perfinion    15/06/06 08:52:20

  Added:               
                        
polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch
  Log:
  Fix bug 551316 (CVE-2015-3218): crash in authentication_agent_new when 
RegisterAuthenticationAgent is given an invalid object path
  
  (Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 
0x7EF137EC935B0EAF)

Revision  Changes    Path
1.1                  
sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch?rev=1.1&content-type=text/plain

Index: 
polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch
===================================================================
>From 9e074421d5623b6962dc66994d519012b40334b9 Mon Sep 17 00:00:00 2001
From: Colin Walters <walt...@verbum.org>
Date: Sat, 30 May 2015 09:06:23 -0400
Subject: [PATCH] backend: Handle invalid object paths in
 RegisterAuthenticationAgent

Properly propagate the error, otherwise we dereference a `NULL`
pointer.  This is a local, authenticated DoS.

Reported-by: Tavis Ormandy <tav...@google.com>
Signed-off-by: Colin Walters <walt...@verbum.org>
---
 .../polkitbackendinteractiveauthority.c            | 53 ++++++++++++----------
 1 file changed, 30 insertions(+), 23 deletions(-)

diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c 
b/src/polkitbackend/polkitbackendinteractiveauthority.c
index 59028d5..f45fdf1 100644
--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
@@ -1551,36 +1551,42 @@ authentication_agent_new (PolkitSubject *scope,
                           const gchar *unique_system_bus_name,
                           const gchar *locale,
                           const gchar *object_path,
-                          GVariant    *registration_options)
+                          GVariant    *registration_options,
+                         GError     **error)
 {
   AuthenticationAgent *agent;
-  GError *error;
+  GDBusProxy *proxy;
 
-  agent = g_new0 (AuthenticationAgent, 1);
+  if (!g_variant_is_object_path (object_path))
+    {
+      g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED,
+                  "Invalid object path '%s'", object_path);
+      return NULL;
+    }
+
+  proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM,
+                                        
G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES |
+                                        
G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS,
+                                        NULL, /* GDBusInterfaceInfo* */
+                                        unique_system_bus_name,
+                                        object_path,
+                                        
"org.freedesktop.PolicyKit1.AuthenticationAgent",
+                                        NULL, /* GCancellable* */
+                                        error);
+  if (proxy == NULL)
+    {
+      g_prefix_error (error, "Failed to construct proxy for agent: " );
+      return NULL;
+    }
 
+  agent = g_new0 (AuthenticationAgent, 1);
   agent->ref_count = 1;
   agent->scope = g_object_ref (scope);
   agent->object_path = g_strdup (object_path);
   agent->unique_system_bus_name = g_strdup (unique_system_bus_name);
   agent->locale = g_strdup (locale);
   agent->registration_options = registration_options != NULL ? g_variant_ref 
(registration_options) : NULL;
-
-  error = NULL;
-  agent->proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM,
-                                                
G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES |
-                                                
G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS,
-                                                NULL, /* GDBusInterfaceInfo* */
-                                                agent->unique_system_bus_name,
-                                                agent->object_path,
-                                                
"org.freedesktop.PolicyKit1.AuthenticationAgent",
-                                                NULL, /* GCancellable* */
-                                                &error);
-  if (agent->proxy == NULL)
-    {
-      g_warning ("Error constructing proxy for agent: %s", error->message);
-      g_error_free (error);
-      /* TODO: Make authentication_agent_new() return NULL and set a GError */
-    }
+  agent->proxy = proxy;
 
   return agent;
 }
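Review bot: authentication_agent_new now has a failure path, but nothing on the function documents it, and a caller that still assumes a non-NULL return would bring back the NULL dereference this patch removes. I would add a header comment such as `/* Returns NULL and sets @error if @object_path is not a valid D-Bus object path or the agent proxy cannot be constructed. */`. Note also that `g_variant_is_object_path ()` is a syntax check only, so a well-formed path that the caller does not actually export still passes it; whether that is caught later cannot be seen from this hunk. The start of the function (return type and storage class) lies outside the hunk.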
@@ -2383,8 +2389,6 @@ 
polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
   caller_cmdline = NULL;
   agent = NULL;
 
-  /* TODO: validate that object path is well-formed */
-
   interactive_authority = POLKIT_BACKEND_INTERACTIVE_AUTHORITY (authority);
   priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE 
(interactive_authority);
 
@@ -2471,7 +2475,10 @@ 
polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
                                     polkit_system_bus_name_get_name 
(POLKIT_SYSTEM_BUS_NAME (caller)),
                                     locale,
                                     object_path,
-                                    options);
+                                    options,
+                                   error);
+  if (!agent)
+    goto out;
 
   g_hash_table_insert (priv->hash_scope_to_authentication_agent,
                        g_object_ref (subject),
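Review bot: The new `if (!agent) goto out;` reports the failure to the D-Bus caller only; the `g_warning` that the old authentication_agent_new emitted is gone, so as far as these hunks show a rejected registration leaves no record on the daemon side. A malformed object path at this call is the CVE-2015-3218 trigger, so it is worth logging the rejection with the caller's bus name before the jump, e.g. `g_warning ("Rejected authentication agent registration from %s", polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)));` inside a braced `if (!agent)` body. If the caller-supplied path is included in the log line, it should be escaped first. The `out` label and the return value are outside the hunk, so this assumes the cleanup there tolerates `agent == NULL` and that the result still signals failure.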
-- 
1.8.3.1




