Accepting request 660356 from home:msmeissn:branches:Base:System
- polkit-CVE-2018-19788.patch: Fixed handling of UIDs over MAX_UINT (bsc#1118277 CVE-2018-19788) OBS-URL: https://build.opensuse.org/request/show/660356 OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=127
This commit is contained in:
Git OBS Bridge
parent
78f3f3ba95
commit
08b20c96ba
181
polkit-CVE-2018-19788.patch
Normal file
181
polkit-CVE-2018-19788.patch
Normal file
@ -0,0 +1,181 @@
|
||||
commit 2cb40c4d5feeaa09325522bd7d97910f1b59e379
|
||||
Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
|
||||
Date: Mon Dec 3 10:28:58 2018 +0100
|
||||
|
||||
Allow negative uids/gids in PolkitUnixUser and Group objects
|
||||
|
||||
(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
|
||||
there should be no users with such number, see
|
||||
https://systemd.io/UIDS-GIDS#special-linux-uids.
|
||||
|
||||
(uid_t) -1 is used as the default value in class initialization.
|
||||
|
||||
When a user or group above INT32_MAX is created, the numeric uid or
|
||||
gid wraps around to negative when the value is assigned to gint, and
|
||||
polkit gets confused. Let's accept such gids, except for -1.
|
||||
|
||||
A nicer fix would be to change the underlying type to e.g. uint32 to
|
||||
not have negative values. But this cannot be done without breaking the
|
||||
API, so likely new functions will have to be added (a
|
||||
polkit_unix_user_new variant that takes a unsigned, and the same for
|
||||
_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
|
||||
require a bigger patch.
|
||||
|
||||
Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
|
||||
|
||||
diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c
|
||||
index c57a1aa..309f689 100644
|
||||
--- a/src/polkit/polkitunixgroup.c
|
||||
+++ b/src/polkit/polkitunixgroup.c
|
||||
@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
|
||||
static void
|
||||
polkit_unix_group_init (PolkitUnixGroup *unix_group)
|
||||
{
|
||||
+ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object,
|
||||
GParamSpec *pspec)
|
||||
{
|
||||
PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
|
||||
+ gint val;
|
||||
|
||||
switch (prop_id)
|
||||
{
|
||||
case PROP_GID:
|
||||
- unix_group->gid = g_value_get_int (value);
|
||||
+ val = g_value_get_int (value);
|
||||
+ g_return_if_fail (val != -1);
|
||||
+ unix_group->gid = val;
|
||||
break;
|
||||
|
||||
default:
|
||||
@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
|
||||
g_param_spec_int ("gid",
|
||||
"Group ID",
|
||||
"The UNIX group ID",
|
||||
- 0,
|
||||
+ G_MININT,
|
||||
G_MAXINT,
|
||||
- 0,
|
||||
+ -1,
|
||||
G_PARAM_CONSTRUCT |
|
||||
G_PARAM_READWRITE |
|
||||
G_PARAM_STATIC_NAME |
|
||||
@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
|
||||
*/
|
||||
void
|
||||
polkit_unix_group_set_gid (PolkitUnixGroup *group,
|
||||
- gint gid)
|
||||
+ gint gid)
|
||||
{
|
||||
g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
|
||||
+ g_return_if_fail (gid != -1);
|
||||
group->gid = gid;
|
||||
}
|
||||
|
||||
@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
|
||||
PolkitIdentity *
|
||||
polkit_unix_group_new (gint gid)
|
||||
{
|
||||
+ g_return_val_if_fail (gid != -1, NULL);
|
||||
+
|
||||
return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
|
||||
"gid", gid,
|
||||
NULL));
|
||||
diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
|
||||
index 972b777..b02b258 100644
|
||||
--- a/src/polkit/polkitunixprocess.c
|
||||
+++ b/src/polkit/polkitunixprocess.c
|
||||
@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject *object,
|
||||
polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
|
||||
break;
|
