* [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
@ 2021-06-08 8:45 Ludovic Courtès
2021-06-08 17:52 ` Leo Famulari
0 siblings, 1 reply; 3+ messages in thread
From: Ludovic Courtès @ 2021-06-08 8:45 UTC (permalink / raw)
To: 48915; +Cc: Ludovic Courtès
* gnu/packages/patches/polkit-CVE-2021-3560.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/polkit.scm (polkit/fixed): New variable.
(polkit)[replacement]: New field.
---
gnu/local.mk | 1 +
.../patches/polkit-CVE-2021-3560.patch | 21 +++++++++++++++++++
gnu/packages/polkit.scm | 9 ++++++++
3 files changed, 31 insertions(+)
create mode 100644 gnu/packages/patches/polkit-CVE-2021-3560.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 0599df8968..42c5ee0d31 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1555,6 +1555,7 @@ dist_patch_DATA = \
%D%/packages/patches/plib-CVE-2011-4620.patch \
%D%/packages/patches/plib-CVE-2012-4552.patch \
%D%/packages/patches/plotutils-spline-test.patch \
+ %D%/packages/patches/polkit-CVE-2021-3560.patch \
%D%/packages/patches/portaudio-audacity-compat.patch \
%D%/packages/patches/portmidi-modular-build.patch \
%D%/packages/patches/postgresql-disable-resolve_symlinks.patch \
diff --git a/gnu/packages/patches/polkit-CVE-2021-3560.patch b/gnu/packages/patches/polkit-CVE-2021-3560.patch
new file mode 100644
index 0000000000..9aa0373fda
--- /dev/null
+++ b/gnu/packages/patches/polkit-CVE-2021-3560.patch
@@ -0,0 +1,21 @@
+This patch fixes CVE-2021-3560, "local privilege escalation using
+polkit_system_bus_name_get_creds_sync()":
+
+ https://www.openwall.com/lists/oss-security/2021/06/03/1
+
+Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a>.
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8daa12cb9093c1d765c7b83654a2b8d0d382378e..8ed13631508dd96624898df90ee2ece4dcf3e1e5 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+ g_main_context_iteration (tmp_context, TRUE);
+
++ if (data.caught_error)
++ goto out;
++
+ if (out_uid)
+ *out_uid = data.uid;
+ if (out_pid)
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index d868aceec2..fcd8633b7a 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -44,6 +44,7 @@
(package
(name "polkit")
(version "0.116")
+ (replacement polkit/fixed)
(source (origin
(method url-fetch)
(uri (string-append
@@ -135,6 +136,14 @@ making process with respect to granting access to privileged operations
for unprivileged applications.")
(license lgpl2.0+)))
+(define-public polkit/fixed
+ (package
+ (inherit polkit)
+ (version "0.11A") ;0.116 + patch
+ (source (origin
+ (inherit (package-source polkit))
+ (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
+
(define-public polkit-qt
(package
(name "polkit-qt")
--
2.31.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
2021-06-08 8:45 [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560 Ludovic Courtès
@ 2021-06-08 17:52 ` Leo Famulari
2021-06-08 21:32 ` Ludovic Courtès
0 siblings, 1 reply; 3+ messages in thread
From: Leo Famulari @ 2021-06-08 17:52 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: 48915
On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:
> +(define-public polkit/fixed
> + (package
> + (inherit polkit)
> + (version "0.11A") ;0.116 + patch
> + (source (origin
> + (inherit (package-source polkit))
> + (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
Typically, we don't change the version when creating replacement
packages that apply a patch. We only change the version when the
replacement package actually updates to a new version.
Thanks for taking care of this!
^ permalink raw reply [flat|nested] 3+ messages in thread
* [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
2021-06-08 17:52 ` Leo Famulari
@ 2021-06-08 21:32 ` Ludovic Courtès
0 siblings, 0 replies; 3+ messages in thread
From: Ludovic Courtès @ 2021-06-08 21:32 UTC (permalink / raw)
To: Leo Famulari; +Cc: 48915
Leo Famulari <leo@famulari.name> skribis:
> On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:
>> +(define-public polkit/fixed
>> + (package
>> + (inherit polkit)
>> + (version "0.11A") ;0.116 + patch
>> + (source (origin
>> + (inherit (package-source polkit))
>> + (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
>
> Typically, we don't change the version when creating replacement
> packages that apply a patch. We only change the version when the
> replacement package actually updates to a new version.
Pushed as 9178566954cc7f34d2d991d31df4565adad93508!
As discussed on IRC, I ended up making ‘polkit/fixed’ private, with the
version string unchanged (inherited from ‘polkit’).
We wondered whether Cuirass would build ‘polkit/fixed’ if it’s private.
Turns out it does, but this comment in (gnu ci) is still valid:
--8<---------------cut here---------------start------------->8---
(define (all-packages)
"Return the list of packages to build."
(define (adjust package result)
(cond ((package-replacement package)
;; XXX: If PACKAGE and its replacement have the same name/version,
;; then both Cuirass jobs will have the same name, which
;; effectively means that the second one will be ignored. Thus,
;; return the replacement first.
(cons* (package-replacement package) ;build both
package
result))
--8<---------------cut here---------------end--------------->8---
IOW, the replacement, and only the replacement, gets built.
The current ‘zstd’ replacement is private
<https://ci.guix.gnu.org/search?query=system%3Ax86_64-linux+spec%3Amaster+zstd>
only shows derivations for the replacement, not for the original one.
That’s okay though because the original one necessarily got built
earlier.
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-06-08 21:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-08 8:45 [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560 Ludovic Courtès
2021-06-08 17:52 ` Leo Famulari
2021-06-08 21:32 ` Ludovic Courtès
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.