summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJason Zaman <perfinion@gentoo.org>2015-06-06 08:52:19 +0000
committerJason Zaman <perfinion@gentoo.org>2015-06-06 08:52:19 +0000
commite26a5bce8747ccf6b09666bfc42ba727b5b609fc (patch)
treea874d646bbbe08479e839a4e4678ab6426e3afcd
parentamd64 stable wrt bug #551350 (diff)
downloadgentoo-2-e26a5bce8747ccf6b09666bfc42ba727b5b609fc.tar.gz
gentoo-2-e26a5bce8747ccf6b09666bfc42ba727b5b609fc.tar.bz2
gentoo-2-e26a5bce8747ccf6b09666bfc42ba727b5b609fc.zip
fix bug 551316 CVE-2015-3218: crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x7EF137EC935B0EAF)
-rw-r--r--sys-auth/polkit/ChangeLog10
-rw-r--r--sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch106
-rw-r--r--sys-auth/polkit/polkit-0.112-r3.ebuild122
3 files changed, 237 insertions, 1 deletions
diff --git a/sys-auth/polkit/ChangeLog b/sys-auth/polkit/ChangeLog
index 49796e4a8ed7..e8b221c54763 100644
--- a/sys-auth/polkit/ChangeLog
+++ b/sys-auth/polkit/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for sys-auth/polkit
# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/polkit/ChangeLog,v 1.192 2015/03/03 09:56:07 dlan Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/polkit/ChangeLog,v 1.193 2015/06/06 08:52:19 perfinion Exp $
+
+*polkit-0.112-r3 (06 Jun 2015)
+
+ 06 Jun 2015; Jason Zaman <perfinion@gentoo.org> +files/polkit-0.112-0001-backe
+ nd-Handle-invalid-object-paths-in-RegisterAuthe.patch,
+ +polkit-0.112-r3.ebuild:
+ fix bug 551316 CVE-2015-3218: crash authentication_agent_new with invalid
+ object path in RegisterAuthenticationAgent
03 Mar 2015; Yixun Lan <dlan@gentoo.org> polkit-0.110.ebuild:
add arm64 support, tested on A53 board
diff --git a/sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch b/sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch
new file mode 100644
index 000000000000..5ceb2de5f9ed
--- /dev/null
+++ b/sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch
@@ -0,0 +1,106 @@
+From 9e074421d5623b6962dc66994d519012b40334b9 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Sat, 30 May 2015 09:06:23 -0400
+Subject: [PATCH] backend: Handle invalid object paths in
+ RegisterAuthenticationAgent
+
+Properly propagate the error, otherwise we dereference a `NULL`
+pointer. This is a local, authenticated DoS.
+
+Reported-by: Tavis Ormandy <taviso@google.com>
+Signed-off-by: Colin Walters <walters@verbum.org>
+---
+ .../polkitbackendinteractiveauthority.c | 53 ++++++++++++----------
+ 1 file changed, 30 insertions(+), 23 deletions(-)
+
+diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
+index 59028d5..f45fdf1 100644
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -1551,36 +1551,42 @@ authentication_agent_new (PolkitSubject *scope,
+ const gchar *unique_system_bus_name,
+ const gchar *locale,
+ const gchar *object_path,
+- GVariant *registration_options)
++ GVariant *registration_options,
++ GError **error)
+ {
+ AuthenticationAgent *agent;
+- GError *error;
++ GDBusProxy *proxy;
+
+- agent = g_new0 (AuthenticationAgent, 1);
++ if (!g_variant_is_object_path (object_path))
++ {
++ g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED,
++ "Invalid object path '%s'", object_path);
++ return NULL;
++ }
++
++ proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM,
++ G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES |
++ G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS,
++ NULL, /* GDBusInterfaceInfo* */
++ unique_system_bus_name,
++ object_path,
++ "org.freedesktop.PolicyKit1.AuthenticationAgent",
++ NULL, /* GCancellable* */
++ error);
++ if (proxy == NULL)
++ {
++ g_prefix_error (error, "Failed to construct proxy for agent: " );
++ return NULL;
++ }
+
++ agent = g_new0 (AuthenticationAgent, 1);
+ agent->ref_count = 1;
+ agent->scope = g_object_ref (scope);
+ agent->object_path = g_strdup (object_path);
+ agent->unique_system_bus_name = g_strdup (unique_system_bus_name);
+ agent->locale = g_strdup (locale);
+ agent->registration_options = registration_options != NULL ? g_variant_ref (registration_options) : NULL;
+-
+- error = NULL;
+- agent->proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM,
+- G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES |
+- G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS,
+- NULL, /* GDBusInterfaceInfo* */
+- agent->unique_system_bus_name,
+- agent->object_path,
+- "org.freedesktop.PolicyKit1.AuthenticationAgent",
+- NULL, /* GCancellable* */
+- &error);
+- if (agent->proxy == NULL)
