Bug#726558: pu: package policykit-1/0.105-3+deb7u1
On Thu, Jan 22, 2015 at 11:43:05PM +0100, Michael Biebl wrote: Am 17.01.2015 um 12:46 schrieb Adam D. Barratt: On 2014-09-20 17:29, Julien Cristau wrote: Control: tag -1 confirmed On Wed, Oct 16, 2013 at 18:41:29 +0200, Michael Biebl wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu As discussed in [1], I'd like to upload a fix for CVE-2013-4288 for policykit-1 to stable. The patch itself has been applied to the unstable version as well (in 0.105-3+nmu1). Please let me know if I can proceed with the stable upload to get this fix into 7.3. [a year passes...] Hi Michael, if this is still on the cards and the libvirt maintainer is still interested please go ahead with an upload. Any news on this? Guido, as libvirt maintainer, do you still need an update of the policykit-1 package regarding this issue? Since newer libvirt has polkit enabed by default this currently affects the wheezy-backports so in case the fix is already prepared this would be awesome. Cheers, -- Guido -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#726558: pu: package policykit-1/0.105-3+deb7u1
Am 17.01.2015 um 12:46 schrieb Adam D. Barratt: On 2014-09-20 17:29, Julien Cristau wrote: Control: tag -1 confirmed On Wed, Oct 16, 2013 at 18:41:29 +0200, Michael Biebl wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu As discussed in [1], I'd like to upload a fix for CVE-2013-4288 for policykit-1 to stable. The patch itself has been applied to the unstable version as well (in 0.105-3+nmu1). Please let me know if I can proceed with the stable upload to get this fix into 7.3. [a year passes...] Hi Michael, if this is still on the cards and the libvirt maintainer is still interested please go ahead with an upload. Any news on this? Guido, as libvirt maintainer, do you still need an update of the policykit-1 package regarding this issue? -- Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth? signature.asc Description: OpenPGP digital signature
Bug#726558: pu: package policykit-1/0.105-3+deb7u1
On 2014-09-20 17:29, Julien Cristau wrote: Control: tag -1 confirmed On Wed, Oct 16, 2013 at 18:41:29 +0200, Michael Biebl wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu As discussed in [1], I'd like to upload a fix for CVE-2013-4288 for policykit-1 to stable. The patch itself has been applied to the unstable version as well (in 0.105-3+nmu1). Please let me know if I can proceed with the stable upload to get this fix into 7.3. [a year passes...] Hi Michael, if this is still on the cards and the libvirt maintainer is still interested please go ahead with an upload. Any news on this? Regards, Adam -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#726558: pu: package policykit-1/0.105-3+deb7u1
Hi Michael, On Sat, Sep 20, 2014 at 06:29:52PM +0200, Julien Cristau wrote: Control: tag -1 confirmed On Wed, Oct 16, 2013 at 18:41:29 +0200, Michael Biebl wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu As discussed in [1], I'd like to upload a fix for CVE-2013-4288 for policykit-1 to stable. The patch itself has been applied to the unstable version as well (in 0.105-3+nmu1). Please let me know if I can proceed with the stable upload to get this fix into 7.3. [a year passes...] Hi Michael, if this is still on the cards and the libvirt maintainer is still interested please go ahead with an upload. ping? I was looking into the open CVEs for libvirt, and stumbled over this one. Is this still planned or was there some followup issues? I concretely was looking at CVE-2013-4311/libvirt which since 0.9.12.3-1 has sourcewise support for 3-arg pkcheck syntax, but needs accordingly an updated policykit-1 and an according rebuild to be fixed. Regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#726558: pu: package policykit-1/0.105-3+deb7u1
Hi On Sat, Sep 27, 2014 at 08:20:32AM +0200, Salvatore Bonaccorso wrote: Hi Michael, On Sat, Sep 20, 2014 at 06:29:52PM +0200, Julien Cristau wrote: Control: tag -1 confirmed On Wed, Oct 16, 2013 at 18:41:29 +0200, Michael Biebl wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu As discussed in [1], I'd like to upload a fix for CVE-2013-4288 for policykit-1 to stable. The patch itself has been applied to the unstable version as well (in 0.105-3+nmu1). Please let me know if I can proceed with the stable upload to get this fix into 7.3. [a year passes...] Hi Michael, if this is still on the cards and the libvirt maintainer is still interested please go ahead with an upload. ping? I was looking into the open CVEs for libvirt, and stumbled over this one. Is this still planned or was there some followup issues? As said on IRC, I overlooked the date when Julien had sent the ping. Sorry about that, should have paid more attention to this. Once policykit-1 would be in stable where will be neede a rebuild of libvirt for having that fixed also on libvirt's side. Additionally though a libvirt upload to wheezy-security is also planned for CVE-2014-3633. Regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#726558: pu: package policykit-1/0.105-3+deb7u1
