From eb72947750f21f50536be5c638a3caa5183503b6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 1 Mar 2022 08:13:50 -0500 Subject: [PATCH] import polkit-0.117-8.el9 --- SOURCES/CVE-2021-4034.patch | 72 +++++++++++++++++++++++++++++++++++++ SPECS/polkit.spec | 8 ++++- 2 files changed, 79 insertions(+), 1 deletion(-) create mode 100644 SOURCES/CVE-2021-4034.patch diff --git a/SOURCES/CVE-2021-4034.patch b/SOURCES/CVE-2021-4034.patch new file mode 100644 index 0000000..652a81a --- /dev/null +++ b/SOURCES/CVE-2021-4034.patch @@ -0,0 +1,72 @@ +commit a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 +Author: Jan Rybar +Date: Tue Jan 25 17:21:46 2022 +0000 + + pkexec: local privilege escalation (CVE-2021-4034) + +diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c +index f1bb4e1..768525c 100644 +--- a/src/programs/pkcheck.c ++++ b/src/programs/pkcheck.c +@@ -363,6 +363,11 @@ main (int argc, char *argv[]) + local_agent_handle = NULL; + ret = 126; + ++ if (argc < 1) ++ { ++ exit(126); ++ } ++ + /* Disable remote file access from GIO. */ + setenv ("GIO_USE_VFS", "local", 1); + +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 7698c5c..84e5ef6 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -488,6 +488,15 @@ main (int argc, char *argv[]) + pid_t pid_of_caller; + gpointer local_agent_handle; + ++ ++ /* ++ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out. ++ */ ++ if (argc<1) ++ { ++ exit(127); ++ } ++ + ret = 127; + authority = NULL; + subject = NULL; +@@ -614,10 +623,10 @@ main (int argc, char *argv[]) + + path = g_strdup (pwstruct.pw_shell); + if (!path) +- { ++ { + g_printerr ("No shell configured or error retrieving pw_shell\n"); + goto out; +- } ++ } + /* If you change this, be sure to change the if (!command_line) + case below too */ + command_line = g_strdup (path); +@@ -636,7 +645,15 @@ main (int argc, char *argv[]) + goto out; + } + g_free (path); +- argv[n] = path = s; ++ path = s; ++ ++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. ++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination ++ */ ++ if (argv[n] != NULL) ++ { ++ argv[n] = path; ++ } + } + if (access (path, F_OK) != 0) + { diff --git a/SPECS/polkit.spec b/SPECS/polkit.spec index 4959e03..bec3c68 100644 --- a/SPECS/polkit.spec +++ b/SPECS/polkit.spec @@ -22,7 +22,7 @@ Summary: An authorization framework Name: polkit Version: 0.117 -Release: 7%{?dist} +Release: 8%{?dist} License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/polkit Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz @@ -30,6 +30,7 @@ Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}. Patch1001: mozjs78.patch Patch1002: CVE-2021-3560.patch +Patch1003: CVE-2021-4034.patch %if 0%{?bundled_mozjs} Source2: https://ftp.mozilla.org/pub/firefox/releases/%{mozjs_version}esr/source/firefox-%{mozjs_version}esr.source.tar.xz @@ -175,6 +176,7 @@ Libraries files for polkit. # Apply polkit patches %patch1001 -p1 %patch1002 -p1 +%patch1003 -p1 %if 0%{?bundled_mozjs} # Extract mozjs archive @@ -381,6 +383,10 @@ exit 0 %endif %changelog +* Thu Jan 27 2022 Jan Rybar - 0.117-8 +- pkexec: argv overflow results in local privilege esc. +- Resolves: CVE-2021-4034 + * Tue Aug 10 2021 Mohan Boddu - 0.117-7 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688