From 2cce5d85fab4419db645d41459f36c4c0b8dbb3fdf042d3462fc853defb1a2f4 Mon Sep 17 00:00:00 2001 From: OBS User buildservice-autocommit Date: Thu, 18 Mar 2010 15:22:16 +0000 Subject: [PATCH 1/5] Updating link to change in openSUSE:Factory/polkit revision 7.0 OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=30d447718612918142858b09774a1f99 --- ready | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 ready diff --git a/ready b/ready deleted file mode 100644 index 473a0f4..0000000 From 559ff528cf4a023889e32ed659f6bb942300292d9ac2a53749bd3234a3d8091c Mon Sep 17 00:00:00 2001 From: Kay Sievers Date: Fri, 9 Apr 2010 17:18:25 +0000 Subject: [PATCH 2/5] fix information disclosure CVE-2010-0750 OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=24 --- pkexec-information-disclosure.patch | 61 +++++++++++++++++++++++++++++ polkit.changes | 5 +++ polkit.spec | 3 ++ 3 files changed, 69 insertions(+) create mode 100644 pkexec-information-disclosure.patch diff --git a/pkexec-information-disclosure.patch b/pkexec-information-disclosure.patch new file mode 100644 index 0000000..2766429 --- /dev/null +++ b/pkexec-information-disclosure.patch 
@@ -0,0 +1,61 @@
+From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Wed, 10 Mar 2010 17:46:19 +0000
+Subject: Bug 26982 – pkexec information disclosure vulnerability
+
+pkexec is vulnerable to a minor information disclosure vulnerability
+that allows an attacker to verify whether or not arbitrary files
+exist, violating directory permissions. I reproduced the issue on my
+Karmic installation as follows:
+
+ $ mkdir secret
+ $ sudo chown root:root secret
+ $ sudo chmod 400 secret
+ $ sudo touch secret/hidden
+ $ pkexec /home/drosenbe/secret/hidden
+ (password prompt)
+ $ pkexec /home/drosenbe/secret/doesnotexist
+ Error getting information about /home/drosenbe/secret/doesnotexist: No such
+ file or directory
+
+I've attached my patch for the issue. I replaced the stat() call
+entirely with access() using F_OK, so rather than check that the
+target exists, pkexec now checks if the user has permission to verify
+the existence of the program. There might be another way of doing
+this, such as chdir()'ing to the parent directory of the target and
+calling lstat(), but this seemed like more code than necessary to
+prevent such a minor problem. I see no reason to allow pkexec to
+execute targets that are not accessible to the executing user because
+of directory permissions. This is such a limited use case anyway that
+this doesn't really affect functionality.
+ +http://bugs.freedesktop.org/show_bug.cgi?id=26982 + +Signed-off-by: David Zeuthen +--- +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 860e665..17c191e 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -411,7 +411,6 @@ main (int argc, char *argv[]) + gchar *opt_user; + pid_t pid_of_caller; + uid_t uid_of_caller; +- struct stat statbuf; + + ret = 127; + authority = NULL; +@@ -520,9 +519,9 @@ main (int argc, char *argv[]) + g_free (path); + argv[n] = path = s; + } +- if (stat (path, &statbuf) != 0) ++ if (access (path, F_OK) != 0) + { +- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno)); ++ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno)); + goto out; + } + command_line = g_strjoinv (" ", argv + n); +-- +cgit v0.8.3-6-g21f6 diff --git a/polkit.changes b/polkit.changes index a549635..dce9913 100644 --- a/polkit.changes +++ b/polkit.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Apr 9 19:14:09 CEST 2010 - kay.sievers@novell.com + +- fix pkexec information disclosure (fdo#26982, CVE-2010-0750) + ------------------------------------------------------------------- Mon Jan 18 14:20:11 CET 2010 - dmueller@suse.de diff --git a/polkit.spec b/polkit.spec index 276a4d0..4e40d3f 100644 --- a/polkit.spec +++ b/polkit.spec @@ -36,6 +36,7 @@ Requires: dbus-1 Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.bz2 Source99: baselibs.conf Requires: libpolkit0 = %{version}-%{release} +Patch0: pkexec-information-disclosure.patch %description PolicyKit is a toolkit for defining and handling authorizations. @@ -79,8 +80,10 @@ This package contains the libraries only. %prep %setup -q +%patch0 -p1 %build +export V=1 %configure \ --with-os-type=suse \ --enable-gtk-doc \ From fa8495e8c962b518cea12bbb6914f0756f74c9da2f8b5e0c56db3a0bf1644256 Mon Sep 17 00:00:00 2001 
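Review bot: The new `access (path, F_OK)` test in the second pkexec.c hunk carries no comment explaining why it replaced `stat()`, and the reason is not obvious from the call alone: access() is evaluated with the caller's real uid/gid, so a path behind a directory the caller cannot search fails the same way whether or not the file exists. I would add above the check something like `/* access() uses the real uid: do not reveal whether paths the caller cannot reach exist */`. It is also worth stating there that this is a point-in-time existence check and not an authorization decision, since the path could change before it is used later in main(), whose body continues outside the hunk and is not visible here. The same patch file is added again in [PATCH 5/5], so the remark applies there too.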
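Review bot: `export V=1` in the `%build` hunk of polkit.spec is unrelated to the CVE-2010-0750 fix and is not recorded in the polkit.changes entry added by the same commit, which mentions only the information disclosure. If it is meant to make the build log verbose, say so in the changelog, for example `- build with V=1 for verbose compiler output`, or move it to its own commit so the security fix can be backported on its own. [PATCH 5/5] carries the same line.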
From: Kay Sievers Date: Wed, 14 Apr 2010 13:46:06 +0000 Subject: [PATCH 3/5] fix pkexec information disclosure OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=25 --- polkit.changes | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/polkit.changes b/polkit.changes index dce9913..f21c856 100644 --- a/polkit.changes +++ b/polkit.changes @@ -1,7 +1,8 @@ ------------------------------------------------------------------- Fri Apr 9 19:14:09 CEST 2010 - kay.sievers@novell.com -- fix pkexec information disclosure (fdo#26982, CVE-2010-0750) +- fix pkexec information disclosure + (fdo#26982, CVE-2010-0750, bnc#593959) ------------------------------------------------------------------- Mon Jan 18 14:20:11 CET 2010 - dmueller@suse.de From 7bb7fa509fea28bb984be04b12ce270ffc594f4783eec3095eaded03bb7d90a5 Mon Sep 17 00:00:00 2001 From: OBS User autobuild Date: Thu, 15 Apr 2010 23:31:10 +0000 Subject: [PATCH 4/5] Accepting request 37929 from Base:System checked in (request 37929) OBS-URL: https://build.opensuse.org/request/show/37929 OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=26 --- pkexec-information-disclosure.patch | 61 ----------------------------- polkit.changes | 6 --- polkit.spec | 3 -- 3 files changed, 70 deletions(-) delete mode 100644 pkexec-information-disclosure.patch diff --git a/pkexec-information-disclosure.patch b/pkexec-information-disclosure.patch deleted file mode 100644 index 2766429..0000000 --- a/pkexec-information-disclosure.patch +++ /dev/null 
@@ -1,61 +0,0 @@
-From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
-From: Dan Rosenberg
-Date: Wed, 10 Mar 2010 17:46:19 +0000
-Subject: Bug 26982 – pkexec information disclosure vulnerability
-
-pkexec is vulnerable to a minor information disclosure vulnerability
-that allows an attacker to verify whether or not arbitrary files
-exist, violating directory permissions. I reproduced the issue on my
-Karmic installation as follows:
-
- $ mkdir secret
- $ sudo chown root:root secret
- $ sudo chmod 400 secret
- $ sudo touch secret/hidden
- $ pkexec /home/drosenbe/secret/hidden
- (password prompt)
- $ pkexec /home/drosenbe/secret/doesnotexist
- Error getting information about /home/drosenbe/secret/doesnotexist: No such
- file or directory
-
-I've attached my patch for the issue. I replaced the stat() call
-entirely with access() using F_OK, so rather than check that the
-target exists, pkexec now checks if the user has permission to verify
-the existence of the program. There might be another way of doing
-this, such as chdir()'ing to the parent directory of the target and
-calling lstat(), but this seemed like more code than necessary to
-prevent such a minor problem. I see no reason to allow pkexec to
-execute targets that are not accessible to the executing user because
-of directory permissions. This is such a limited use case anyway that
-this doesn't really affect functionality.
- -http://bugs.freedesktop.org/show_bug.cgi?id=26982 - -Signed-off-by: David Zeuthen ---- -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c -index 860e665..17c191e 100644 ---- a/src/programs/pkexec.c -+++ b/src/programs/pkexec.c -@@ -411,7 +411,6 @@ main (int argc, char *argv[]) - gchar *opt_user; - pid_t pid_of_caller; - uid_t uid_of_caller; -- struct stat statbuf; - - ret = 127; - authority = NULL; -@@ -520,9 +519,9 @@ main (int argc, char *argv[]) - g_free (path); - argv[n] = path = s; - } -- if (stat (path, &statbuf) != 0) -+ if (access (path, F_OK) != 0) - { -- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno)); -+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno)); - goto out; - } - command_line = g_strjoinv (" ", argv + n); --- -cgit v0.8.3-6-g21f6 diff --git a/polkit.changes b/polkit.changes index f21c856..a549635 100644 --- a/polkit.changes +++ b/polkit.changes @@ -1,9 +1,3 @@ -------------------------------------------------------------------- -Fri Apr 9 19:14:09 CEST 2010 - kay.sievers@novell.com - -- fix pkexec information disclosure - (fdo#26982, CVE-2010-0750, bnc#593959) - ------------------------------------------------------------------- Mon Jan 18 14:20:11 CET 2010 - dmueller@suse.de diff --git a/polkit.spec b/polkit.spec index 4e40d3f..276a4d0 100644 --- a/polkit.spec +++ b/polkit.spec @@ -36,7 +36,6 @@ Requires: dbus-1 Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.bz2 Source99: baselibs.conf Requires: libpolkit0 = %{version}-%{release} -Patch0: pkexec-information-disclosure.patch %description PolicyKit is a toolkit for defining and handling authorizations. @@ -80,10 +79,8 @@ This package contains the libraries only. %prep %setup -q -%patch0 -p1 %build -export V=1 %configure \ --with-os-type=suse \ --enable-gtk-doc \ From 94cd941ed117192c03270d03456ee8d852216efe59d757c8df55484aae994529 Mon Sep 17 00:00:00 2001 
From: OBS User buildservice-autocommit Date: Thu, 15 Apr 2010 23:31:12 +0000 Subject: [PATCH 5/5] Updating link to change in openSUSE:Factory/polkit revision 8.0 OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=e2454747306b6695ac34fd9eefb30e1b --- pkexec-information-disclosure.patch | 61 +++++++++++++++++++++++++++++ polkit.changes | 6 +++ polkit.spec | 5 ++- 3 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 pkexec-information-disclosure.patch diff --git a/pkexec-information-disclosure.patch b/pkexec-information-disclosure.patch new file mode 100644 index 0000000..2766429 --- /dev/null +++ b/pkexec-information-disclosure.patch 
@@ -0,0 +1,61 @@
+From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Wed, 10 Mar 2010 17:46:19 +0000
+Subject: Bug 26982 – pkexec information disclosure vulnerability
+
+pkexec is vulnerable to a minor information disclosure vulnerability
+that allows an attacker to verify whether or not arbitrary files
+exist, violating directory permissions. I reproduced the issue on my
+Karmic installation as follows:
+
+ $ mkdir secret
+ $ sudo chown root:root secret
+ $ sudo chmod 400 secret
+ $ sudo touch secret/hidden
+ $ pkexec /home/drosenbe/secret/hidden
+ (password prompt)
+ $ pkexec /home/drosenbe/secret/doesnotexist
+ Error getting information about /home/drosenbe/secret/doesnotexist: No such
+ file or directory
+
+I've attached my patch for the issue. I replaced the stat() call
+entirely with access() using F_OK, so rather than check that the
+target exists, pkexec now checks if the user has permission to verify
+the existence of the program. There might be another way of doing
+this, such as chdir()'ing to the parent directory of the target and
+calling lstat(), but this seemed like more code than necessary to
+prevent such a minor problem. I see no reason to allow pkexec to
+execute targets that are not accessible to the executing user because
+of directory permissions. This is such a limited use case anyway that
+this doesn't really affect functionality.
+ +http://bugs.freedesktop.org/show_bug.cgi?id=26982 + +Signed-off-by: David Zeuthen +--- +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 860e665..17c191e 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -411,7 +411,6 @@ main (int argc, char *argv[]) + gchar *opt_user; + pid_t pid_of_caller; + uid_t uid_of_caller; +- struct stat statbuf; + + ret = 127; + authority = NULL; +@@ -520,9 +519,9 @@ main (int argc, char *argv[]) + g_free (path); + argv[n] = path = s; + } +- if (stat (path, &statbuf) != 0) ++ if (access (path, F_OK) != 0) + { +- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno)); ++ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno)); + goto out; + } + command_line = g_strjoinv (" ", argv + n); +-- +cgit v0.8.3-6-g21f6 diff --git a/polkit.changes b/polkit.changes index a549635..f21c856 100644 --- a/polkit.changes +++ b/polkit.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Apr 9 19:14:09 CEST 2010 - kay.sievers@novell.com + +- fix pkexec information disclosure + (fdo#26982, CVE-2010-0750, bnc#593959) + ------------------------------------------------------------------- Mon Jan 18 14:20:11 CET 2010 - dmueller@suse.de diff --git a/polkit.spec b/polkit.spec index 276a4d0..6abbe82 100644 --- a/polkit.spec +++ b/polkit.spec @@ -20,7 +20,7 @@ Name: polkit Summary: PolicyKit Authorization Framework Version: 0.96 -Release: 1 +Release: 2 License: LGPLv2+ Url: http://www.freedesktop.org/wiki/Software/PolicyKit BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -36,6 +36,7 @@ Requires: dbus-1 Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.bz2 Source99: baselibs.conf Requires: libpolkit0 = %{version}-%{release} +Patch0: pkexec-information-disclosure.patch %description PolicyKit is a toolkit for defining and handling authorizations. 
@@ -79,8 +80,10 @@ This package contains the libraries only. %prep %setup -q +%patch0 -p1 %build +export V=1 %configure \ --with-os-type=suse \ --enable-gtk-doc \