commit 4e85edc68e217e508a991e32f86163c72dc8d0cb Author: Jakub Bogusz <qbo...@pld-linux.org> Date: Sat Sep 29 19:33:37 2018 +0200
- updated to 0.115 (fixes CVE-2018-1116) - updated systemd-fallback patch polkit.spec | 7 +-- systemd-fallback.patch | 137 +++++++++++++++++++++++++++---------------------- 2 files changed, 77 insertions(+), 67 deletions(-) --- diff --git a/polkit.spec b/polkit.spec index 0f6877a..ad30329 100644 --- a/polkit.spec +++ b/polkit.spec @@ -1,4 +1,3 @@ -# NOTE: elogind also supported (--disable-libsystemd-login --enable-libelogind) # # Conditional build: %bcond_without apidocs # build without apidocs @@ -12,14 +11,13 @@ Summary: A framework for defining policy for system-wide components Summary(pl.UTF-8): Szkielet do definiowania polityki dla komponentów systemowych Name: polkit -Version: 0.114 +Version: 0.115 Release: 1 License: LGPL v2+ Group: Libraries Source0: https://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz -# Source0-md5: 93ff41874e7df8c62ed9e41893817f04 +# Source0-md5: f03b055d6ae5fc8eac76838c7d83d082 Patch0: systemd-fallback.patch -Patch1: %{name}-format.patch URL: https://www.freedesktop.org/wiki/Software/polkit BuildRequires: autoconf >= 2.60 BuildRequires: automake >= 1:1.7 @@ -128,7 +126,6 @@ Statyczne biblioteki PolicyKit. %if %{with consolekit} && (%{with systemd} || %{with elogind}) %patch0 -p1 %endif -%patch1 -p1 %build %{?with_apidocs:%{__gtkdocize}} diff --git a/systemd-fallback.patch b/systemd-fallback.patch index 90ef297..988d2a2 100644 --- a/systemd-fallback.patch +++ b/systemd-fallback.patch 
@@ -759,9 +759,8 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/Makefile.am polkit-0.113/src/polki #endif /* HAVE_LIBSYSTEMD */ g_assert (POLKIT_IS_UNIX_USER (user_for_subject)); -diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor.c ---- polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c 2015-06-06 01:24:06.000000000 +0200 -+++ polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor.c 2015-09-26 23:40:39.451918791 +0200 +--- polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor.c.orig 2018-06-26 15:17:52.000000000 +0200 ++++ polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor.c 2018-09-29 10:42:52.104190929 +0200 @@ -26,6 +26,12 @@ #include <string.h> #include <glib/gstdio.h> @@ -773,9 +772,9 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk +#endif /* HAVE_LIBSYSTEMD */ + #include <polkit/polkit.h> + #include <polkit/polkitprivate.h> #include "polkitbackendsessionmonitor.h" - -@@ -39,6 +45,88 @@ +@@ -40,6 +46,88 @@ * The #PolkitBackendSessionMonitor class is a utility class to track and monitor sessions. */ @@ -864,7 +863,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk struct _PolkitBackendSessionMonitor { GObject parent_instance; -@@ -48,6 +136,10 @@ +@@ -49,6 +137,10 @@ GKeyFile *database; GFileMonitor *database_monitor; time_t database_mtime; @@ -875,7 +874,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk }; struct _PolkitBackendSessionMonitorClass -@@ -70,6 +162,18 @@ +@@ -71,6 +163,18 @@ /* ---------------------------------------------------------------------------------------------------- */ 
@@ -894,7 +893,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk static gboolean reload_database (PolkitBackendSessionMonitor *monitor, GError **error) -@@ -176,31 +280,47 @@ +@@ -177,31 +281,47 @@ g_error_free (error); } @@ -961,7 +960,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk } } -@@ -218,6 +338,12 @@ +@@ -219,6 +339,12 @@ if (monitor->database != NULL) g_key_file_free (monitor->database); 
@@ -974,57 +973,42 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk if (G_OBJECT_CLASS (polkit_backend_session_monitor_parent_class)->finalize != NULL) G_OBJECT_CLASS (polkit_backend_session_monitor_parent_class)->finalize (object); } -@@ -310,22 +436,38 @@ +@@ -332,6 +458,26 @@ } else if (POLKIT_IS_UNIX_SESSION (subject)) { -- if (!ensure_database (monitor, error)) +#ifdef HAVE_LIBSYSTEMD + if (monitor->sd_source != NULL) - { -- g_prefix_error (error, "Error getting user for session: Error ensuring CK database at " CKDB_PATH ": "); -- goto out; -+ if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0) -+ { -+ g_set_error (error, -+ POLKIT_ERROR, -+ POLKIT_ERROR_FAILED, -+ "Error getting uid for session"); -+ goto out; -+ } - } -- -- group = g_strdup_printf ("Session %s", polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject))); -- local_error = NULL; -- uid = g_key_file_get_integer (monitor->database, group, "uid", &local_error); -- if (local_error != NULL) ++ { ++ uid_t uid; ++ ++ if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0) ++ { ++ g_set_error (error, ++ POLKIT_ERROR, ++ POLKIT_ERROR_FAILED, ++ "Error getting uid for session"); ++ goto out; ++ } ++ ++ ret = polkit_unix_user_new (uid); ++ matches = TRUE; ++ } + else +#endif /* HAVE_LIBSYSTEMD */ - { -- g_propagate_prefixed_error (error, local_error, "Error getting uid using " CKDB_PATH ": "); -+ if (!ensure_database (monitor, error)) -+ { -+ g_prefix_error (error, "Error getting user for session: Error ensuring CK database at " CKDB_PATH ": "); -+ goto out; -+ } -+ -+ group = g_strdup_printf ("Session %s", polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject))); -+ local_error = NULL; -+ uid = g_key_file_get_integer (monitor->database, group, "uid", &local_error); -+ if (local_error != NULL) -+ { -+ g_propagate_prefixed_error (error, local_error, 
"Error getting uid using " CKDB_PATH ": "); -+ g_free (group); -+ goto out; -+ } - g_free (group); -- goto out; - } -- g_free (group); ++ { + gint uid; + gchar *group; + +@@ -354,6 +500,7 @@ ret = polkit_unix_user_new (uid); + matches = TRUE; ++ } } -@@ -349,35 +491,26 @@ + + out: +@@ -379,35 +526,26 @@ PolkitSubject *subject, GError **error) { @@ -1076,7 +1060,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk GVariant *result; result = g_dbus_connection_call_sync (monitor->system_bus, -@@ -395,23 +528,7 @@ +@@ -425,23 +563,7 @@ goto out; g_variant_get (result, "(u)", &pid); g_variant_unref (result); @@ -1101,7 +1085,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk } else { -@@ -420,8 +537,57 @@ +@@ -450,8 +572,57 @@ POLKIT_ERROR_NOT_SUPPORTED, "Cannot get user for subject of type %s", g_type_name (G_TYPE_FROM_INSTANCE (subject))); @@ -1159,7 +1143,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk out: return session; -@@ -472,7 +638,22 @@ +@@ -502,7 +673,22 @@ polkit_backend_session_monitor_is_session_local (PolkitBackendSessionMonitor *monitor, PolkitSubject *session) { @@ -1183,7 +1167,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk } -@@ -480,6 +661,44 @@ +@@ -510,6 +696,44 @@ polkit_backend_session_monitor_is_session_active (PolkitBackendSessionMonitor *monitor, PolkitSubject *session) { 
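Review bot: The logind arm added to the `POLKIT_IS_UNIX_SESSION` branch discards the negative errno-style value that `sd_session_get_uid()` returns, so the `POLKIT_ERROR_FAILED` it sets reads the same for an unknown session id as for a logind failure. Keeping the return value and reporting it, for example `r = sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid);` followed by `"Error getting uid for session: %s", g_strerror (-r)`, would make a failed authorization easier to triage for whoever receives the GError. The enclosing function polkit_backend_session_monitor_get_user_for_subject starts and ends outside this hunk, so the declaration of `r` would sit next to the `uid_t uid;` added here.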
@@ -1229,10 +1213,9 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk + return get_boolean (monitor, session, "is_active"); } -diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-systemd.c polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor-systemd.c ---- polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-systemd.c 2015-06-19 22:31:02.000000000 +0200 -+++ polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor-systemd.c 1970-01-01 01:00:00.000000000 +0100 -@@ -1,425 +0,0 @@ +--- polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor-systemd.c.orig 2018-09-29 09:48:19.240894967 +0200 ++++ polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor-systemd.c 1970-01-01 01:00:00.000000000 +0100 +@@ -1,455 +0,0 @@ -/* - * Copyright (C) 2011 Red Hat, Inc. - * @@ -1264,6 +1247,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system -#include <stdlib.h> - -#include <polkit/polkit.h> +-#include <polkit/polkitprivate.h> -#include "polkitbackendsessionmonitor.h" - -/* <internal> 
@@ -1481,26 +1465,40 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system - * polkit_backend_session_monitor_get_user: - * @monitor: A #PolkitBackendSessionMonitor. - * @subject: A #PolkitSubject. +- * @result_matches: If not %NULL, set to indicate whether the return value matches current (RACY) state. - * @error: Return location for error. - * - * Gets the user corresponding to @subject or %NULL if no user exists. - * +- * NOTE: For a #PolkitUnixProcess, the UID is read from @subject (which may +- * come from e.g. a D-Bus client), so it may not correspond to the actual UID +- * of the referenced process (at any point in time). This is indicated by +- * setting @result_matches to %FALSE; the caller may reject such subjects or +- * require additional privileges. @result_matches == %TRUE only indicates that +- * the UID matched the underlying process at ONE point in time, it may not match +- * later. +- * - * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref(). - */ -PolkitIdentity * -polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor, - PolkitSubject *subject, +- gboolean *result_matches, - GError **error) -{ - PolkitIdentity *ret; -- guint32 uid; +- gboolean matches; - - ret = NULL; +- matches = FALSE; - - if (POLKIT_IS_UNIX_PROCESS (subject)) - { -- uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); -- if ((gint) uid == -1) +- gint subject_uid, current_uid; +- GError *local_error; +- +- subject_uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)); +- if (subject_uid == -1) - { - g_set_error (error, - POLKIT_ERROR, 
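Review bot: Nothing in the patch records that, once polkitbackendsessionmonitor-systemd.c is deleted, the `result_matches` handling shown in these removed lines survives only in the merged polkitbackendsessionmonitor.c. The deleted 0.115 file compares the subject's UID with `polkit_unix_process_get_racy_uid__()` (the code continues in the following hunks at 1508 and 1527), which appears to be the behaviour the CVE-2018-1116 update brings. The Unix-process branch of the merged file is not touched by any hunk visible here, so its equivalent check is presumably upstream's and should be confirmed on each rebase. A header comment in systemd-fallback.patch such as `# the removed -systemd.c monitor carried the racy-UID check; polkitbackendsessionmonitor.c must keep result_matches for every subject type` would keep a later rebase from dropping it silently.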
@@ -1508,14 +1506,24 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system - "Unix process subject does not have uid set"); - goto out; - } -- ret = polkit_unix_user_new (uid); +- local_error = NULL; +- current_uid = polkit_unix_process_get_racy_uid__ (POLKIT_UNIX_PROCESS (subject), &local_error); +- if (local_error != NULL) +- { +- g_propagate_error (error, local_error); +- goto out; +- } +- ret = polkit_unix_user_new (subject_uid); +- matches = (subject_uid == current_uid); - } - else if (POLKIT_IS_SYSTEM_BUS_NAME (subject)) - { - ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error); +- matches = TRUE; - } - else if (POLKIT_IS_UNIX_SESSION (subject)) - { +- uid_t uid; - - if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0) - { @@ -1527,9 +1535,14 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system - } - - ret = polkit_unix_user_new (uid); +- matches = TRUE; - } - - out: +- if (result_matches != NULL) +- { +- *result_matches = matches; +- } - return ret; -} - ================================================================ ---- gitweb: http://git.pld-linux.org/gitweb.cgi/packages/polkit.git/commitdiff/4e85edc68e217e508a991e32f86163c72dc8d0cb _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit