pool/polkit
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 709799 from Base:System

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/709799
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/polkit?expand=0&rev=67
This commit is contained in:
Dominique Leuenberger 2019-06-22 09:03:16 +00:00 committed by Git OBS Bridge
commit 60d70b0d21
12 changed files with 92 additions and 282 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkexec.patch
View File

@ -6,10 +6,10 @@ running uninstalled pkexec with --help or --version. This also helps
building packages that want to check for pkexec in an emulated environment building packages that want to check for pkexec in an emulated environment
that does not support setuid invocation (eg. QEMU linux-user). that does not support setuid invocation (eg. QEMU linux-user).
Index: polkit-0.114/src/programs/pkexec.c Index: polkit-0.116/src/programs/pkexec.c
=================================================================== ===================================================================
--- polkit-0.114.orig/src/programs/pkexec.c 2018-04-03 20:16:17.000000000 +0200 --- polkit-0.116.orig/src/programs/pkexec.c 2018-05-31 13:52:53.000000000 +0200
+++ polkit-0.114/src/programs/pkexec.c 2018-04-10 02:48:03.031508016 +0200 +++ polkit-0.116/src/programs/pkexec.c 2019-05-31 22:55:58.014504104 +0200
@@ -504,27 +504,6 @@ main (int argc, char *argv[]) @@ -504,27 +504,6 @@ main (int argc, char *argv[])
/* Disable remote file access from GIO. */ /* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1); setenv ("GIO_USE_VFS", "local", 1);

3
polkit-0.115.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2f87ecdabfbd415c6306673ceadc59846f059b18ef2fce42bac63fe283f12131
size 1550932

6
polkit-0.115.tar.gz.sign
View File

@ -1,6 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iF0EABECAB0WIQTBl22e2Rp0WcvOUxRaM/Zgs4R53wUCW0S8UgAKCRBaM/Zgs4R5
3wNmAJ9YYc3MgbepSXr0mqWdiL93TmYMvwCeNf1e4EGsqndw9DP3CbpICMN7gV0=
=mAps
-----END PGP SIGNATURE-----

3
polkit-0.116.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1
size 1548311

10
polkit-0.116.tar.gz.sign Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJcwtuMAAoJEIzrMDD/3OJYhGAH/27d2LGj6CaqWgSfJcL7LkKt
gXlS/jG16GpgW4K38KRK5d/3z6SXz0rgsT8LBAOSWdtpil1MFQqO2cUcQGAv5IeF
5vBVgWzCRTF2KPBDgWHuE0QEw0iRBtZL4cOsibj0IiF8JBZ5zCowrUvVF4V6XS7+
4kPYZD24ydY/vz5k6hbwqZfxbqQIOe8vZODzPelfjIDW1E0Zrovp9+KtMCVmSEJz
reUiUc1eY0NpP51NhmwykkZ9D4AZ8fB76uqfELtEd9Yec3I0pvwyvI03eLmD7liC
yI1VEIezPUgJnrGRf8uaVdaLE5TGn7hSIFCGy3xpBd2ZjTKncoed5JtpVDO1WiY=
=1bx+
-----END PGP SIGNATURE-----