Control: tag -1 confirmed On Wed, Oct 16, 2013 at 18:41:29 +0200, Michael Biebl wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu As discussed in [1], I'd like to upload a fix for CVE-2013-4288 for policykit-1 to stable. The patch itself has been applied to the unstable version as well (in 0.105-3+nmu1). Please let me know if I can proceed with the stable upload to get this fix into 7.3. [a year passes...] Hi Michael, if this is still on the cards and the libvirt maintainer is still interested please go ahead with an upload. Thanks, Julien signature.asc Description: Digital signature
Bug#726558: pu: package policykit-1/0.105-3+deb7u1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: pu As discussed in [1], I'd like to upload a fix for CVE-2013-4288 for policykit-1 to stable. The patch itself has been applied to the unstable version as well (in 0.105-3+nmu1). Please let me know if I can proceed with the stable upload to get this fix into 7.3. Full debdiff is attached. Regards, Michael [1] https://lists.debian.org/debian-release/2013/10/msg00604.html -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (200, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash diff --git a/debian/changelog b/debian/changelog index c3ab45b..1644c95 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +policykit-1 (0.105-3+deb7u1) stable; urgency=low + + * Fix CVE-2013-4288: race condition in pkcheck. (Closes: #723717) + + -- Michael Biebl bi...@debian.org Wed, 16 Oct 2013 18:35:01 +0200 + policykit-1 (0.105-3) unstable; urgency=low * 07_set-XAUTHORITY-environment-variable-if-unset.patch: Set XAUTHORITY diff --git a/debian/gbp.conf b/debian/gbp.conf index c31be83..a475fbf 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,3 +1,3 @@ [DEFAULT] pristine-tar = True -debian-branch = master +debian-branch = wheezy diff --git a/debian/patches/cve-2013-4288.patch b/debian/patches/cve-2013-4288.patch new file mode 100644 index 000..2aad36c --- /dev/null +++ b/debian/patches/cve-2013-4288.patch @@ -0,0 +1,115 @@ +From 52c927893a2ab135462b616c2e00fec377da9885 Mon Sep 17 00:00:00 2001 +From: Colin Walters walt...@verbum.org +Date: Mon, 19 Aug 2013 12:16:11 -0400 +Subject: [PATCH 2/4] pkcheck: Support --process=pid,start-time,uid syntax too + +The uid is a new addition; this allows callers such as libvirt to +close a race condition in reading the uid of the process talking to +them. They can read it via getsockopt(SO_PEERCRED) or equivalent, +rather than having pkcheck look at /proc later after the fact. + +Programs which invoke pkcheck but need to know beforehand (i.e. at +compile time) whether or not it supports passing the uid can +use: + +pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1) +test x$pkcheck_supports_uid = xyes +--- + data/polkit-gobject-1.pc.in |3 +++ + docs/man/pkcheck.xml| 29 - + src/programs/pkcheck.c |9 +++-- + 3 files changed, 30 insertions(+), 11 deletions(-) + +Index: policykit-1-0.105/data/polkit-gobject-1.pc.in +=== +--- policykit-1-0.105.orig/data/polkit-gobject-1.pc.in 2013-09-11 09:40:56.604225567 -0400 policykit-1-0.105/data/polkit-gobject-1.pc.in 2013-09-11 09:40:56.596225567 -0400 +@@ -11,3 +11,6 @@ + Libs: -L${libdir} -lpolkit-gobject-1 + Cflags: -I${includedir}/polkit-1 + Requires: gio-2.0 = 2.18 glib-2.0 = 2.18 ++# Programs using pkcheck can use this to determine ++# whether or not it can be passed a uid. ++pkcheck_supports_uid=true +Index: policykit-1-0.105/docs/man/pkcheck.xml +=== +--- policykit-1-0.105.orig/docs/man/pkcheck.xml 2013-09-11 09:40:56.604225567 -0400 policykit-1-0.105/docs/man/pkcheck.xml 2013-09-11 09:42:28.272223569 -0400 +@@ -55,6 +55,9 @@ + arg choice=plain + replaceablepid,pid-start-time/replaceable + /arg ++arg choice=plain ++ replaceablepid,pid-start-time,uid/replaceable ++/arg + /group + /arg + arg choice=plain +@@ -90,7 +93,7 @@ + titleDESCRIPTION/title + para + commandpkcheck/command is used to check whether a process, specified by +- either option--process/option or option--system-bus-name/option, ++ either option--process/option (see below) or option--system-bus-name/option, + is authorized for replaceableaction/replaceable. The option--detail/option + option can be used zero or more times to pass details about replaceableaction/replaceable. + If option--allow-user-interaction/option is passed, commandpkcheck/command blocks +@@ -160,17 +163,25 @@ + refsect1 id=pkcheck-notes + titleNOTES/title + para +- Since process identifiers can be recycled, the caller should always use +- replaceablepid,pid-start-time/replaceable to specify the process +- to check for authorization when using the option--process/option option. +- The value of replaceablepid-start-time/replaceable +- can be determined by consulting e.g. the ++ Do not use either the bare replaceablepid/replaceable or ++ replaceablepid,start-time/replaceable syntax forms for ++ option--process/option. There are race conditions in