From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp10.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id mEYrNxo38WFZCwEAgWs5BA (envelope-from ) for ; Wed, 26 Jan 2022 12:57:14 +0100 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp10.migadu.com with LMTPS id YNo8Lho38WFYLwAAG6o9tA (envelope-from ) for ; Wed, 26 Jan 2022 12:57:14 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E89C92EA19 for ; Wed, 26 Jan 2022 12:57:13 +0100 (CET) Received: from localhost ([::1]:36268 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nCgvI-0001E6-UI for larch@yhetil.org; Wed, 26 Jan 2022 06:57:12 -0500 Received: from eggs.gnu.org ([209.51.188.92]:36570) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nCgv9-0001Dt-7o for guix-patches@gnu.org; Wed, 26 Jan 2022 06:57:03 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:58210) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1nCgv8-0006c2-MK for guix-patches@gnu.org; Wed, 26 Jan 2022 06:57:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1nCgv8-0004bF-Hn for guix-patches@gnu.org; Wed, 26 Jan 2022 06:57:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#53549] [PATCH] gnu: polkit: Fix CVE-2021-4034. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 26 Jan 2022 11:57:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 53549 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 53549@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.164319820617658 (code B ref -1); Wed, 26 Jan 2022 11:57:02 +0000 Received: (at submit) by debbugs.gnu.org; 26 Jan 2022 11:56:46 +0000 Received: from localhost ([127.0.0.1]:51113 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nCguk-0004aa-Jo for submit@debbugs.gnu.org; Wed, 26 Jan 2022 06:56:46 -0500 Received: from lists.gnu.org ([209.51.188.17]:38360) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1nCguh-0004aS-W7 for submit@debbugs.gnu.org; Wed, 26 Jan 2022 06:56:36 -0500 Received: from eggs.gnu.org ([209.51.188.92]:36320) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nCguh-0001Bk-Ol for guix-patches@gnu.org; Wed, 26 Jan 2022 06:56:35 -0500 Received: from [2001:470:142:3::e] (port=57110 helo=fencepost.gnu.org) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nCguh-0006XI-FA; Wed, 26 Jan 2022 06:56:35 -0500 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:Subject:To:From:in-reply-to: references; bh=LlFGjKWLbEByaf73i4fh+tMo9Rq+crJdWrXaN7N+yGw=; b=Yf1/ItgTHPWmRO STzBPWzYYnyS8chYzd5cGdZFjCLsBEMP7THtBwGY+mInwrBpHi4jkiNWH/j8OqifDLZxgozlO9Hwj wIaWT3r/5YUXhlT50x+yJr7v3g5Ed3uFcjKleJs7e7lJovu2vgpSBicpB09D9kuR9fHqTik1A38ig sYpgr7gUDMzbNAJur7UTcLhlVBUycNVIfLg9ZVa2LqJP2ZsEHgW9hPxEYUX8ZXKeXQUxqp7JRruJO RyXy3iBJKq8yz3sHhJawQVnKPjrrBxoPc9Ov4Cr+gumGkj4xGGtM8CAHpdWzMEwbwTxFJq/0cYtpm u/+nfLqSX8cQX+E0WY9w==; Received: from 91-160-117-201.subs.proxad.net ([91.160.117.201]:60146 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1nCgug-0005SU-EH; Wed, 26 Jan 2022 06:56:35 -0500 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Wed, 26 Jan 2022 12:56:24 +0100 Message-Id: <20220126115624.31260-1-ludo@gnu.org> X-Mailer: git-send-email 2.34.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1643198234; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=LlFGjKWLbEByaf73i4fh+tMo9Rq+crJdWrXaN7N+yGw=; b=UcOZMVrWZ/BbyzBGpf0+cu+XECzMLIHA8w46anKtbQoPfZb0meyVNeRrYFbrNUFA65Vy1f qEl9Av3L3uQrKemX7NO4Bk9JWy6nsDzaC84RIGON/Q/2nPqv5B3s08SzjDk34pC+7F/A+3 tpeeNRzn3QceBlKmN2fsaabO1vNLvWt5EAWMjfvljqAbhlGIxjoNgVtsS7HqHA8p+LOIov VCL4KKEeWsyGDmR9+xMtLGbY7CUSS/hF004qFtQXPpFFL6E0xKKGFdtG8S3v1hl3bDrXr2 a66SWsGYlcFoerBElEV4yd+uVCJolQ14WFpiaOkgZsriZYA3vQD5p6Su4ByKRw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1643198234; a=rsa-sha256; cv=none; b=QJQb4pqV9ngf/vu1LIabu9hJhqieo/fLaxJ3Oa86p8IqdxvknyBQcMfFrSoAjjwx6m9MU7 LV9nIrktFa6hcSa9gaLM+/VFeOvL5ivwneRm/HXNzUNoIRG8LquDIq2Fue7E6iurFi6Ied 28zz26QAf9w1yltNGIi/YRSqpU77a0lISJ7WYb4MYgw7MONwVcS9kkEfmbDnQQ4p1LSQY8 1XqqcmojdEJP0r3a9FRiZzg/2DuDkosyoJDFpXDAX1BoQu080uGtk3Tro9L5k/xztWqqhw eLNUtQwZPi81BStvgWLHGHjLhiT7mnqh7O3BDCSu7iWngP0WUhEdAb3LcgPe1g== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gnu.org header.s=fencepost-gnu-org header.b="Yf1/ItgT"; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: -3.03 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gnu.org header.s=fencepost-gnu-org header.b="Yf1/ItgT"; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of "guix-patches-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-patches-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: E89C92EA19 X-Spam-Score: -3.03 X-Migadu-Scanner: scn1.migadu.com X-TUID: 7uw5NWxN4osX * gnu/packages/patches/polkit-CVE-2021-4034.