[PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.

  • Done
  • quality assurance status badge
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
normal
L
L
Ludovic Courtès wrote on 8 Jun 2021 10:45
Download
(address . guix-patches@gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20210608084512.29608-1-ludo@gnu.org
Download
* gnu/packages/patches/polkit-CVE-2021-3560.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/polkit.scm (polkit/fixed): New variable.
(polkit)[replacement]: New field.
---
gnu/local.mk | 1 +
.../patches/polkit-CVE-2021-3560.patch | 21 +++++++++++++++++++
gnu/packages/polkit.scm | 9 ++++++++
3 files changed, 31 insertions(+)
create mode 100644 gnu/packages/patches/polkit-CVE-2021-3560.patch

Toggle diff (68 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 0599df8968..42c5ee0d31 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1555,6 +1555,7 @@ dist_patch_DATA = \
%D%/packages/patches/plib-CVE-2011-4620.patch \
%D%/packages/patches/plib-CVE-2012-4552.patch \
%D%/packages/patches/plotutils-spline-test.patch \
+ %D%/packages/patches/polkit-CVE-2021-3560.patch \
%D%/packages/patches/portaudio-audacity-compat.patch \
%D%/packages/patches/portmidi-modular-build.patch \
%D%/packages/patches/postgresql-disable-resolve_symlinks.patch \
diff --git a/gnu/packages/patches/polkit-CVE-2021-3560.patch b/gnu/packages/patches/polkit-CVE-2021-3560.patch
new file mode 100644
index 0000000000..9aa0373fda
--- /dev/null
+++ b/gnu/packages/patches/polkit-CVE-2021-3560.patch
@@ -0,0 +1,21 @@
+This patch fixes CVE-2021-3560, "local privilege escalation using
+polkit_system_bus_name_get_creds_sync()":
+
+ https://www.openwall.com/lists/oss-security/2021/06/03/1
+
+Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a>.
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8daa12cb9093c1d765c7b83654a2b8d0d382378e..8ed13631508dd96624898df90ee2ece4dcf3e1e5 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+ g_main_context_iteration (tmp_context, TRUE);
+
++ if (data.caught_error)
++ goto out;
++
+ if (out_uid)
+ *out_uid = data.uid;
+ if (out_pid)
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index d868aceec2..fcd8633b7a 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -44,6 +44,7 @@
(package
(name "polkit")
(version "0.116")
+ (replacement polkit/fixed)
(source (origin
(method url-fetch)
(uri (string-append
@@ -135,6 +136,14 @@ making process with respect to granting access to privileged operations
for unprivileged applications.")
(license lgpl2.0+)))
+(define-public polkit/fixed
+ (package
+ (inherit polkit)
+ (version "0.11A") ;0.116 + patch
+ (source (origin
+ (inherit (package-source polkit))
+ (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
+
(define-public polkit-qt
(package
(name "polkit-qt")
--
2.31.1
L
L
Ludovic Courtès wrote on 8 Jun 2021 10:46
Download
control message for bug #48915
(address . control@debbugs.gnu.org)
87a6o0iw0y.fsf@gnu.org
Download
tags 48915 + security
quit
L
L
Leo Famulari wrote on 8 Jun 2021 19:52
Download
Re: [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 48915@debbugs.gnu.org)
YL+uaU2KyAfAB9+X@jasmine.lan
Download
On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Court�s wrote:
Toggle quote (8 lines)
> +(define-public polkit/fixed
> + (package
> + (inherit polkit)
> + (version "0.11A") ;0.116 + patch
> + (source (origin
> + (inherit (package-source polkit))
> + (patches (search-patches "polkit-CVE-2021-3560.patch"))))))

Typically, we don't change the version when creating replacement
packages that apply a patch. We only change the version when the
replacement package actually updates to a new version.

Thanks for taking care of this!
L
L
Ludovic Courtès wrote on 8 Jun 2021 23:32
Download
Re: bug#48915: [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
(name . Leo Famulari)(address . leo@famulari.name)(address . 48915@debbugs.gnu.org)
87zgw0caa4.fsf_-_@gnu.org
Download
Leo Famulari <leo@famulari.name> skribis:

Toggle quote (13 lines)
> On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:
>> +(define-public polkit/fixed
>> + (package
>> + (inherit polkit)
>> + (version "0.11A") ;0.116 + patch
>> + (source (origin
>> + (inherit (package-source polkit))
>> + (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
>
> Typically, we don't change the version when creating replacement
> packages that apply a patch. We only change the version when the
> replacement package actually updates to a new version.

Pushed as 9178566954cc7f34d2d991d31df4565adad93508!

As discussed on IRC, I ended up making ‘polkit/fixed’ private, with the
version string unchanged (inherited from ‘polkit’).

We wondered whether Cuirass would build ‘polkit/fixed’ if it’s private.
Turns out it does, but this comment in (gnu ci) is still valid:

Toggle snippet (13 lines)
(define (all-packages)
"Return the list of packages to build."
(define (adjust package result)
(cond ((package-replacement package)
;; XXX: If PACKAGE and its replacement have the same name/version,
;; then both Cuirass jobs will have the same name, which
;; effectively means that the second one will be ignored. Thus,
;; return the replacement first.
(cons* (package-replacement package) ;build both
package
result))

IOW, the replacement, and only the replacement, gets built.

The current ‘zstd’ replacement is private
only shows derivations for the replacement, not for the original one.
That’s okay though because the original one necessarily got built
earlier.

Thanks,
Ludo’.
L
L
Ludovic Courtès wrote on 8 Jun 2021 23:32
Download
control message for bug #48915
(address . control@debbugs.gnu.org)
87y2bkca9x.fsf@gnu.org
Download
close 48915
quit
?