[PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.

Ludovic Courtès wrote on 8 Jun 2021 10:45

Recipients:(address . guix-patches@gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)

Message-ID:20210608084512.29608-1-ludo@gnu.org

* gnu/packages/patches/polkit-CVE-2021-3560.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/polkit.scm (polkit/fixed): New variable.
(polkit)[replacement]: New field.
---
 gnu/local.mk                                  |  1 +
 .../patches/polkit-CVE-2021-3560.patch        | 21 +++++++++++++++++++
 gnu/packages/polkit.scm                       |  9 ++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 gnu/packages/patches/polkit-CVE-2021-3560.patch

Toggle diff (68 lines)diff --git a/gnu/local.mk b/gnu/local.mk
index 0599df8968..42c5ee0d31 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1555,6 +1555,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/plib-CVE-2011-4620.patch		\
   %D%/packages/patches/plib-CVE-2012-4552.patch		\
   %D%/packages/patches/plotutils-spline-test.patch		\
+  %D%/packages/patches/polkit-CVE-2021-3560.patch		\
   %D%/packages/patches/portaudio-audacity-compat.patch		\
   %D%/packages/patches/portmidi-modular-build.patch		\
   %D%/packages/patches/postgresql-disable-resolve_symlinks.patch	\
diff --git a/gnu/packages/patches/polkit-CVE-2021-3560.patch b/gnu/packages/patches/polkit-CVE-2021-3560.patch
new file mode 100644
index 0000000000..9aa0373fda
--- /dev/null
+++ b/gnu/packages/patches/polkit-CVE-2021-3560.patch
@@ -0,0 +1,21 @@
+This patch fixes CVE-2021-3560, "local privilege escalation using
+polkit_system_bus_name_get_creds_sync()":
+
+  https://www.openwall.com/lists/oss-security/2021/06/03/1
+
+Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a>.
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8daa12cb9093c1d765c7b83654a2b8d0d382378e..8ed13631508dd96624898df90ee2ece4dcf3e1e5 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+   while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+     g_main_context_iteration (tmp_context, TRUE);
+ 
++  if (data.caught_error)
++    goto out;
++
+   if (out_uid)
+     *out_uid = data.uid;
+   if (out_pid)
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index d868aceec2..fcd8633b7a 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -44,6 +44,7 @@
   (package
     (name "polkit")
     (version "0.116")
+    (replacement polkit/fixed)
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -135,6 +136,14 @@ making process with respect to granting access to privileged operations
 for unprivileged applications.")
     (license lgpl2.0+)))
 
+(define-public polkit/fixed
+  (package
+    (inherit polkit)
+    (version "0.11A")                             ;0.116 + patch
+    (source (origin
+              (inherit (package-source polkit))
+              (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
+
 (define-public polkit-qt
   (package
     (name "polkit-qt")
-- 
2.31.1

Ludovic Courtès wrote on 8 Jun 2021 10:46

control message for bug #48915

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87a6o0iw0y.fsf@gnu.org

tags 48915 + security

quit

Leo Famulari wrote on 8 Jun 2021 19:52

Re: [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.

Recipients:(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 48915@debbugs.gnu.org)

Message-ID:YL+uaU2KyAfAB9+X@jasmine.lan

On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtï¿½s wrote:

Toggle quote (8 lines)

> +(define-public polkit/fixed

> + (package

> + (inherit polkit)

> + (version "0.11A") ;0.116 + patch

> + (source (origin

> + (inherit (package-source polkit))

> + (patches (search-patches "polkit-CVE-2021-3560.patch"))))))

Typically, we don't change the version when creating replacement

packages that apply a patch. We only change the version when the

replacement package actually updates to a new version.

Thanks for taking care of this!

Ludovic Courtès wrote on 8 Jun 2021 23:32

Re: bug#48915: [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 48915@debbugs.gnu.org)

Message-ID:87zgw0caa4.fsf_-_@gnu.org

Leo Famulari <leo@famulari.name> skribis:

Toggle quote (13 lines)> On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:
>> +(define-public polkit/fixed
>> +  (package
>> +    (inherit polkit)
>> +    (version "0.11A")                             ;0.116 + patch
>> +    (source (origin
>> +              (inherit (package-source polkit))
>> +              (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
>
> Typically, we don't change the version when creating replacement
> packages that apply a patch. We only change the version when the
> replacement package actually updates to a new version.

Pushed as 9178566954cc7f34d2d991d31df4565adad93508!

As discussed on IRC, I ended up making ‘polkit/fixed’ private, with the

version string unchanged (inherited from ‘polkit’).

We wondered whether Cuirass would build ‘polkit/fixed’ if it’s private.

Turns out it does, but this comment in (gnu ci) is still valid:

Toggle snippet (13 lines)(define (all-packages)
  "Return the list of packages to build."
  (define (adjust package result)
    (cond ((package-replacement package)
           ;; XXX: If PACKAGE and its replacement have the same name/version,
           ;; then both Cuirass jobs will have the same name, which
           ;; effectively means that the second one will be ignored.  Thus,
           ;; return the replacement first.
           (cons* (package-replacement package)   ;build both
                  package
                  result))

IOW, the replacement, and only the replacement, gets built.

The current ‘zstd’ replacement is private

https://ci.guix.gnu.org/search?query=system%3Ax86_64-linux+spec%3Amaster+zstd

only shows derivations for the replacement, not for the original one.

That’s okay though because the original one necessarily got built

earlier.

Thanks,

Ludo’.

Ludovic Courtès wrote on 8 Jun 2021 23:32

control message for bug #48915

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87y2bkca9x.fsf@gnu.org

close 48915

quit

Your comment

This issue is archived.

To comment on this conversation send email to 48915@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date