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/polkit.scm (polkit-mozjs)[replacement]: New field. * gnu/packages/polkit.scm (polkit-mozjs/fixed): New variable. --- gnu/local.mk | 1 + .../patches/polkit-CVE-2021-4034.patch | 82 +++++++++++++++++++ gnu/packages/polkit.scm | 13 ++- 3 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/polkit-CVE-2021-4034.patch Hi! We could avoid grafting and instead use 'polkit/fixed' in 'setuid-programs', but it seems safer and less error-prone to graft. Thoughts? Ludo'. diff --git a/gnu/local.mk b/gnu/local.mk index dceaa53145..eb07842775 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1645,6 +1645,7 @@ dist_patch_DATA = \ %D%/packages/patches/plib-CVE-2011-4620.patch \ %D%/packages/patches/plib-CVE-2012-4552.patch \ %D%/packages/patches/plotutils-spline-test.patch \ + %D%/packages/patches/polkit-CVE-2021-4034.patch \ %D%/packages/patches/polkit-configure-elogind.patch \ %D%/packages/patches/polkit-use-duktape.patch \ %D%/packages/patches/portaudio-audacity-compat.patch \ diff --git a/gnu/packages/patches/polkit-CVE-2021-4034.patch b/gnu/packages/patches/polkit-CVE-2021-4034.patch new file mode 100644 index 0000000000..ca766cb3be --- /dev/null +++ b/gnu/packages/patches/polkit-CVE-2021-4034.patch @@ -0,0 +1,82 @@ +Fixes CVE-2021-4034, local privilege escalation with 'pkexec': + + https://www.openwall.com/lists/oss-security/2022/01/25/11 + +Patch from . + +From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001 +From: Jan Rybar +Date: Tue, 25 Jan 2022 17:21:46 +0000 +Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034) + +--- + src/programs/pkcheck.c | 5 +++++ + src/programs/pkexec.c | 23 ++++++++++++++++++++--- + 2 files changed, 25 insertions(+), 3 deletions(-) + +diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c +index f1bb4e1..768525c 100644 +--- a/src/programs/pkcheck.c ++++ b/src/programs/pkcheck.c +@@ -363,6 +363,11 @@ main (int argc, char *argv[]) + local_agent_handle = NULL; + ret = 126; + ++ if (argc < 1) ++ { ++ exit(126); ++ } ++ + /* Disable remote file access from GIO. */ + setenv ("GIO_USE_VFS", "local", 1); + +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 7698c5c..84e5ef6 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -488,6 +488,15 @@ main (int argc, char *argv[]) + pid_t pid_of_caller; + gpointer local_agent_handle; + ++ ++ /* ++ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out. ++ */ ++ if (argc<1) ++ { ++ exit(127); ++ } ++ + ret = 127; + authority = NULL; + subject = NULL; +@@ -614,10 +623,10 @@ main (int argc, char *argv[]) + + path = g_strdup (pwstruct.pw_shell); + if (!path) +- { ++ { + g_printerr ("No shell configured or error retrieving pw_shell\n"); + goto out; +- } ++ } + /* If you change this, be sure to change the if (!command_line) + case below too */ + command_line = g_strdup (path); +@@ -636,7 +645,15 @@ main (int argc, char *argv[]) + goto out; + } + g_free (path); +- argv[n] = path = s; ++ path = s; ++ ++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. ++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination ++ */ ++ if (argv[n] != NULL) ++ { ++ argv[n] = path; ++ } + } + if (access (path, F_OK) != 0) + { diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm index e4f4b1276f..1ae94be751 100644 --- a/gnu/packages/polkit.scm +++ b/gnu/packages/polkit.scm @@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2014 Andreas Enge ;;; Copyright © 2015 Andy Wingo -;;; Copyright © 2015, 2021 Ludovic Courtès +;;; Copyright © 2015, 2021-2022 Ludovic Courtès ;;; Copyright © 2015 Mark H Weaver ;;; Copyright © 2016 Efraim Flashner ;;; Copyright © 2017 Huang Ying @@ -54,6 +54,7 @@ (define-public polkit-mozjs (package (name "polkit") (version "0.120") + (replacement polkit-mozjs/fixed) (source (origin (method url-fetch) (uri (string-append @@ -146,6 +147,16 @@ (define-public polkit-mozjs for unprivileged applications.") (license lgpl2.0+))) +(define-public polkit-mozjs/fixed + (package + (inherit polkit-mozjs) + (version "0.121") + (source (origin + (inherit (package-source polkit-mozjs)) + (patches (cons (search-patch "polkit-CVE-2021-4034.patch") + (origin-patches + (package-source polkit-mozjs)))))))) + ;;; Variant of polkit built with Duktape, a lighter JavaScript engine compared ;;; to mozjs. (define-public polkit-duktape base-commit: 1402c6abe150ced4cbb4fa0721fe7c8796fe2c38 prerequisite-patch-id: 6ecfe5930fe8847a954c16425713d4a6ac515a04 -- 2.34.0