diff options
author | Jason Zaman <perfinion@gentoo.org> | 2015-06-06 08:52:19 +0000 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2015-06-06 08:52:19 +0000 |
commit | e26a5bce8747ccf6b09666bfc42ba727b5b609fc (patch) | |
tree | a874d646bbbe08479e839a4e4678ab6426e3afcd | |
parent | amd64 stable wrt bug #551350 (diff) | |
download | gentoo-2-e26a5bce8747ccf6b09666bfc42ba727b5b609fc.tar.gz gentoo-2-e26a5bce8747ccf6b09666bfc42ba727b5b609fc.tar.bz2 gentoo-2-e26a5bce8747ccf6b09666bfc42ba727b5b609fc.zip |
fix bug 551316 CVE-2015-3218: crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x7EF137EC935B0EAF)
3 files changed, 237 insertions, 1 deletions
diff --git a/sys-auth/polkit/ChangeLog b/sys-auth/polkit/ChangeLog index 49796e4a8ed7..e8b221c54763 100644 --- a/sys-auth/polkit/ChangeLog +++ b/sys-auth/polkit/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for sys-auth/polkit # Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-auth/polkit/ChangeLog,v 1.192 2015/03/03 09:56:07 dlan Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-auth/polkit/ChangeLog,v 1.193 2015/06/06 08:52:19 perfinion Exp $ + +*polkit-0.112-r3 (06 Jun 2015) + + 06 Jun 2015; Jason Zaman <perfinion@gentoo.org> +files/polkit-0.112-0001-backe + nd-Handle-invalid-object-paths-in-RegisterAuthe.patch, + +polkit-0.112-r3.ebuild: + fix bug 551316 CVE-2015-3218: crash authentication_agent_new with invalid + object path in RegisterAuthenticationAgent 03 Mar 2015; Yixun Lan <dlan@gentoo.org> polkit-0.110.ebuild: add arm64 support, tested on A53 board diff --git a/sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch b/sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch new file mode 100644 index 000000000000..5ceb2de5f9ed --- /dev/null +++ b/sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch @@ -0,0 +1,106 @@ +From 9e074421d5623b6962dc66994d519012b40334b9 Mon Sep 17 00:00:00 2001 +From: Colin Walters <walters@verbum.org> +Date: Sat, 30 May 2015 09:06:23 -0400 +Subject: [PATCH] backend: Handle invalid object paths in + RegisterAuthenticationAgent + +Properly propagate the error, otherwise we dereference a `NULL` +pointer. This is a local, authenticated DoS. + +Reported-by: Tavis Ormandy <taviso@google.com> +Signed-off-by: Colin Walters <walters@verbum.org> +--- + .../polkitbackendinteractiveauthority.c | 53 ++++++++++++---------- + 1 file changed, 30 insertions(+), 23 deletions(-) + +diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c +index 59028d5..f45fdf1 100644 +--- a/src/polkitbackend/polkitbackendinteractiveauthority.c ++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c +@@ -1551,36 +1551,42 @@ authentication_agent_new (PolkitSubject *scope, + const gchar *unique_system_bus_name, + const gchar *locale, + const gchar *object_path, +- GVariant *registration_options) ++ GVariant *registration_options, ++ GError **error) + { + AuthenticationAgent *agent; +- GError *error; ++ GDBusProxy *proxy; + +- agent = g_new0 (AuthenticationAgent, 1); ++ if (!g_variant_is_object_path (object_path)) ++ { ++ g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED, ++ "Invalid object path '%s'", object_path); ++ return NULL; ++ } ++ ++ proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM, ++ G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES | ++ G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS, ++ NULL, /* GDBusInterfaceInfo* */ ++ unique_system_bus_name, ++ object_path, ++ "org.freedesktop.PolicyKit1.AuthenticationAgent", ++ NULL, /* GCancellable* */ ++ error); ++ if (proxy == NULL) ++ { ++ g_prefix_error (error, "Failed to construct proxy for agent: " ); ++ return NULL; ++ } + ++ agent = g_new0 (AuthenticationAgent, 1); + agent->ref_count = 1; + agent->scope = g_object_ref (scope); + agent->object_path = g_strdup (object_path); + agent->unique_system_bus_name = g_strdup (unique_system_bus_name); + agent->locale = g_strdup (locale); + agent->registration_options = registration_options != NULL ? g_variant_ref (registration_options) : NULL; +- +- error = NULL; +- agent->proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM, +- G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES | +- G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS, +- NULL, /* GDBusInterfaceInfo* */ +- agent->unique_system_bus_name, +- agent->object_path, +- "org.freedesktop.PolicyKit1.AuthenticationAgent", +- NULL, /* GCancellable* */ +- &error); +- if (agent->proxy == NULL) +- { +- g_warning ("Error constructing