GNU bug report logs - #33651
[PATCH] gnu: polkit: Fix CVE-2018-19788.

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix-patches; Reported by: Leo Famulari <leo@HIDDEN>; Keywords: patch; dated Thu, 6 Dec 2018 22:34:02 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at submit <at> debbugs.gnu.org:


From: Leo Famulari <leo@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] gnu: polkit: Fix CVE-2018-19788.
Date: Thu,  6 Dec 2018 17:33:18 -0500

* gnu/packages/patches/polkit-CVE-2018-19788.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/polkit.scm (polkit)[source]: Use it.
---
 gnu/local.mk                                  |   1 +
 .../patches/polkit-CVE-2018-19788.patch       | 197 ++++++++++++++++++
 gnu/packages/polkit.scm                       |   1 +
 3 files changed, 199 insertions(+)
 create mode 100644 gnu/packages/patches/polkit-CVE-2018-19788.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index a35e5ae7e..cf1dcc2cc 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1063,6 +1063,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/plink-endian-detection.patch		\
   %D%/packages/patches/plotutils-libpng-jmpbuf.patch		\
   %D%/packages/patches/podofo-cmake-3.12.patch			\
+  %D%/packages/patches/polkit-CVE-2018-19788.patch		\
   %D%/packages/patches/poppler-CVE-2018-19149.patch		\
   %D%/packages/patches/portaudio-audacity-compat.patch		\
   %D%/packages/patches/portmidi-modular-build.patch		\
diff --git a/gnu/packages/patches/polkit-CVE-2018-19788.patch b/gnu/packages/patches/polkit-CVE-2018-19788.patch
new file mode 100644
index 000000000..58cde6c5d
--- /dev/null
+++ b/gnu/packages/patches/polkit-CVE-2018-19788.patch
@@ -0,0 +1,197 @@
+Fix CVE-2018-19788:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19788
+https://gitlab.freedesktop.org/polkit/polkit/issues/74
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/polkit/polkit/commit/2cb40c4d5feeaa09325522bd7d97910f1b59e379
+
+From 2cb40c4d5feeaa09325522bd7d97910f1b59e379 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@HIDDEN>
+Date: Mon, 3 Dec 2018 10:28:58 +0100
+Subject: [PATCH] Allow negative uids/gids in PolkitUnixUser and Group objects
+
+(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
+there should be no users with such number, see
+https://systemd.io/UIDS-GIDS#special-linux-uids.
+
+(uid_t) -1 is used as the default value in class initialization.
+
+When a user or group above INT32_MAX is created, the numeric uid or
+gid wraps around to negative when the value is assigned to gint, and
+polkit gets confused. Let's accept such gids, except for -1.
+
+A nicer fix would be to change the underlying type to e.g. uint32 to
+not have negative values. But this cannot be done without breaking the
+API, so likely new functions will have to be added (a
+polkit_unix_user_new variant that takes a unsigned, and the same for
+_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
+require a bigger patch.
+
+Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
+---
+ src/polkit/polkitunixgroup.c   | 15 +++++++++++----
+ src/polkit/polkitunixprocess.c | 12 ++++++++----
+ src/polkit/polkitunixuser.c    | 13 ++++++++++---
+ 3 files changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c
+index c57a1aa..309f689 100644
+--- a/src/polkit/polkitunixgroup.c
++++ b/src/polkit/polkitunixgroup.c
+@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
+ static void
+ polkit_unix_group_init (PolkitUnixGroup *unix_group)
+ {
++  unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
+ }
+ 
+ static void
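Review bot: the comment on the added line in `polkit_unix_group_init` reads `(git_t) -1`; it should be `(gid_t) -1`, matching the `(uid_t) -1` comment added in polkitunixuser.c. Since this file is stated to be copied from the upstream commit, keep the copy identical here and raise the typo upstream instead.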
+@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject      *object,
+                                GParamSpec   *pspec)
+ {
+   PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
++  gint val;
+ 
+   switch (prop_id)
+     {
+     case PROP_GID:
+-      unix_group->gid = g_value_get_int (value);
++      val = g_value_get_int (value);
++      g_return_if_fail (val != -1);
++      unix_group->gid = val;
+       break;
+ 
+     default:
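Review bot: in `case PROP_GID` the rejection of -1 rests entirely on `g_return_if_fail (val != -1)`, which GLib compiles out when G_DISABLE_CHECKS is defined and which otherwise only logs a critical and returns. As the guard in a security fix, an explicit `if (val == -1)` branch that skips the assignment would hold in every build configuration; the same applies to the other `g_return_if_fail (... != -1)` lines this patch adds.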
+@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
+                                    g_param_spec_int ("gid",
+                                                      "Group ID",
+                                                      "The UNIX group ID",
+-                                                     0,
++                                                     G_MININT,
+                                                      G_MAXINT,
+-                                                     0,
++                                                     -1,
+                                                      G_PARAM_CONSTRUCT |
+                                                      G_PARAM_READWRITE |
+                                                      G_PARAM_STATIC_NAME |
+@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
+  */
+ void
+ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+-                          gint gid)
++                           gint gid)
+ {
+   g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
++  g_return_if_fail (gid != -1);
+   group->gid = gid;
+ }
+ 
+@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+ PolkitIdentity *
+ polkit_unix_group_new (gint gid)
+ {
++  g_return_val_if_fail (gid != -1, NULL);
++
+   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
+                                        "gid", gid,
+                                        NULL));
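Review bot: `polkit_unix_group_new` now has a NULL return path for `gid == -1`, but the hunk does not touch the function's doc comment, so callers have no documented reason to check the result. Suggest documenting the NULL return there (and likewise for `polkit_unix_user_new`), since a caller that passes an unchecked gid and dereferences the result will now fault.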
+diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
+index 972b777..b02b258 100644
+--- a/src/polkit/polkitunixprocess.c
++++ b/src/polkit/polkitunixprocess.c
+@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject      *object,
+       polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+       break;
+ 
+-    case PROP_UID:
+-      polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
++    case PROP_UID: {
++      gint val;
++
++      val = g_value_get_int (value);
++      g_return_if_fail (val != -1);
++      polkit_unix_process_set_uid (unix_process, val);
+       break;
++    }
+ 
+     case PROP_START_TIME:
+       polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
+                                    g_param_spec_int ("uid",
+                                                      "User ID",
+                                                      "The UNIX user ID",
+-                                                     -1,
++                                                     G_MININT,
+                                                      G_MAXINT,
+                                                      -1,
+                                                      G_PARAM_CONSTRUCT |
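Review bot: the "uid" property keeps -1 as its default and is still G_PARAM_CONSTRUCT, so any construction that omits "uid" has GObject call `set_property` with that default, which the new `g_return_if_fail (val != -1)` in `case PROP_UID` answers with a critical warning. Suggest either letting -1 pass through the property setter as the "unset" value or dropping the construct-time default; the "gid" and "uid" specs in polkitunixgroup.c and polkitunixuser.c have the same combination now that their default changes from 0 to -1.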
+@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
+                              gint               uid)
+ {
+   g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
+-  g_return_if_fail (uid >= -1);
+   process->uid = uid;
+ }
+ 
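Review bot: removing `g_return_if_fail (uid >= -1)` leaves `polkit_unix_process_set_uid` accepting -1, while the property path in this same file and the `set_uid`/`set_gid` setters in the other two files now reject it. If -1 is deliberately allowed here as the "unset" placeholder, a one-line comment saying so would keep the asymmetry from reading as an oversight.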
+diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c
+index 8bfd3a1..234a697 100644
+--- a/src/polkit/polkitunixuser.c
++++ b/src/polkit/polkitunixuser.c
+@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
+ static void
+ polkit_unix_user_init (PolkitUnixUser *unix_user)
+ {
++  unix_user->uid = -1;  /* (uid_t) -1 is not a valid UID under Linux */
+   unix_user->name = NULL;
+ }
+ 
+@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject      *object,
+                                GParamSpec   *pspec)
+ {
+   PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
++  gint val;
+ 
+   switch (prop_id)
+     {
+     case PROP_UID:
+-      unix_user->uid = g_value_get_int (value);
++      val = g_value_get_int (value);
++      g_return_if_fail (val != -1);
++      unix_user->uid = val;
+       break;
+ 
+     default:
+@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
+                                    g_param_spec_int ("uid",
+                                                      "User ID",
+                                                      "The UNIX user ID",
+-                                                     0,
++                                                     G_MININT,
+                                                      G_MAXINT,
+-                                                     0,
++                                                     -1,
+                                                      G_PARAM_CONSTRUCT |
+                                                      G_PARAM_READWRITE |
+                                                      G_PARAM_STATIC_NAME |
+@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+                           gint uid)
+ {
+   g_return_if_fail (POLKIT_IS_UNIX_USER (user));
++  g_return_if_fail (uid != -1);
+   user->uid = uid;
+ }
+ 
+@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+ PolkitIdentity *
+ polkit_unix_user_new (gint uid)
+ {
++  g_return_val_if_fail (uid != -1, NULL);
++
+   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
+                                         "uid", uid,
+                                         NULL));
+-- 
+2.18.1
+
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index 7cc5205fa..830006d43 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -49,6 +49,7 @@
              (uri (string-append
                    "https://www.freedesktop.org/software/polkit/releases/"
                    name "-" version ".tar.gz"))
+             (patches (search-patches "polkit-CVE-2018-19788.patch"))
              (sha256
               (base32
                "0c91y61y4gy6p91cwbzg32dhavw4b7fflg370rimqhdxpzdfr1rg"))
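Review bot: the `patches` field is added directly to the `polkit` origin, which changes the package's derivation and therefore rebuilds everything that depends on it. If this is intended for master rather than a rebuild branch, consider delivering the fix as a graft (a `replacement` package carrying the patched source) and say in the commit message which branch is targeted.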
-- 
2.19.2





Acknowledgement sent to Leo Famulari <leo@HIDDEN>:
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN. Full text available.
Report forwarded to guix-patches@HIDDEN:
bug#33651; Package guix-patches. Full text available.
Last modified: Thu, 6 Dec 2018 22:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.