Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package polkit for openSUSE:Factory checked in at 2026-03-31 15:22:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/polkit (Old) and /work/SRC/openSUSE:Factory/.polkit.new.1999 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "polkit" Tue Mar 31 15:22:04 2026 rev:101 rq:1343588 version:127 Changes: -------- --- /work/SRC/openSUSE:Factory/polkit/polkit.changes 2026-03-29 20:00:53.757935514 +0200 +++ /work/SRC/openSUSE:Factory/.polkit.new.1999/polkit.changes 2026-03-31 15:22:17.556359235 +0200 @@ -1,0 +2,6 @@ +Fri Mar 27 14:19:04 UTC 2026 - Marcus Meissner <[email protected]> + +- avoid reading endless amounts of memory (CVE-2026-4897 bsc#1260859) + 0001-CVE-2026-4897-getline-string-overflow.patch + +------------------------------------------------------------------- @@ -18,0 +25,2 @@ +- CVE-2025-7519: Fixed that a XML policy file with a large number of + nested elements may lead to crash (bsc#1246472) @@ -22,0 +31 @@ +- removed 0001-Nested-.policy-files-cause-xml-parsing-overflow-lead.patch: upstream New: ---- 0001-CVE-2026-4897-getline-string-overflow.patch ----------(New B)---------- New:- avoid reading endless amounts of memory (CVE-2026-4897 bsc#1260859) 0001-CVE-2026-4897-getline-string-overflow.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ polkit.spec ++++++ --- /var/tmp/diff_new_pack.6deUbK/_old 2026-03-31 15:22:18.724408016 +0200 +++ /var/tmp/diff_new_pack.6deUbK/_new 2026-03-31 15:22:18.728408182 +0200 @@ -48,6 +48,9 @@ # PATCH-FIX-OPENSUSE polkit-adjust-libexec-path.patch -- Adjust path to polkit-agent-helper-1 (bsc#1180474) Patch4: polkit-adjust-libexec-path.patch +# PATCH-FIX-UPSTREAM 0001-CVE-2026-4897-getline-string-overflow.patch -- bsc#1260859 ... use a limited getline buffer to avoid endless reads +Patch5: 0001-CVE-2026-4897-getline-string-overflow.patch + BuildRequires: gcc-c++ BuildRequires: gettext-devel BuildRequires: gtk-doc ++++++ 0001-CVE-2026-4897-getline-string-overflow.patch ++++++ >From 7e122c8a5120c2aae2d9d44a26796dc18f5b677c Mon Sep 17 00:00:00 2001 
From: Jan Rybar <[email protected]> Date: Fri, 27 Mar 2026 15:57:01 +0100 Subject: [PATCH] CVE-2026-4897 - getline() string overflow Report and fix by Aisle.com Pavel Kohout, Aisle Research Signed-off-by: Jan Rybar [email protected] --- src/polkitagent/polkitagenthelperprivate.c | 23 +++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/polkitagenthelperprivate.c index 35bca85..7e4f94e 100644 --- a/src/polkitagent/polkitagenthelperprivate.c +++ b/src/polkitagent/polkitagenthelperprivate.c @@ -24,6 +24,7 @@ #include <stdio.h> #include <string.h> #include <stdlib.h> +#include <errno.h> #include <unistd.h> #ifndef HAVE_CLEARENV @@ -59,21 +60,25 @@ read_cookie (int argc, char **argv) return strdup (argv[2]); else { - char *ret = NULL; - size_t n = 0; - ssize_t r = getline (&ret, &n, stdin); - if (r == -1) + #define POLKIT_AGENT_MAX_COOKIE 4096 + char buf[POLKIT_AGENT_MAX_COOKIE + 2]; /* +1 for newline, +1 for NUL */ + if (fgets (buf, sizeof(buf), stdin) == NULL) { if (!feof (stdin)) - perror ("getline"); - free (ret); + perror ("fgets"); return NULL; } - else + if (buf[strlen (buf) - 1] != '\n') { - g_strchomp (ret); - return ret; + /* Cookie too long - drain remaining input and reject */ + int c; + while ((c = getchar ()) != '\n' && c != EOF) + ; + errno = EOVERFLOW; + return NULL; } + g_strchomp (buf); + return strdup (buf); } } -- 2.51.0
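Review bot: The new check `buf[strlen (buf) - 1] != '\n'` in read_cookie reads one byte before the start of `buf` when fgets() returns a line whose first byte is NUL, because `strlen (buf)` is then 0 and the subtraction wraps. The input comes from stdin, presumably written by the process that starts the helper, so the length should be tested first: `size_t len = strlen (buf);` followed by `if (len == 0 || buf[len - 1] != '\n')`. The same test also rejects a short cookie that ends at EOF without a trailing newline as too long, which the removed getline() path accepted. If that input must still work, the rejection would also need `!feof (stdin)`, which should be confirmed against the callers because they are not visible here. read_cookie's signature and the start of its body are outside the hunk.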
