GNU bug report logs -
#33651
[PATCH] gnu: polkit: Fix CVE-2018-19788.
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Thu, 6 Dec 2018 22:34:02 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 33651 in the body.
You can then email your comments to 33651 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#33651; Package
guix-patches.
(Thu, 06 Dec 2018 22:34:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Thu, 06 Dec 2018 22:34:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
* gnu/packages/patches/polkit-CVE-2018-19788.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/polkit.scm (polkit)[source]: Use it.
---
gnu/local.mk | 1 +
.../patches/polkit-CVE-2018-19788.patch | 197 ++++++++++++++++++
gnu/packages/polkit.scm | 1 +
3 files changed, 199 insertions(+)
create mode 100644 gnu/packages/patches/polkit-CVE-2018-19788.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index a35e5ae7e..cf1dcc2cc 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1063,6 +1063,7 @@ dist_patch_DATA = \
%D%/packages/patches/plink-endian-detection.patch \
%D%/packages/patches/plotutils-libpng-jmpbuf.patch \
%D%/packages/patches/podofo-cmake-3.12.patch \
+ %D%/packages/patches/polkit-CVE-2018-19788.patch \
%D%/packages/patches/poppler-CVE-2018-19149.patch \
%D%/packages/patches/portaudio-audacity-compat.patch \
%D%/packages/patches/portmidi-modular-build.patch \
diff --git a/gnu/packages/patches/polkit-CVE-2018-19788.patch b/gnu/packages/patches/polkit-CVE-2018-19788.patch
new file mode 100644
index 000000000..58cde6c5d
--- /dev/null
+++ b/gnu/packages/patches/polkit-CVE-2018-19788.patch
@@ -0,0 +1,197 @@
+Fix CVE-2018-19788:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19788
+https://gitlab.freedesktop.org/polkit/polkit/issues/74
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/polkit/polkit/commit/2cb40c4d5feeaa09325522bd7d97910f1b59e379
+
+From 2cb40c4d5feeaa09325522bd7d97910f1b59e379 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek <at> in.waw.pl>
+Date: Mon, 3 Dec 2018 10:28:58 +0100
+Subject: [PATCH] Allow negative uids/gids in PolkitUnixUser and Group objects
+
+(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
+there should be no users with such number, see
+https://systemd.io/UIDS-GIDS#special-linux-uids.
+
+(uid_t) -1 is used as the default value in class initialization.
+
+When a user or group above INT32_MAX is created, the numeric uid or
+gid wraps around to negative when the value is assigned to gint, and
+polkit gets confused. Let's accept such gids, except for -1.
+
+A nicer fix would be to change the underlying type to e.g. uint32 to
+not have negative values. But this cannot be done without breaking the
+API, so likely new functions will have to be added (a
+polkit_unix_user_new variant that takes a unsigned, and the same for
+_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
+require a bigger patch.
