fix information disclosure CVE-2010-0750

OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=24

pkexec-information-disclosure.patch

@@ -0,0 +1,61 @@
+From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
+Date: Wed, 10 Mar 2010 17:46:19 +0000
+Subject: Bug 26982 – pkexec information disclosure vulnerability
+
+pkexec is vulnerable to a minor information disclosure vulnerability
+that allows an attacker to verify whether or not arbitrary files
+exist, violating directory permissions. I reproduced the issue on my
+Karmic installation as follows:
+
+ $ mkdir secret
+ $ sudo chown root:root secret
+ $ sudo chmod 400 secret
+ $ sudo touch secret/hidden
+ $ pkexec /home/drosenbe/secret/hidden
+ (password prompt)
+ $ pkexec /home/drosenbe/secret/doesnotexist
+ Error getting information about /home/drosenbe/secret/doesnotexist: No such
+ file or directory
+
+I've attached my patch for the issue. I replaced the stat() call
+entirely with access() using F_OK, so rather than check that the
+target exists, pkexec now checks if the user has permission to verify
+the existence of the program. There might be another way of doing
+this, such as chdir()'ing to the parent directory of the target and
+calling lstat(), but this seemed like more code than necessary to
+prevent such a minor problem.  I see no reason to allow pkexec to
+execute targets that are not accessible to the executing user because
+of directory permissions. This is such a limited use case anyway that
+this doesn't really affect functionality.
+
+http://bugs.freedesktop.org/show_bug.cgi?id=26982
+
+Signed-off-by: David Zeuthen <davidz@redhat.com>
+---
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 860e665..17c191e 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -411,7 +411,6 @@ main (int argc, char *argv[])
+   gchar *opt_user;
+   pid_t pid_of_caller;
+   uid_t uid_of_caller;
+-  struct stat statbuf;
+ 
+   ret = 127;
+   authority = NULL;
+@@ -520,9 +519,9 @@ main (int argc, char *argv[])
+       g_free (path);
+       argv[n] = path = s;
+     }
+-  if (stat (path, &statbuf) != 0)
++  if (access (path, F_OK) != 0)
+     {
+-      g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));
++      g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
+       goto out;
+     }
+   command_line = g_strjoinv (" ", argv + n);
+--
+cgit v0.8.3-6-g21f6

polkit.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Apr 9 19:14:09 CEST 2010 - kay.sievers@novell.com
+
+- fix pkexec information disclosure (fdo#26982, CVE-2010-0750)
+
 -------------------------------------------------------------------
 Mon Jan 18 14:20:11 CET 2010 - dmueller@suse.de
 

polkit.spec

@@ -36,6 +36,7 @@ Requires:       dbus-1
 Source0:        http://hal.freedesktop.org/releases/%{name}-%{version}.tar.bz2
 Source99:       baselibs.conf
 Requires:       libpolkit0 = %{version}-%{release}
+Patch0:         pkexec-information-disclosure.patch
 
 %description
 PolicyKit is a toolkit for defining and handling authorizations.
@@ -79,8 +80,10 @@ This package contains the libraries only.
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
+export V=1
 %configure \
   --with-os-type=suse \
   --enable-gtk-doc \