||||
|
||||
- case PROP_UID:
|
||||
- polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
|
||||
+ case PROP_UID: {
|
||||
+ gint val;
|
||||
+
|
||||
+ val = g_value_get_int (value);
|
||||
+ g_return_if_fail (val != -1);
|
||||
+ polkit_unix_process_set_uid (unix_process, val);
|
||||
break;
|
||||
+ }
|
||||
|
||||
case PROP_START_TIME:
|
||||
polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
|
||||
@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
|
||||
g_param_spec_int ("uid",
|
||||
"User ID",
|
||||
"The UNIX user ID",
|
||||
- -1,
|
||||
+ G_MININT,
|
||||
G_MAXINT,
|
||||
-1,
|
||||
G_PARAM_CONSTRUCT |
|
||||
@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
|
||||
gint uid)
|
||||
{
|
||||
g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
|
||||
- g_return_if_fail (uid >= -1);
|
||||
process->uid = uid;
|
||||
}
|
||||
|
||||
diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c
|
||||
index 8bfd3a1..234a697 100644
|
||||
--- a/src/polkit/polkitunixuser.c
|
||||
+++ b/src/polkit/polkitunixuser.c
|
||||
@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
|
||||
static void
|
||||
polkit_unix_user_init (PolkitUnixUser *unix_user)
|
||||
{
|
||||
+ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */
|
||||
unix_user->name = NULL;
|
||||
}
|
||||
|
||||
@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object,
|
||||
GParamSpec *pspec)
|
||||
{
|
||||
PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
|
||||
+ gint val;
|
||||
|
||||
switch (prop_id)
|
||||
{
|
||||
case PROP_UID:
|
||||
- unix_user->uid = g_value_get_int (value);
|
||||
+ val = g_value_get_int (value);
|
||||
+ g_return_if_fail (val != -1);
|
||||
+ unix_user->uid = val;
|
||||
break;
|
||||
|
||||
default:
|
||||
@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
|
||||
g_param_spec_int ("uid",
|
||||
"User ID",
|
||||
"The UNIX user ID",
|
||||
- 0,
|
||||
+ G_MININT,
|
||||
G_MAXINT,
|
||||
- 0,
|
||||
+ -1,
|
||||
G_PARAM_CONSTRUCT |
|
||||
G_PARAM_READWRITE |
|
||||
G_PARAM_STATIC_NAME |
|
||||
@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
|
||||
gint uid)
|
||||
{
|
||||
g_return_if_fail (POLKIT_IS_UNIX_USER (user));
|
||||
+ g_return_if_fail (uid != -1);
|
||||
user->uid = uid;
|
||||
}
|
||||
|
||||
@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
|
||||
PolkitIdentity *
|
||||
polkit_unix_user_new (gint uid)
|
||||
{
|
||||
+ g_return_val_if_fail (uid != -1, NULL);
|
||||
+
|
||||
return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
|
||||
"uid", uid,
|
||||
NULL));
|
||||
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Dec 20 17:29:58 UTC 2018 - meissner@suse.com
|
||||
|
||||
- polkit-CVE-2018-19788.patch: Fixed handling of UIDs over MAX_UINT
|
||||
(bsc#1118277 CVE-2018-19788)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 17 07:56:08 UTC 2018 - bjorn.lie@gmail.com
|
||||
|
||||
|
||||
@ -38,6 +38,8 @@ Patch2: pkexec.patch
|
||||
Patch3: polkit-fix-possible-resource-leak.patch
|
||||
# PATCH-FIX-UPSTREAM polkit-fix-leaking-zombie-child-processes.patch fdo#106021 -- polkitd: fix zombie not reaped when js spawned process timed out
|
||||
Patch4: polkit-fix-leaking-zombie-child-processes.patch
|
||||
# PATCH-FIX-UPSTREAM polkit-CVE-2018-19788.patch bsc#1118277 meissner@suse.com -- 2cb40c4d5feeaa09325522bd7d97910f1b59e379
|
||||
Patch5: polkit-CVE-2018-19788.patch
|
||||
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: gtk-doc
|
||||
@ -123,6 +125,7 @@ This package provides the GObject Introspection bindings for PolicyKit.
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
%build
|
||||
export V=1
|
||||
|
||||
Loading…
Reference in New Issue
Block a user