+
+Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
+---
+ src/polkit/polkitunixgroup.c | 15 +++++++++++----
+ src/polkit/polkitunixprocess.c | 12 ++++++++----
+ src/polkit/polkitunixuser.c | 13 ++++++++++---
+ 3 files changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c
+index c57a1aa..309f689 100644
+--- a/src/polkit/polkitunixgroup.c
++++ b/src/polkit/polkitunixgroup.c
+@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
+ static void
+ polkit_unix_group_init (PolkitUnixGroup *unix_group)
+ {
++ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
+ }
+
+ static void
+@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object,
+ GParamSpec *pspec)
+ {
+ PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
++ gint val;
+
+ switch (prop_id)
+ {
+ case PROP_GID:
+- unix_group->gid = g_value_get_int (value);
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ unix_group->gid = val;
+ break;
+
+ default:
+@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
+ g_param_spec_int ("gid",
+ "Group ID",
+ "The UNIX group ID",
+- 0,
++ G_MININT,
+ G_MAXINT,
+- 0,
++ -1,
+ G_PARAM_CONSTRUCT |
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_NAME |
+@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
+ */
+ void
+ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+- gint gid)
++ gint gid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
++ g_return_if_fail (gid != -1);
+ group->gid = gid;
+ }
+
+@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+ PolkitIdentity *
+ polkit_unix_group_new (gint gid)
+ {
++ g_return_val_if_fail (gid != -1, NULL);
++
+ return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
+ "gid", gid,
+ NULL));
+diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
+index 972b777..b02b258 100644
+--- a/src/polkit/polkitunixprocess.c
++++ b/src/polkit/polkitunixprocess.c
+@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject *object,
+ polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+ break;
+
+- case PROP_UID:
+- polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
++ case PROP_UID: {
++ gint val;
++
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ polkit_unix_process_set_uid (unix_process, val);
+ break;
++ }
+
+ case PROP_START_TIME:
+ polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
+ g_param_spec_int ("uid",
+ "User ID",
+ "The UNIX user ID",
+- -1,
++ G_MININT,
+ G_MAXINT,
+ -1,
+ G_PARAM_CONSTRUCT |
+@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
+ gint uid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
+- g_return_if_fail (uid >= -1);
+ process->uid = uid;
+ }
+
+diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c
+index 8bfd3a1..234a697 100644
+--- a/src/polkit/polkitunixuser.c
++++ b/src/polkit/polkitunixuser.c
+@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
+ static void
+ polkit_unix_user_init (PolkitUnixUser *unix_user)
+ {
++ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */
+ unix_user->name = NULL;
+ }
+
+@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object,
+ GParamSpec *pspec)
+ {
+ PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
++ gint val;
+
+ switch (prop_id)
+ {
+ case PROP_UID:
+- unix_user->uid = g_value_get_int (value);
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ unix_user->uid = val;
+ break;
+
+ default:
+@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
+ g_param_spec_int ("uid",
+ "User ID",
+ "The UNIX user ID",
+- 0,
++ G_MININT,
+ G_MAXINT,
+- 0,
++ -1,
+ G_PARAM_CONSTRUCT |
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_NAME |
+@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+ gint uid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_USER (user));
++ g_return_if_fail (uid != -1);
+ user->uid = uid;
+ }
+
+@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+ PolkitIdentity *
+ polkit_unix_user_new (gint uid)
+ {
++ g_return_val_if_fail (uid != -1, NULL);
++
+ return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
+ "uid", uid,
+ NULL));
+--
+2.18.1
+
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index 7cc5205fa..830006d43 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -49,6 +49,7 @@
(uri (string-append
"https://www.freedesktop.org/software/polkit/releases/"
name "-" version ".tar.gz"))
+ (patches (search-patches "polkit-CVE-2018-19788.patch"))
(sha256
(base32
"0c91y61y4gy6p91cwbzg32dhavw4b7fflg370rimqhdxpzdfr1rg"))
--
2.19.2
Information forwarded
to
guix-patches <at> gnu.org:
bug#33651; Package
guix-patches.
(Sat, 08 Dec 2018 23:01:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 33651 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:
> * gnu/packages/patches/polkit-CVE-2018-19788.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/polkit.scm (polkit)[source]: Use it.
LGTM, thank you!
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
Leo Famulari <leo <at> famulari.name>:
You have taken responsibility.
(Sun, 09 Dec 2018 05:24:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer.
(Sun, 09 Dec 2018 05:24:02 GMT)
Full text and
rfc822 format available.
Message #13 received at 33651-done <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Sun, Dec 09, 2018 at 12:00:26AM +0100, Marius Bakke wrote:
> Leo Famulari <leo <at> famulari.name> writes:
>
> > * gnu/packages/patches/polkit-CVE-2018-19788.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/polkit.scm (polkit)[source]: Use it.
>
> LGTM, thank you!
Pushed as 5d3f673db4f866564b4226046a266de36dc21dbd
Thanks for the review!
[signature.asc (application/pgp-signature, inline)]
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Sun, 06 Jan 2019 12:24:03 GMT)
Full text and
rfc822 format available.
This bug report was last modified 5 years and 105 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.