[PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.

Done
Submitted by Ludovic Courtès.
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Severity
normal
Ludovic Courtès wrote 7 days ago
(address . guix-patches@gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20210608084512.29608-1-ludo@gnu.org
* gnu/packages/patches/polkit-CVE-2021-3560.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/polkit.scm (polkit/fixed): New variable.
(polkit)[replacement]: New field.
---
 gnu/local.mk                                  |  1 +
 .../patches/polkit-CVE-2021-3560.patch        | 21 +++++++++++++++++++
 gnu/packages/polkit.scm                       |  9 ++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 gnu/packages/patches/polkit-CVE-2021-3560.patch
Toggle diff (68 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex 0599df8968..42c5ee0d31 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -1555,6 +1555,7 @@ dist_patch_DATA = \ %D%/packages/patches/plib-CVE-2011-4620.patch \ %D%/packages/patches/plib-CVE-2012-4552.patch \ %D%/packages/patches/plotutils-spline-test.patch \+ %D%/packages/patches/polkit-CVE-2021-3560.patch \ %D%/packages/patches/portaudio-audacity-compat.patch \ %D%/packages/patches/portmidi-modular-build.patch \ %D%/packages/patches/postgresql-disable-resolve_symlinks.patch \diff --git a/gnu/packages/patches/polkit-CVE-2021-3560.patch b/gnu/packages/patches/polkit-CVE-2021-3560.patchnew file mode 100644index 0000000000..9aa0373fda--- /dev/null+++ b/gnu/packages/patches/polkit-CVE-2021-3560.patch@@ -0,0 +1,21 @@+This patch fixes CVE-2021-3560, "local privilege escalation using+polkit_system_bus_name_get_creds_sync()":++ https://www.openwall.com/lists/oss-security/2021/06/03/1++Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a>.++diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c+index 8daa12cb9093c1d765c7b83654a2b8d0d382378e..8ed13631508dd96624898df90ee2ece4dcf3e1e5 100644+--- a/src/polkit/polkitsystembusname.c++++ b/src/polkit/polkitsystembusname.c+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus+ while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))+ g_main_context_iteration (tmp_context, TRUE);+ ++ if (data.caught_error)++ goto out;+++ if (out_uid)+ *out_uid = data.uid;+ if (out_pid)diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scmindex d868aceec2..fcd8633b7a 100644--- a/gnu/packages/polkit.scm+++ b/gnu/packages/polkit.scm@@ -44,6 +44,7 @@ (package (name "polkit") (version "0.116")+ (replacement polkit/fixed) (source (origin (method url-fetch) (uri (string-append@@ -135,6 +136,14 @@ making process with respect to granting access to privileged operations for unprivileged 
applications.") (license lgpl2.0+))) +(define-public polkit/fixed+ (package+ (inherit polkit)+ (version "0.11A") ;0.116 + patch+ (source (origin+ (inherit (package-source polkit))+ (patches (search-patches "polkit-CVE-2021-3560.patch"))))))+ (define-public polkit-qt (package (name "polkit-qt")-- 2.31.1
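Review bot: In gnu/packages/patches/polkit-CVE-2021-3560.patch, the added 'if (data.caught_error) goto out;' is only effective if the 'out:' path returns failure without writing '*out_uid' or '*out_pid', and the context lines of the hunk end before that label, so the return value on the error path cannot be checked from this patch alone. It is worth confirming against the full polkit_system_bus_name_get_creds_sync () in the 0.116 source. The patch header also cites the upstream commit by the abbreviated hash a04d13a; the full commit id would make the provenance unambiguous.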
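Review bot: In gnu/packages/polkit.scm, 'polkit/fixed' overrides the version with (version "0.11A") although the replacement still builds the inherited 0.116 source plus one patch, so the graft carries a version string that corresponds to no release, and 'define-public' exports it from the module. Consider dropping the 'version' field so that it is inherited from 'polkit', and using plain 'define' so that the replacement is only reachable through the 'replacement' field.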
Ludovic Courtès wrote 7 days ago
control message for bug #48915
(address . control@debbugs.gnu.org)
87a6o0iw0y.fsf@gnu.org
tags 48915 + security
quit
Leo Famulari wrote 7 days ago
Re: [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 48915@debbugs.gnu.org)
YL+uaU2KyAfAB9+X@jasmine.lan
On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:
Toggle quote (8 lines)> +(define-public polkit/fixed> + (package> + (inherit polkit)> + (version "0.11A") ;0.116 + patch> + (source (origin> + (inherit (package-source polkit))> + (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
Typically, we don't change the version when creating replacement packages that apply a patch. We only change the version when the replacement package actually updates to a new version.
Thanks for taking care of this!
Ludovic Courtès wrote 6 days ago
Re: bug#48915: [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
(name . Leo Famulari)(address . leo@famulari.name)(address . 48915@debbugs.gnu.org)
87zgw0caa4.fsf_-_@gnu.org
Leo Famulari <leo@famulari.name> writes:
Toggle quote (13 lines)> On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:>> +(define-public polkit/fixed>> + (package>> + (inherit polkit)>> + (version "0.11A") ;0.116 + patch>> + (source (origin>> + (inherit (package-source polkit))>> + (patches (search-patches "polkit-CVE-2021-3560.patch"))))))>> Typically, we don't change the version when creating replacement> packages that apply a patch. We only change the version when the> replacement package actually updates to a new version.
Pushed as 9178566954cc7f34d2d991d31df4565adad93508!
As discussed on IRC, I ended up making ‘polkit/fixed’ private, with the version string unchanged (inherited from ‘polkit’).
We wondered whether Cuirass would build ‘polkit/fixed’ if it’s private. Turns out it does, but this comment in (gnu ci) is still valid:
(define (all-packages)
  "Return the list of packages to build."
  (define (adjust package result)
    (cond ((package-replacement package)
           ;; XXX: If PACKAGE and its replacement have the same name/version,
           ;; then both Cuirass jobs will have the same name, which
           ;; effectively means that the second one will be ignored.  Thus,
           ;; return the replacement first.
           (cons* (package-replacement package)   ;build both
                  package
                  result))
IOW, the replacement, and only the replacement, gets built.
The current ‘zstd’ replacement is private https://ci.guix.gnu.org/search?query=system%3Ax86_64-linux+spec%3Amaster+zstd only shows derivations for the replacement, not for the original one. That’s okay though because the original one necessarily got built earlier.
Thanks,
Ludo’.
Ludovic Courtès wrote 6 days ago
control message for bug #48915
(address . control@debbugs.gnu.org)
87y2bkca9x.fsf@gnu.org
close 48915
quit