proxy for agent: %s", error->message); +- g_error_free (error); +- /* TODO: Make authentication_agent_new() return NULL and set a GError */ +- } ++ agent->proxy = proxy; + + return agent; + } +@@ -2383,8 +2389,6 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken + caller_cmdline = NULL; + agent = NULL; + +- /* TODO: validate that object path is well-formed */ +- + interactive_authority = POLKIT_BACKEND_INTERACTIVE_AUTHORITY (authority); + priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (interactive_authority); + +@@ -2471,7 +2475,10 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken + polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)), + locale, + object_path, +- options); ++ options, ++ error); ++ if (!agent) ++ goto out; + + g_hash_table_insert (priv->hash_scope_to_authentication_agent, + g_object_ref (subject), +-- +1.8.3.1 + diff --git a/sys-auth/polkit/polkit-0.112-r3.ebuild b/sys-auth/polkit/polkit-0.112-r3.ebuild new file mode 100644 index 000000000000..cdd2932e9666 --- /dev/null +++ b/sys-auth/polkit/polkit-0.112-r3.ebuild @@ -0,0 +1,122 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-auth/polkit/polkit-0.112-r3.ebuild,v 1.1 2015/06/06 08:52:19 perfinion Exp $ + +EAPI=5 +inherit eutils multilib pam pax-utils systemd user + +DESCRIPTION="Policy framework for controlling privileges for system-wide services" +HOMEPAGE="http://www.freedesktop.org/wiki/Software/polkit" +SRC_URI="http://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz" + +LICENSE="LGPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86" +IUSE="examples gtk +introspection jit kde nls pam selinux systemd" + +CDEPEND=" + ia64? ( =dev-lang/spidermonkey-1.8.5*[-debug] ) + hppa? ( =dev-lang/spidermonkey-1.8.5*[-debug] ) + mips? ( =dev-lang/spidermonkey-1.8.5*[-debug] ) + !hppa? ( !ia64? ( !mips? ( dev-lang/spidermonkey:17[-debug,jit=] ) ) ) + >=dev-libs/glib-2.32 + >=dev-libs/expat-2:= + introspection? ( >=dev-libs/gobject-introspection-1 ) + pam? ( + sys-auth/pambase + virtual/pam + ) + systemd? ( sys-apps/systemd:0= )" +DEPEND="${CDEPEND} + app-text/docbook-xml-dtd:4.1.2 + app-text/docbook-xsl-stylesheets + dev-libs/libxslt + dev-util/intltool + virtual/pkgconfig" +RDEPEND="${CDEPEND} + selinux? ( sec-policy/selinux-policykit ) +" +PDEPEND=" + gtk? ( || ( + >=gnome-extra/polkit-gnome-0.105 + lxde-base/lxpolkit + ) ) + kde? ( || ( + kde-plasma/polkit-kde-agent + sys-auth/polkit-kde-agent + ) ) + !systemd? ( sys-auth/consolekit[policykit] )" + +QA_MULTILIB_PATHS=" + usr/lib/polkit-1/polkit-agent-helper-1 + usr/lib/polkit-1/polkitd" + +pkg_setup() { + local u=polkitd + local g=polkitd + local h=/var/lib/polkit-1 + + enewgroup ${g} + enewuser ${u} -1 -1 ${h} ${g} + esethome ${u} ${h} +} + +src_prepare() { + epatch "${FILESDIR}/${PN}-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch" # bug 551316 + sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513 +} + +src_configure() { + econf \ + --localstatedir="${EPREFIX}"/var \ + --disable-static \ + --enable-man-pages \ + --disable-gtk-doc \ + $(use_enable systemd libsystemd-login) \ + $(use_enable introspection) \ + --disable-examples \ + $(use_enable nls) \ + $(if use hppa || use ia64 || use mips; then echo --with-mozjs=mozjs185; else echo --with-mozjs=mozjs-17.0; fi) \ + "$(systemd_with_unitdir)" \ + --with-authfw=$(usex pam pam shadow) \ + $(use pam && echo --with-pam-module-dir="$(getpam_mod_dir)") \ + --with-os-type=gentoo +} + +src_compile() { + default + + # Required for polkitd on hardened/PaX due to spidermonkey's JIT + local f='src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest' + local m='' + # Only used when USE="jit" is enabled for 'dev-lang/spidermonkey:17' wrt #485910 + has_version 'dev-lang/spidermonkey:17[jit]' && m='m' + # hppa, ia64 and mips uses spidermonkey-1.8.5 which requires different pax-mark flags + use hppa && m='mr' + use ia64 && m='mr' + use mips && m='mr' + [ -n "$m" ] && pax-mark ${m} ${f} +} + +src_install() { + emake DESTDIR="${D}" install + + dodoc docs/TODO HACKING NEWS README + + fowners -R polkitd:root /{etc,usr/share}/polkit-1/rules.d + + diropts -m0700 -o polkitd -g polkitd + keepdir /var/lib/polkit-1 + + if use examples; then + insinto /usr/share/doc/${PF}/examples + doins src/examples/{*.c,*.policy*} + fi + + prune_libtool_files +} + +pkg_postinst() { + chown -R polkitd:root "${EROOT}"/{etc,usr/share}/polkit-1/rules.d + chown -R polkitd:polkitd "${EROOT}"/var/lib/polkit-1 +} |