diff --git a/pkexec-information-disclosure.patch b/pkexec-information-disclosure.patch
new file mode 100644
index 0000000..2766429
--- /dev/null
+++ b/pkexec-information-disclosure.patch
@@ -0,0 +1,61 @@
+From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Wed, 10 Mar 2010 17:46:19 +0000
+Subject: Bug 26982 – pkexec information disclosure vulnerability
+
+pkexec is vulnerable to a minor information disclosure vulnerability
+that allows an attacker to verify whether or not arbitrary files
+exist, violating directory permissions. I reproduced the issue on my
+Karmic installation as follows:
+
+ $ mkdir secret
+ $ sudo chown root:root secret
+ $ sudo chmod 400 secret
+ $ sudo touch secret/hidden
+ $ pkexec /home/drosenbe/secret/hidden
+ (password prompt)
+ $ pkexec /home/drosenbe/secret/doesnotexist
+ Error getting information about /home/drosenbe/secret/doesnotexist: No such
+ file or directory
+
+I've attached my patch for the issue. I replaced the stat() call
+entirely with access() using F_OK, so rather than check that the
+target exists, pkexec now checks if the user has permission to verify
+the existence of the program. There might be another way of doing
+this, such as chdir()'ing to the parent directory of the target and
+calling lstat(), but this seemed like more code than necessary to
+prevent such a minor problem. I see no reason to allow pkexec to
+execute targets that are not accessible to the executing user because
+of directory permissions. This is such a limited use case anyway that
+this doesn't really affect functionality.
+
+http://bugs.freedesktop.org/show_bug.cgi?id=26982
+
+Signed-off-by: David Zeuthen
+---
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 860e665..17c191e 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -411,7 +411,6 @@ main (int argc, char *argv[])
+ gchar *opt_user;
+ pid_t pid_of_caller;
+ uid_t uid_of_caller;
+- struct stat statbuf;
+
+ ret = 127;
+ authority = NULL;
+@@ -520,9 +519,9 @@ main (int argc, char *argv[])
+ g_free (path);
+ argv[n] = path = s;
+ }
+- if (stat (path, &statbuf) != 0)
++ if (access (path, F_OK) != 0)
+ {
+- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));
++ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
+ goto out;
+ }
+ command_line = g_strjoinv (" ", argv + n);
+--
+cgit v0.8.3-6-g21f6
diff --git a/polkit.changes b/polkit.changes
index a549635..dce9913 100644
--- a/polkit.changes
+++ b/polkit.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Apr 9 19:14:09 CEST 2010 - kay.sievers@novell.com
+
+- fix pkexec information disclosure (fdo#26982, CVE-2010-0750)
+
 -------------------------------------------------------------------
 Mon Jan 18 14:20:11 CET 2010 - dmueller@suse.de
 
diff --git a/polkit.spec b/polkit.spec
index 276a4d0..4e40d3f 100644
--- a/polkit.spec
+++ b/polkit.spec
@@ -36,6 +36,7 @@ Requires: dbus-1
 Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.bz2
 Source99: baselibs.conf
 Requires: libpolkit0 = %{version}-%{release}
+Patch0: pkexec-information-disclosure.patch
 
 %description
 PolicyKit is a toolkit for defining and handling authorizations.
@@ -79,8 +80,10 @@ This package contains the libraries only.
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
+export V=1
 %configure \
 --with-os-type=suse \
 --enable-gtk-doc \
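Review bot: The `access (path, F_OK)` call added in the second pkexec.c hunk carries no comment explaining why it is access() and not stat(): the fix works only because access() evaluates permissions with the caller's real uid/gid rather than the effective ones pkexec runs with as a setuid program. I would add `/* access() checks with the caller's real uid, so it cannot be used to probe paths behind directories the caller may not search (fdo#26982) */` above the call, so that nobody later swaps in stat() or an effective-uid check such as `faccessat` with `AT_EACCESS` and reopens the leak. The check is also only a snapshot: the path is presumably resolved again when the program is executed further down, so it should be treated as an early error message rather than as an access decision. main() starts and ends outside the hunk.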
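Review bot: The `export V=1` line added to %build in the second polkit.spec hunk is not part of the pkexec fix and is not mentioned in the new polkit.changes entry; it presumably only makes the build output verbose. A security update is easier to audit and backport when it carries nothing else, so I would either move this line to its own commit or record it in the changelog entry, for example `- build with V=1 for verbose compiler output`. The %configure invocation continues past the end of the hunk.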