From: Andy Wingo <wingo@igalia.com>
To: guix-devel@gnu.org
Cc: walters@redhat.com, mitr@redhat.com
Subject: [PATCH] Polkit should use cryptographically strong cookies
Date: Wed, 24 Feb 2016 16:40:14 +0100 [thread overview]
Message-ID: <874mcyf76p.fsf@pobox.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 1041 bytes --]
Hi,
[Adding Colin and Miloslav onto Cc as they landed the change in polkit
that this patch modifies.]
Our polkit installation broke when we upgraded to 0.113 because of a bug
introduced when addressing a CVE:
https://bugs.freedesktop.org/show_bug.cgi?id=90837#c20
I created this bug to address the issue:
https://bugs.freedesktop.org/show_bug.cgi?id=94269
The issue includes this patch which fixes the issue for me:
https://github.com/wingo/polkit/commit/4c9a813f3fc1ada4fcce508d286e95f965a3002a
That patch is against polkit master. This one is against 0.113:
https://github.com/wingo/polkit/commit/2b451ebf25f3d3f3f33c693213851a9ca45f1869
I admit still have a hard time understanding polkit's security model
around cookies, so I definitely need some review. Maybe Mark, if you
have any moments? Attached a patch to Guix to update our package to
include this patch. I verify that it fixes the authentication problem
described in the original bug, but it needs more review :)
Thanks in advance for the scrutiny,
Andy
[-- Attachment #2: 0001-gnu-polkit-Fix-pkexec-authentication.patch --]
[-- Type: text/plain, Size: 1373 bytes --]
From 81192534597bffd5cb1237f2c84bc0619c1c0fc2 Mon Sep 17 00:00:00 2001
From: Andy Wingo <wingo@igalia.com>
Date: Wed, 24 Feb 2016 16:31:34 +0100
Subject: [PATCH] gnu: polkit: Fix pkexec authentication
* gnu/packages/polkit.scm (polkit): Add patch from
https://bugs.freedesktop.org/show_bug.cgi?id=94269.
---
gnu/packages/polkit.scm | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index 0a4f70f..6adad30 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -48,7 +48,16 @@
(sha256
(base32
"109w86kfqrgz83g9ivggplmgc77rz8kx8646izvm2jb57h4rbh71"))
- (patches (list (search-patch "polkit-drop-test.patch")))
+ (patches
+ (list (search-patch "polkit-drop-test.patch")
+ (origin
+ (method url-fetch)
+ (uri "https://github.com/wingo/polkit/commit/\
+2b451ebf25f3d3f3f33c693213851a9ca45f1869.patch")
+ (sha256
+ (base32
+ "1dnix2pl9vj6gdv9rz0ja3gbijm632lfx7i0sbs0k8h358p06gpw"))
+ (file-name "polkit-cryptographically-strong-cookies.patch"))))
(modules '((guix build utils)))
(snippet
'(begin
--
2.6.3
next reply other threads:[~2016-02-24 15:40 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-24 15:40 Andy Wingo [this message]
-- strict thread matches above, loose matches on Subject: below --
2016-02-24 15:40 [PATCH] Polkit should use cryptographically strong cookies Andy Wingo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874mcyf76p.fsf@pobox.com \
--to=wingo@igalia.com \
--cc=guix-devel@gnu.org \
--cc=mitr@redhat.com \
--cc=walters@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.