181
polkit-CVE-2018-19788.patch
View File

@ -1,181 +0,0 @@
commit 2cb40c4d5feeaa09325522bd7d97910f1b59e379
Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Mon Dec 3 10:28:58 2018 +0100
Allow negative uids/gids in PolkitUnixUser and Group objects
(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
there should be no users with such number, see
https://systemd.io/UIDS-GIDS#special-linux-uids.
(uid_t) -1 is used as the default value in class initialization.
When a user or group above INT32_MAX is created, the numeric uid or
gid wraps around to negative when the value is assigned to gint, and
polkit gets confused. Let's accept such gids, except for -1.
A nicer fix would be to change the underlying type to e.g. uint32 to
not have negative values. But this cannot be done without breaking the
API, so likely new functions will have to be added (a
polkit_unix_user_new variant that takes a unsigned, and the same for
_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
require a bigger patch.
Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c
index c57a1aa..309f689 100644
--- a/src/polkit/polkitunixgroup.c
+++ b/src/polkit/polkitunixgroup.c
@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
static void
polkit_unix_group_init (PolkitUnixGroup *unix_group)
{
+ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
}
static void
@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object,
GParamSpec *pspec)
{
PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
+ gint val;
switch (prop_id)
{
case PROP_GID:
- unix_group->gid = g_value_get_int (value);
+ val = g_value_get_int (value);
+ g_return_if_fail (val != -1);
+ unix_group->gid = val;
break;
default:
@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
g_param_spec_int ("gid",
"Group ID",
"The UNIX group ID",
- 0,
+ G_MININT,
G_MAXINT,
- 0,
+ -1,
G_PARAM_CONSTRUCT |
G_PARAM_READWRITE |
G_PARAM_STATIC_NAME |
@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
*/
void
polkit_unix_group_set_gid (PolkitUnixGroup *group,
- gint gid)
+ gint gid)
{
g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
+ g_return_if_fail (gid != -1);
group->gid = gid;
}
@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
PolkitIdentity *
polkit_unix_group_new (gint gid)
{
+ g_return_val_if_fail (gid != -1, NULL);
+
return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
"gid", gid,
NULL));
diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
index 972b777..b02b258 100644
--- a/src/polkit/polkitunixprocess.c
+++ b/src/polkit/polkitunixprocess.c
@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject *object,
polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
break;
- case PROP_UID:
- polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
+ case PROP_UID: {
+ gint val;
+
+ val = g_value_get_int (value);
+ g_return_if_fail (val != -1);
+ polkit_unix_process_set_uid (unix_process, val);
break;
+ }
case PROP_START_TIME:
polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
g_param_spec_int ("uid",
"User ID",
"The UNIX user ID",
- -1,
+ G_MININT,
G_MAXINT,
-1,
G_PARAM_CONSTRUCT |
@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
gint uid)
{
g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
- g_return_if_fail (uid >= -1);
process->uid = uid;
}
diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c
index 8bfd3a1..234a697 100644
--- a/src/polkit/polkitunixuser.c
+++ b/src/polkit/polkitunixuser.c
@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
static void
polkit_unix_user_init (PolkitUnixUser *unix_user)
{
+ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */
unix_user->name = NULL;
}
@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object,
GParamSpec *pspec)
{
PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
+ gint val;
switch (prop_id)
{
case PROP_UID:
- unix_user->uid = g_value_get_int (value);
+ val = g_value_get_int (value);
+ g_return_if_fail (val != -1);
+ unix_user->uid = val;
break;
default:
@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
g_param_spec_int ("uid",
"User ID",
"The UNIX user ID",
- 0,
+ G_MININT,
G_MAXINT,
- 0,
+ -1,
G_PARAM_CONSTRUCT |
G_PARAM_READWRITE |
G_PARAM_STATIC_NAME |
@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
gint uid)
{
g_return_if_fail (POLKIT_IS_UNIX_USER (user));
+ g_return_if_fail (uid != -1);
user->uid = uid;
}
@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
PolkitIdentity *
polkit_unix_user_new (gint uid)
{
+ g_return_val_if_fail (uid != -1, NULL);
+
return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
"uid", uid,
NULL));

33
polkit-fix-leaking-zombie-child-processes.patch
View File

@ -1,33 +0,0 @@
From 8638ec5cd534dcc616b68e5b0744c493c0c71dc9 Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Wed, 15 Aug 2018 16:11:22 +0200
Subject: Leaking zombie child processes Resolves: bz#106021
Subject: [PATCH] polkitd: fix zombie not reaped when js spawned process timed
out
The child watch source attached to thread context didn't work due
to the release of it's main loop and context outside. So we attach
the source to the global default main context to make it work and
avoid zombies.
---
src/polkitbackend/polkitbackendjsauthority.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
index 517f3c6..7602714 100644
--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
@@ -1595,7 +1595,8 @@ utils_spawn_data_free (UtilsSpawnData *data)
(GSourceFunc) utils_child_watch_from_release_cb,
source,
(GDestroyNotify) g_source_destroy);
- g_source_attach (source, data->main_context);
+ /* attach source to the global default main context */
+ g_source_attach (source, NULL);
g_source_unref (source);
data->child_pid = 0;
}
--
cgit v1.1

24
polkit-fix-possible-resource-leak.patch
View File

@ -1,24 +0,0 @@
From 542c6ec832919df6a74e16aba574adaeebe35e08 Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Thu, 9 Aug 2018 16:46:38 +0200
Subject: Possible resource leak found by static analyzer
---
src/polkitagent/polkitagentlistener.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/polkitagent/polkitagentlistener.c b/src/polkitagent/polkitagentlistener.c
index debd1bb..2e0e11e 100644
--- a/src/polkitagent/polkitagentlistener.c
+++ b/src/polkitagent/polkitagentlistener.c
@@ -439,6 +439,7 @@ polkit_agent_listener_register_with_options (PolkitAgentListener *listener,
server->thread_initialization_error = NULL;
g_thread_join (server->thread);
server_free (server);
+ server = NULL;
goto out;
}
}
--
cgit v1.1

6
polkit-no-wheel-group.patch
View File

@ -1,7 +1,7 @@
Index: polkit-0.107/src/polkitbackend/50-default.rules Index: polkit-0.116/src/polkitbackend/50-default.rules
=================================================================== ===================================================================
--- polkit-0.107.orig/src/polkitbackend/50-default.rules --- polkit-0.116.orig/src/polkitbackend/50-default.rules 2018-03-27 13:46:06.000000000 +0200
+++ polkit-0.107/src/polkitbackend/50-default.rules +++ polkit-0.116/src/polkitbackend/50-default.rules 2019-05-31 22:55:57.990503876 +0200
@@ -8,5 +8,5 @@ @@ -8,5 +8,5 @@
// about configuring polkit. // about configuring polkit.

