commit:     d0e16d6fb24423388c5acd74e5f0b9856af08f08
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Jan 25 17:25:25 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Jan 25 17:25:54 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0e16d6f

sys-auth/polkit: fix CVE-2021-4043

Bug: https://bugs.gentoo.org/832057
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../polkit/files/polkit-0.120-CVE-2021-4043.patch  |  72 +++++++++++++
 sys-auth/polkit/polkit-0.120-r2.ebuild             | 120 +++++++++++++++++++++
 2 files changed, 192 insertions(+)

diff --git a/sys-auth/polkit/files/polkit-0.120-CVE-2021-4043.patch 
b/sys-auth/polkit/files/polkit-0.120-CVE-2021-4043.patch
new file mode 100644
index 000000000000..22bb71d14204
--- /dev/null
+++ b/sys-auth/polkit/files/polkit-0.120-CVE-2021-4043.patch
@@ -0,0 +1,72 @@
+https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
+https://bugs.gentoo.org/832057
+https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch
+
+From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jry...@redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
+
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+   local_agent_handle = NULL;
+   ret = 126;
+ 
++  if (argc < 1)
++    {
++      exit(126);
++    }
++
+   /* Disable remote file access from GIO. */
+   setenv ("GIO_USE_VFS", "local", 1);
+ 
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+   pid_t pid_of_caller;
+   gpointer local_agent_handle;
+ 
++
++  /*
++   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't 
be nice, just bail out.
++   */
++  if (argc<1)
++    {
++      exit(127);
++    }
++
+   ret = 127;
+   authority = NULL;
+   subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+ 
+       path = g_strdup (pwstruct.pw_shell);
+       if (!path)
+-      {
++        {
+           g_printerr ("No shell configured or error retrieving pw_shell\n");
+           goto out;
+-      }
++        }
+       /* If you change this, be sure to change the if (!command_line)
+        case below too */
+       command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+           goto out;
+         }
+       g_free (path);
+-      argv[n] = path = s;
++      path = s;
++
++      /* argc<2 and pkexec runs just shell, argv is guaranteed to be 
null-terminated.
++       * /-less shell shouldn't happen, but let's be defensive and don't 
write to null-termination
++       */
++      if (argv[n] != NULL)
++      {
++        argv[n] = path;
++      }
+     }
+   if (access (path, F_OK) != 0)
+     {
+GitLab

diff --git a/sys-auth/polkit/polkit-0.120-r2.ebuild 
b/sys-auth/polkit/polkit-0.120-r2.ebuild
new file mode 100644
index 000000000000..6af327e19f2f
--- /dev/null
+++ b/sys-auth/polkit/polkit-0.120-r2.ebuild
@@ -0,0 +1,120 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit meson pam pax-utils systemd xdg-utils
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide 
services"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit 
https://gitlab.freedesktop.org/polkit/polkit";
+SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz";
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~mips ~ppc64 ~riscv ~s390 ~x86"
+IUSE="examples gtk +introspection kde pam selinux systemd test"
+#RESTRICT="!test? ( test )"
+# Tests currently don't work with meson. See
+#   https://gitlab.freedesktop.org/polkit/polkit/-/issues/144
+RESTRICT="test"
+
+BDEPEND="
+       acct-user/polkitd
+       app-text/docbook-xml-dtd:4.1.2
+       app-text/docbook-xsl-stylesheets
+       dev-libs/glib
+       dev-libs/gobject-introspection-common
+       dev-libs/libxslt
+       dev-util/glib-utils
+       sys-devel/gettext
+       virtual/pkgconfig
+       introspection? ( dev-libs/gobject-introspection )
+"
+DEPEND="
+       dev-lang/spidermonkey:78[-debug]
+       dev-libs/glib:2
+       dev-libs/expat
+       pam? (
+               sys-auth/pambase
+               sys-libs/pam
+       )
+       !pam? ( virtual/libcrypt:= )
+       systemd? ( sys-apps/systemd:0=[policykit] )
+       !systemd? ( sys-auth/elogind )
+"
+RDEPEND="${DEPEND}
+       acct-user/polkitd
+       selinux? ( sec-policy/selinux-policykit )
+"
+PDEPEND="
+       gtk? ( || (
+               >=gnome-extra/polkit-gnome-0.105
+               >=lxde-base/lxsession-0.5.2
+       ) )
+       kde? ( kde-plasma/polkit-kde-agent )
+"
+
+DOCS=( docs/TODO HACKING NEWS README )
+
+QA_MULTILIB_PATHS="
+       usr/lib/polkit-1/polkit-agent-helper-1
+       usr/lib/polkit-1/polkitd"
+
+src_prepare() {
+       local PATCHES=(
+               "${FILESDIR}/polkit-0.120-meson.patch"
+               "${FILESDIR}/polkit-0.120-CVE-2021-4043.patch"
+       )
+       default
+
+       sed -i -e 's|unix-group:wheel|unix-user:0|' 
src/polkitbackend/*-default.rules || die #401513
+}
+
+src_configure() {
+       xdg_environment_reset
+
+       local emesonargs=(
+               --localstatedir="${EPREFIX}"/var
+               -Dauthfw="$(usex pam pam shadow)"
+               -Dexamples=false
+               -Dgtk_doc=false
+               -Dman=true
+               -Dos_type=gentoo
+               -Dsession_tracking="$(usex systemd libsystemd-login libelogind)"
+               -Dsystemdsystemunitdir="$(systemd_get_systemunitdir)"
+               $(meson_use introspection)
+               $(meson_use test tests)
+               $(usex pam "-Dpam_module_dir=$(getpam_mod_dir)" '')
+       )
+       meson_src_configure
+}
+
+src_compile() {
+       meson_src_compile
+
+       # Required for polkitd on hardened/PaX due to spidermonkey's JIT
+       pax-mark mr src/polkitbackend/.libs/polkitd 
test/polkitbackend/.libs/polkitbackendjsauthoritytest
+}
+
+src_install() {
+       meson_src_install
+
+       if use examples ; then
+               docinto examples
+               dodoc src/examples/{*.c,*.policy*}
+       fi
+
+       diropts -m 0700 -o polkitd
+       keepdir /usr/share/polkit-1/rules.d
+
+       # meson does not install required files with SUID bit. See
+       #  https://bugs.gentoo.org/816393
+       # Remove the following lines once this has been fixed by upstream
+       fperms u+s /usr/bin/pkexec
+       fperms u+s /usr/lib/polkit-1/polkit-agent-helper-1
+}
+
+pkg_postinst() {
+       chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+       chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+}

Reply via email to