* [PATCH] Polkit should use cryptographically strong cookies
@ 2016-02-24 15:40 Andy Wingo
0 siblings, 0 replies; 2+ messages in thread
From: Andy Wingo @ 2016-02-24 15:40 UTC (permalink / raw)
To: guix-devel; +Cc: walters, mitr
[-- Attachment #1: Type: text/plain, Size: 1041 bytes --]
Hi,
[Adding Colin and Miloslav onto Cc as they landed the change in polkit
that this patch modifies.]
Our polkit installation broke when we upgraded to 0.113 because of a bug
introduced when addressing a CVE:
https://bugs.freedesktop.org/show_bug.cgi?id=90837#c20
I created this bug to address the issue:
https://bugs.freedesktop.org/show_bug.cgi?id=94269
The issue includes this patch which fixes the issue for me:
https://github.com/wingo/polkit/commit/4c9a813f3fc1ada4fcce508d286e95f965a3002a
That patch is against polkit master. This one is against 0.113:
https://github.com/wingo/polkit/commit/2b451ebf25f3d3f3f33c693213851a9ca45f1869
I admit still have a hard time understanding polkit's security model
around cookies, so I definitely need some review. Maybe Mark, if you
have any moments? Attached a patch to Guix to update our package to
include this patch. I verify that it fixes the authentication problem
described in the original bug, but it needs more review :)
Thanks in advance for the scrutiny,
Andy
[-- Attachment #2: 0001-gnu-polkit-Fix-pkexec-authentication.patch --]
[-- Type: text/plain, Size: 1373 bytes --]
From 81192534597bffd5cb1237f2c84bc0619c1c0fc2 Mon Sep 17 00:00:00 2001
From: Andy Wingo <wingo@igalia.com>
Date: Wed, 24 Feb 2016 16:31:34 +0100
Subject: [PATCH] gnu: polkit: Fix pkexec authentication
* gnu/packages/polkit.scm (polkit): Add patch from
https://bugs.freedesktop.org/show_bug.cgi?id=94269.
---
gnu/packages/polkit.scm | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index 0a4f70f..6adad30 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -48,7 +48,16 @@
(sha256
(base32
"109w86kfqrgz83g9ivggplmgc77rz8kx8646izvm2jb57h4rbh71"))
- (patches (list (search-patch "polkit-drop-test.patch")))
+ (patches
+ (list (search-patch "polkit-drop-test.patch")
+ (origin
+ (method url-fetch)
+ (uri "https://github.com/wingo/polkit/commit/\
+2b451ebf25f3d3f3f33c693213851a9ca45f1869.patch")
+ (sha256
+ (base32
+ "1dnix2pl9vj6gdv9rz0ja3gbijm632lfx7i0sbs0k8h358p06gpw"))
+ (file-name "polkit-cryptographically-strong-cookies.patch"))))
(modules '((guix build utils)))
(snippet
'(begin
--
2.6.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH] Polkit should use cryptographically strong cookies
@ 2016-02-24 15:40 Andy Wingo
0 siblings, 0 replies; 2+ messages in thread
From: Andy Wingo @ 2016-02-24 15:40 UTC (permalink / raw)
To: guix-devel; +Cc: walters, mitr
[-- Attachment #1: Type: text/plain, Size: 1041 bytes --]
Hi,
[Adding Colin and Miloslav onto Cc as they landed the change in polkit
that this patch modifies.]
Our polkit installation broke when we upgraded to 0.113 because of a bug
introduced when addressing a CVE:
https://bugs.freedesktop.org/show_bug.cgi?id=90837#c20
I created this bug to address the issue:
https://bugs.freedesktop.org/show_bug.cgi?id=94269
The issue includes this patch which fixes the issue for me:
https://github.com/wingo/polkit/commit/4c9a813f3fc1ada4fcce508d286e95f965a3002a
That patch is against polkit master. This one is against 0.113:
https://github.com/wingo/polkit/commit/2b451ebf25f3d3f3f33c693213851a9ca45f1869
I admit still have a hard time understanding polkit's security model
around cookies, so I definitely need some review. Maybe Mark, if you
have any moments? Attached a patch to Guix to update our package to
include this patch. I verify that it fixes the authentication problem
described in the original bug, but it needs more review :)
Thanks in advance for the scrutiny,
Andy
[-- Attachment #2: 0001-gnu-polkit-Fix-pkexec-authentication.patch --]
[-- Type: text/plain, Size: 1373 bytes --]
From 81192534597bffd5cb1237f2c84bc0619c1c0fc2 Mon Sep 17 00:00:00 2001
From: Andy Wingo <wingo@igalia.com>
Date: Wed, 24 Feb 2016 16:31:34 +0100
Subject: [PATCH] gnu: polkit: Fix pkexec authentication
* gnu/packages/polkit.scm (polkit): Add patch from
https://bugs.freedesktop.org/show_bug.cgi?id=94269.
---
gnu/packages/polkit.scm | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index 0a4f70f..6adad30 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -48,7 +48,16 @@
(sha256
(base32
"109w86kfqrgz83g9ivggplmgc77rz8kx8646izvm2jb57h4rbh71"))
- (patches (list (search-patch "polkit-drop-test.patch")))
+ (patches
+ (list (search-patch "polkit-drop-test.patch")
+ (origin
+ (method url-fetch)
+ (uri "https://github.com/wingo/polkit/commit/\
+2b451ebf25f3d3f3f33c693213851a9ca45f1869.patch")
+ (sha256
+ (base32
+ "1dnix2pl9vj6gdv9rz0ja3gbijm632lfx7i0sbs0k8h358p06gpw"))
+ (file-name "polkit-cryptographically-strong-cookies.patch"))))
(modules '((guix build utils)))
(snippet
'(begin
--
2.6.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-02-24 15:40 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-24 15:40 [PATCH] Polkit should use cryptographically strong cookies Andy Wingo
-- strict thread matches above, loose matches on Subject: below --
2016-02-24 15:40 Andy Wingo
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).