26
polkit.changes
View File

@ -1,3 +1,29 @@
-------------------------------------------------------------------
Wed May 29 07:57:26 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 0.116:
+ Leaking zombie child processes.
+ Possible resource leak found by static analyzer.
+ Output messages tuneup.
+ Sanity fixes.
+ pkttyagent tty echo disabled on SIGINT.
+ HACKING: add link to Code of Conduct.
+ polkitbackend: comment typos fix.
+ configure.ac: fix detection of systemd with cgroups v2.
+ CVE-2018-19788 High UIDs overflow fix.
+ CVE-2019-6133 Slowfork vulnerability fix.
+ Allow unset process-uid.
+ Port the JS authority to mozjs-60.
+ Use JS_EncodeStringToUTF8.
+ Updated translations.
- Replace pkgconfig(mozjs-52) with pkgconfig(mozjs-60)
BuildRequires following upstreams changes.
- Drop patches fixed upstream:
+ polkit-fix-possible-resource-leak.patch
+ polkit-fix-leaking-zombie-child-processes.patch
+ polkit-CVE-2018-19788.patch
- Refresh patches with quilt.
------------------------------------------------------------------- -------------------------------------------------------------------
Fri May 10 14:44:20 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org> Fri May 10 14:44:20 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>

30
polkit.keyring
View File

@ -624,3 +624,33 @@ uhMPUaUfZX3DaEtMtjV+6jNnfP3jFEJHYAvQpCLQEC/Jk3odKgrw/UNJY2wewFXR
xswOcJBwoxssbQmiBaFp13Frzhjwjwqer+npV6FuOLjRsnMd7h9EgiGYGqH385w0 xswOcJBwoxssbQmiBaFp13Frzhjwjwqer+npV6FuOLjRsnMd7h9EgiGYGqH385w0
=DnDa =DnDa
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: fks.pgpkeys.eu
mQENBFtkaE8BCADL6NFIHYl5RDKRyDm2/igDWiveVFWzUZGJeBBkAcpZcstJK0mDxwWbcOwE
+XvMUux4HwZCymZb+5SctrHyQvS629BTbynfZv5JOIAKl1Hg24yklBGYJ1LX/4H140Y2cGTN
3xymGisSYMNF11Cngsw1qND8NJ6fqadHafn8s1gvphFkCs8LpoJgTBrLEUQZpnpSRcIP+/UR
2R/ErCkwE9erPHfksj+B+hGD6PKqeLPSvLq5F9L+axnMgH784QQADn3BaM2ZePtC+gbUYgsY
ra6jwsEsjZmd/nauVex2rB3MaRgiwTg6+cmDXgd5a0w2CPMFlQiWiamb7/UfCxsFRgs3ABEB
AAG0J0phbiBSeWJhciAoUmVkIEhhdCkgPGpyeWJhckByZWRoYXQuY29tPokBOAQTAQIAIgUC
W2RoTwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQjOswMP/c4lha5wf8C7+FoCIU
NE83GgnG4Vp7jJFgn1B8ea7Jvya0X37kHWBUueQv7F0M+3qUtVQNHDSIfehysiAtNncWh58V
n9JWohzvWTGnZ1bY8IeU/MxCrBrWaxqsjsWOPq1smtnIas7LLkn44oOlyOXDVOp/JOk4QxoO
gf6GIERpit/0dBNjFSkeL037ocB/f6WekG4MpYtp/U4gy3MAWhBKXxJUTgJFRSiLtGEdnUGW
wG8ZbulGRRO79rWg9ThvpPEEqZG/2bm4kWMlaaaDsJ9lbPA4rN0uU0ny3/2COwqKtpwrLvRE
duRcVG9vpnCl5zkFtNc00p2RRBrQJ/PLq2OdSrGMf0skhbkBDQRbZGhPAQgAxaVnvy+O0sUR
/P1e7CAQKg7jSXFoUIHVpT/F7Q2t3hs2I3wmQTAy92CVWDXJDDpN93VR6IJQzws0F7IV9+Js
xl4Hu6ELyaOpMD0QVb09s9C0s2nz88rn6WMoy0wuVJcB0h8aNzUBjRsgi94XTH44tlcVZj4q
/GbQaJy8kBNu5V6sAQg64h5xuU4tow8tkzL78bNOLeYXyEYOO+Dlt/879oxQca+dTHXr13NV
wKFqcduBIcsQZd5JnQFeXo+8XWpmeS/wwX0RW+J0mSYWvjP/fMeE7BIftbbolqr+HwwppVNP
ouFDPq/9bKmQs7USen6rOJ6uIqMhPkopgXXOle3EEQARAQABiQEfBBgBAgAJBQJbZGhPAhsM
AAoJEIzrMDD/3OJYmlMH/0NTd/lZ0jh0djRYlRcz0OIT9B/2gYmNoekEsciEliPS3WEN+M2s
kZM/L/lLFCbD4dOqlXqb84Yvch9iC/VzCEYCEs8Kz647H2mBnyHxxOKtgrXJpWhZoRzs9pzb
AVCEkl5+PjFRwhn7Nwpm/EG+02VgR9JC1ZdX28iN3a3axbLuI9RIZznRRL5Jr5ePMJ0nRvWY
HX4K+Wt5UhHuo1Kaj9Yn0UcTCj7WKznRjNtL6S4N4mS8OJwi8jZ8Rvb3GFCViEaVz/+ZNBaW
HGJO/6RB1aNr3SlD155eTM6H6v2lsNn4gpc7T3GL9AzEsuUef5mqo1EsO+OJeBrQv8vVybJx
GJ8=
=QrX7
-----END PGP PUBLIC KEY BLOCK-----