+- {
+- g_warning ("Error constructing proxy for agent: %s", error->message);
+- g_error_free (error);
+- /* TODO: Make authentication_agent_new() return NULL and set a GError */
+- }
++ agent->proxy = proxy;
+
+ return agent;
+ }
+@@ -2383,8 +2389,6 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
+ caller_cmdline = NULL;
+ agent = NULL;
+
+- /* TODO: validate that object path is well-formed */
+-
+ interactive_authority = POLKIT_BACKEND_INTERACTIVE_AUTHORITY (authority);
+ priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (interactive_authority);
+
+@@ -2471,7 +2475,10 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
+ polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)),
+ locale,
+ object_path,
+- options);
++ options,
++ error);
++ if (!agent)
++ goto out;
+
+ g_hash_table_insert (priv->hash_scope_to_authentication_agent,
+ g_object_ref (subject),
+--
+1.8.3.1
+
diff --git a/sys-auth/polkit/polkit-0.112-r3.ebuild b/sys-auth/polkit/polkit-0.112-r3.ebuild
new file mode 100644
index 000000000000..cdd2932e9666
--- /dev/null
+++ b/sys-auth/polkit/polkit-0.112-r3.ebuild
@@ -0,0 +1,122 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/polkit/polkit-0.112-r3.ebuild,v 1.1 2015/06/06 08:52:19 perfinion Exp $
+
+EAPI=5
+inherit eutils multilib pam pax-utils systemd user
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide services"
+HOMEPAGE="http://www.freedesktop.org/wiki/Software/polkit"
+SRC_URI="http://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz"
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="examples gtk +introspection jit kde nls pam selinux systemd"
+
+CDEPEND="
+ ia64? ( =dev-lang/spidermonkey-1.8.5*[-debug] )
+ hppa? ( =dev-lang/spidermonkey-1.8.5*[-debug] )
+ mips? ( =dev-lang/spidermonkey-1.8.5*[-debug] )
+ !hppa? ( !ia64? ( !mips? ( dev-lang/spidermonkey:17[-debug,jit=] ) ) )
+ >=dev-libs/glib-2.32
+ >=dev-libs/expat-2:=
+ introspection? ( >=dev-libs/gobject-introspection-1 )
+ pam? (
+ sys-auth/pambase
+ virtual/pam
+ )
+ systemd? ( sys-apps/systemd:0= )"
+DEPEND="${CDEPEND}
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/docbook-xsl-stylesheets
+ dev-libs/libxslt
+ dev-util/intltool
+ virtual/pkgconfig"
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-policykit )
+"
+PDEPEND="
+ gtk? ( || (
+ >=gnome-extra/polkit-gnome-0.105
+ lxde-base/lxpolkit
+ ) )
+ kde? ( || (
+ kde-plasma/polkit-kde-agent
+ sys-auth/polkit-kde-agent
+ ) )
+ !systemd? ( sys-auth/consolekit[policykit] )"
+
+QA_MULTILIB_PATHS="
+ usr/lib/polkit-1/polkit-agent-helper-1
+ usr/lib/polkit-1/polkitd"
+
+pkg_setup() {
+ local u=polkitd
+ local g=polkitd
+ local h=/var/lib/polkit-1
+
+ enewgroup ${g}
+ enewuser ${u} -1 -1 ${h} ${g}
+ esethome ${u} ${h}
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/${PN}-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch" # bug 551316
+ sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513
+}
+
+src_configure() {
+ econf \
+ --localstatedir="${EPREFIX}"/var \
+ --disable-static \
+ --enable-man-pages \
+ --disable-gtk-doc \
+ $(use_enable systemd libsystemd-login) \
+ $(use_enable introspection) \
+ --disable-examples \
+ $(use_enable nls) \
+ $(if use hppa || use ia64 || use mips; then echo --with-mozjs=mozjs185; else echo --with-mozjs=mozjs-17.0; fi) \
+ "$(systemd_with_unitdir)" \
+ --with-authfw=$(usex pam pam shadow) \
+ $(use pam && echo --with-pam-module-dir="$(getpam_mod_dir)") \
+ --with-os-type=gentoo
+}
+
+src_compile() {
+ default
+
+ # Required for polkitd on hardened/PaX due to spidermonkey's JIT
+ local f='src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest'
+ local m=''
+ # Only used when USE="jit" is enabled for 'dev-lang/spidermonkey:17' wrt #485910
+ has_version 'dev-lang/spidermonkey:17[jit]' && m='m'
+ # hppa, ia64 and mips uses spidermonkey-1.8.5 which requires different pax-mark flags
+ use hppa && m='mr'
+ use ia64 && m='mr'
+ use mips && m='mr'
+ [ -n "$m" ] && pax-mark ${m} ${f}
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ dodoc docs/TODO HACKING NEWS README
+
+ fowners -R polkitd:root /{etc,usr/share}/polkit-1/rules.d
+
+ diropts -m0700 -o polkitd -g polkitd
+ keepdir /var/lib/polkit-1
+
+ if use examples; then
+ insinto /usr/share/doc/${PF}/examples
+ doins src/examples/{*.c,*.policy*}
+ fi
+
+ prune_libtool_files
+}
+
+pkg_postinst() {
+ chown -R polkitd:root "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+ chown -R polkitd:polkitd "${EROOT}"/var/lib/polkit-1
+}