rpms/rtkit
7
0
Fork 0
Code Issues Pull Requests Releases Activity

CVE-2013-4326

Browse Source 
Resolves: #1009543
This commit is contained in:
Colin Walters 2013-09-23 17:34:55 -04:00
parent 718384f3e0
commit 77a6f58173
2 changed files with 55 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
0001-SECURITY-Pass-uid-of-caller-to-polkit.patch Normal file
View File

@ -0,0 +1,48 @@
From f44c5776b25ca2abd7569fb8532c6aede9b0c6b0 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Thu, 22 Aug 2013 16:05:22 -0400
Subject: [PATCH] [SECURITY] Pass uid of caller to polkit
Otherwise, we force polkit to look up the uid itself in /proc, which
is racy if they execve() a setuid binary.
---
rtkit-daemon.c | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/rtkit-daemon.c b/rtkit-daemon.c
index 2ebe673..3ecc1f7 100644
--- a/rtkit-daemon.c
+++ b/rtkit-daemon.c
@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
DBusMessage *m = NULL, *r = NULL;
const char *unix_process = "unix-process";
const char *pid = "pid";
+ const char *uid = "uid";
const char *start_time = "start-time";
const char *cancel_id = "";
uint32_t flags = 0;
uint32_t pid_u32 = p->pid;
- uint64_t start_time_u64 = p->starttime;
+ uint32_t uid_u32 = (uint32_t)u->uid;
DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
+ uint64_t start_time_u64 = p->starttime;
int ret;
dbus_bool_t authorized = FALSE;
@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
+ assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict));
+ assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid));
+ assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant));
+ assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32));
+ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
+ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
+
assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array));
assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));
--
1.7.1

8
rtkit.spec
View File

@ -1,6 +1,6 @@
Name: rtkit Name: rtkit
Version: 0.11 Version: 0.11
Release: 6%{?dist} Release: 7%{?dist}
Summary: Realtime Policy and Watchdog Daemon Summary: Realtime Policy and Watchdog Daemon
Group: System Environment/Base Group: System Environment/Base
# The daemon itself is GPLv3+, the reference implementation for the client BSD # The daemon itself is GPLv3+, the reference implementation for the client BSD
@ -17,6 +17,7 @@ BuildRequires: polkit-devel
BuildRequires: autoconf automake libtool BuildRequires: autoconf automake libtool
Source0: http://0pointer.de/public/%{name}-%{version}.tar.xz Source0: http://0pointer.de/public/%{name}-%{version}.tar.xz
Patch1: 0001-build-Link-against-lrt.patch Patch1: 0001-build-Link-against-lrt.patch
Patch2: 0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
%description %description
RealtimeKit is a D-Bus system service that changes the RealtimeKit is a D-Bus system service that changes the
@ -28,6 +29,7 @@ processes.
%prep %prep
%setup -q %setup -q
%patch1 -p1 %patch1 -p1
%patch2 -p1
%build %build
autoreconf -fvi autoreconf -fvi
@ -77,6 +79,10 @@ dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesk
%{_mandir}/man8/* %{_mandir}/man8/*
%changelog %changelog
* Mon Sep 23 2013 Colin Walters <walters@verbum.org> - 0.11-7
- CVE-2013-4326
Resolves: #1009543
* Thu Aug 22 2013 Colin Walters <walters@verbum.org> - 0.11-6 * Thu Aug 22 2013 Colin Walters <walters@verbum.org> - 0.11-6
- Add patch to make this build again - Add patch to make this build again