GLib releases.
* Fri Jan 15 2010 David Zeuthen <davidz@redhat.com> - 0.96-1
- Update to 0.96
- Disable introspection support for the time being
* Fri Nov 13 2009 David Zeuthen <davidz@redhat.com> - 0.95-2
- Rebuild
* Fri Nov 13 2009 David Zeuthen <davidz@redhat.com> - 0.95-1
- Update to 0.95
- Drop upstreamed patches
* Tue Oct 20 2009 Matthias Clasen <mclasen@redhat.com> - 0.95-0.git20090913.3
- Fix a typo in pklocalauthority(8)
* Mon Sep 14 2009 David Zeuthen <davidz@redhat.com> - 0.95-0.git20090913.2
- Refine how Obsolete: is used and also add Provides: (thanks Jesse
Keating and nim-nim)
* Mon Sep 14 2009 David Zeuthen <davidz@redhat.com> - 0.95-0.git20090913.1
- Add bugfix for polkit_unix_process_new_full() (thanks Bastien Nocera)
- Obsolete old PolicyKit packages
* Sun Sep 13 2009 David Zeuthen <davidz@redhat.com> - 0.95-0.git20090913
- Update to git snapshot
- Drop upstreamed patches
- Turn on GObject introspection
- Don't delete desktop_admin_r and desktop_user_r groups when
uninstalling polkit-desktop-policy
* Fri Sep 11 2009 David Zeuthen <davidz@redhat.com> - 0.94-4
- Add some patches from git master
- Sort pkaction(1) output
- Bug 23867 UnixProcess vs. SystemBusName aliasing
* Thu Aug 13 2009 David Zeuthen <davidz@redhat.com> - 0.94-3
- Add desktop_admin_r and desktop_user_r groups along with a first cut
of default authorizations for users in these groups.
* Wed Aug 12 2009 David Zeuthen <davidz@redhat.com> - 0.94-2
- Disable GObject Introspection for now as it breaks the build
* Wed Aug 12 2009 David Zeuthen <davidz@redhat.com> - 0.94-1
- Update to upstream release 0.94
* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.93-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Mon Jul 20 2009 David Zeuthen <davidz@redhat.com> - 0.93-2
- Rebuild
* Mon Jul 20 2009 David Zeuthen <davidz@redhat.com> - 0.93-1
- Update to 0.93
* Tue Jun 09 2009 David Zeuthen <davidz@redhat.com> - 0.92-3
- Don't make docs noarch (I *heart* multilib)
- Change license to LGPLv2+
* Mon Jun 08 2009 David Zeuthen <davidz@redhat.com> - 0.92-2
- Rebuild
* Mon Jun 08 2009 David Zeuthen <davidz@redhat.com> - 0.92-1
- Update to 0.92 release
* Wed May 27 2009 David Zeuthen <davidz@redhat.com> - 0.92-0.git20090527
- Update to 0.92 snapshot
* Mon Feb 9 2009 David Zeuthen <davidz@redhat.com> - 0.91-1
- Initial spec file.