From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andy Wingo Subject: [PATCH] Polkit should use cryptographically strong cookies Date: Wed, 24 Feb 2016 16:40:03 +0100 Message-ID: <8760xef770.fsf@pobox.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:56033) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aYbYR-0000zq-D9 for guix-devel@gnu.org; Wed, 24 Feb 2016 10:40:44 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aYbYM-0008LY-TA for guix-devel@gnu.org; Wed, 24 Feb 2016 10:40:43 -0500 Received: from pb-sasl0.int.icgroup.com ([208.72.237.25]:62579 helo=sasl.smtp.pobox.com) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aYbYM-0008JS-QA for guix-devel@gnu.org; Wed, 24 Feb 2016 10:40:38 -0500 List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: guix-devel@gnu.org Cc: walters@redhat.com, mitr@redhat.com --=-=-= Content-Type: text/plain Hi, [Adding Colin and Miloslav onto Cc as they landed the change in polkit that this patch modifies.] Our polkit installation broke when we upgraded to 0.113 because of a bug introduced when addressing a CVE: https://bugs.freedesktop.org/show_bug.cgi?id=90837#c20 I created this bug to address the issue: https://bugs.freedesktop.org/show_bug.cgi?id=94269 The issue includes this patch which fixes the issue for me: https://github.com/wingo/polkit/commit/4c9a813f3fc1ada4fcce508d286e95f965a3002a That patch is against polkit master. This one is against 0.113: https://github.com/wingo/polkit/commit/2b451ebf25f3d3f3f33c693213851a9ca45f1869 I admit still have a hard time understanding polkit's security model around cookies, so I definitely need some review. Maybe Mark, if you have any moments? Attached a patch to Guix to update our package to include this patch. I verify that it fixes the authentication problem described in the original bug, but it needs more review :) Thanks in advance for the scrutiny, Andy --=-=-= Content-Type: text/plain Content-Disposition: inline; filename=0001-gnu-polkit-Fix-pkexec-authentication.patch >From 81192534597bffd5cb1237f2c84bc0619c1c0fc2 Mon Sep 17 00:00:00 2001 From: Andy Wingo Date: Wed, 24 Feb 2016 16:31:34 +0100 Subject: [PATCH] gnu: polkit: Fix pkexec authentication * gnu/packages/polkit.scm (polkit): Add patch from https://bugs.freedesktop.org/show_bug.cgi?id=94269. --- gnu/packages/polkit.scm | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm index 0a4f70f..6adad30 100644 --- a/gnu/packages/polkit.scm +++ b/gnu/packages/polkit.scm @@ -48,7 +48,16 @@ (sha256 (base32 "109w86kfqrgz83g9ivggplmgc77rz8kx8646izvm2jb57h4rbh71")) - (patches (list (search-patch "polkit-drop-test.patch"))) + (patches + (list (search-patch "polkit-drop-test.patch") + (origin + (method url-fetch) + (uri "https://github.com/wingo/polkit/commit/\ +2b451ebf25f3d3f3f33c693213851a9ca45f1869.patch") + (sha256 + (base32 + "1dnix2pl9vj6gdv9rz0ja3gbijm632lfx7i0sbs0k8h358p06gpw")) + (file-name "polkit-cryptographically-strong-cookies.patch")))) (modules '((guix build utils))) (snippet '(begin -- 2.6.3 --=-=-=--