46
polkit.spec
View File

@ -12,12 +12,12 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
Name: polkit Name: polkit
Version: 0.115 Version: 0.116
Release: 0 Release: 0
Summary: PolicyKit Authorization Framework Summary: PolicyKit Authorization Framework
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
@ -34,12 +34,6 @@ Patch0: polkit-no-wheel-group.patch
Patch1: polkit-gettext.patch Patch1: polkit-gettext.patch
# PATCH-FIX-UPSTREAM pkexec.patch schwab@suse.de -- pkexec: allow --version and --help even if not setuid # PATCH-FIX-UPSTREAM pkexec.patch schwab@suse.de -- pkexec: allow --version and --help even if not setuid
Patch2: pkexec.patch Patch2: pkexec.patch
# PATCH-FIX-UPSTREAM polkit-fix-possible-resource-leak.patch -- Fix possible resource leak found by static analyzer
Patch3: polkit-fix-possible-resource-leak.patch
# PATCH-FIX-UPSTREAM polkit-fix-leaking-zombie-child-processes.patch fdo#106021 -- polkitd: fix zombie not reaped when js spawned process timed out
Patch4: polkit-fix-leaking-zombie-child-processes.patch
# PATCH-FIX-UPSTREAM polkit-CVE-2018-19788.patch bsc#1118277 meissner@suse.com -- 2cb40c4d5feeaa09325522bd7d97910f1b59e379
Patch5: polkit-CVE-2018-19788.patch
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gtk-doc BuildRequires: gtk-doc
@ -49,11 +43,11 @@ BuildRequires: libexpat-devel
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
BuildRequires: pkgconfig(gio-unix-2.0) >= 2.30.0 BuildRequires: pkgconfig(gio-unix-2.0) >= 2.32.0
BuildRequires: pkgconfig(gmodule-2.0) >= 2.30.0 BuildRequires: pkgconfig(gmodule-2.0) >= 2.32.0
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.2 BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.2
BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(mozjs-52) BuildRequires: pkgconfig(mozjs-60)
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
# gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle. # gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle.
#!BuildIgnore: ruby #!BuildIgnore: ruby
@ -118,30 +112,24 @@ processes.
This package provides the GObject Introspection bindings for PolicyKit. This package provides the GObject Introspection bindings for PolicyKit.
%prep %prep
%setup -q %autosetup -p1
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build %build
export V=1 # Needed for patch1 and patch2
# needed for patch1 and patch2
autoreconf -fi autoreconf -fi
export SUID_CFLAGS="-fPIE" export SUID_CFLAGS="-fPIE"
export SUID_LDFLAGS="-z now -pie" export SUID_LDFLAGS="-z now -pie"
%configure \ %configure \
--with-os-type=suse \ --with-os-type=suse \
--enable-gtk-doc \ --enable-gtk-doc \
--with-pic \ --with-pic \
--disable-static \ --disable-static \
--enable-introspection \ --enable-introspection \
--enable-examples \ --enable-examples \
--enable-libsystemd-login \ --enable-libsystemd-login \
--libexecdir=%{_libexecdir}/polkit-1 --libexecdir=%{_libexecdir}/polkit-1 \
make %{?_smp_mflags} %{nil}
%make_build
%install %install
%make_install %make_install