From 9049ba1cdaf69f4008e912819edead04d7c48574084d13e8b9c71bf65f2bb70e Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Wed, 11 Jul 2018 10:50:47 +0000
Subject: [PATCH] - Update to version 0.115: - Fix CVE-2018-1116: Trusting client-supplied UID (bsc#1099031) - jsauthority: pass "%s" format string to remaining report function
OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=123
---
polkit-0.114.tar.gz | 3 --
polkit-0.114.tar.gz.sign | 16 -----------
polkit-0.115.tar.gz | 3 ++
polkit-0.115.tar.gz.sign | 6 ++++
polkit-jsauthority-pass-format-string.patch | 32 ---------------------
polkit.changes | 8 ++++++
polkit.spec | 7 ++---
7 files changed, 19 insertions(+), 56 deletions(-)
delete mode 100644 polkit-0.114.tar.gz
delete mode 100644 polkit-0.114.tar.gz.sign
create mode 100644 polkit-0.115.tar.gz
create mode 100644 polkit-0.115.tar.gz.sign
delete mode 100644 polkit-jsauthority-pass-format-string.patch
diff --git a/polkit-0.114.tar.gz b/polkit-0.114.tar.gz
deleted file mode 100644
index e8a46cb..0000000
--- a/polkit-0.114.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bdf4007367d758fd794de2495975c115984d206267e52d1e6ac5ceea77e8ede6
-size 1557340
diff --git a/polkit-0.114.tar.gz.sign b/polkit-0.114.tar.gz.sign
deleted file mode 100644
index 89e934f..0000000
--- a/polkit-0.114.tar.gz.sign
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-wsFcBAABCAAQBQJayUecCRDptRpmWCnWVQAAtzIQAD2kwEHFTiJt4TtqBm9DDS64
-QNOE9+E4tTAQZlO+mwTtskQs/wojKDNpud+uhnhFWrMfmMGXVf2odz3PblhCmrsS
-tYleKUlgV3aoBltelCvl9Xy0otrAZ0WygCKJpeyvzsN0FwiWhuVTLXofRnmUiCFP
-jU847ldoawGw72tbH9qsFtEWRA+zbDT40ja1eO301JW5um6C+pKIs7MvNgSm4uEs
-VnEGomUPmMY9I/6akcOBFrMovujWQKHP4sr99vWPsCwMy7Ju9+UvyhHPXFyh7yCq
-AQePMOJxFnTT8tXlPyAxi+TO3ihokiqQhBY4wrRjguIm9MXaumasfuzN1LoHR7wy
-Y73FAEjYWvf5BHChW5cqFjRYv29aNol/nyEKbF8HpKTt/FFOeUSlF3xWbMqP9xs7
-tle13Ax1o22XIq05kPRM2FT6WK87IMAk/6qF669aUgbl3+36N0KFyt/NpA2M6Oiq
-Z9grgYtNgOZPzFM+UJOYijaSDSFtPpwbdEJQpEPxVqsDJ6lRKbAv/SyvBgvkZM3A
-IiUE4GN4c2JGAj+rHDzEjzjtNfT10qVeF31j2+5/uRGyR4dBeRUBclwSIz1zGLLS
-mfFRsqGnPpOxFA79NVr41aMmjv5wXfcsKQWrBUIfbkCdhZ9Hrzd8ItMO0b6xnBZ6
-348LpL6UknwI7dJA/HIv
-=Yc4b
------END PGP SIGNATURE-----
diff --git a/polkit-0.115.tar.gz b/polkit-0.115.tar.gz
new file mode 100644
index 0000000..c7ac0d7
--- /dev/null
+++ b/polkit-0.115.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f87ecdabfbd415c6306673ceadc59846f059b18ef2fce42bac63fe283f12131
+size 1550932
diff --git a/polkit-0.115.tar.gz.sign b/polkit-0.115.tar.gz.sign
new file mode 100644
index 0000000..eb1d67c
--- /dev/null
+++ b/polkit-0.115.tar.gz.sign
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQTBl22e2Rp0WcvOUxRaM/Zgs4R53wUCW0S8UgAKCRBaM/Zgs4R5
+3wNmAJ9YYc3MgbepSXr0mqWdiL93TmYMvwCeNf1e4EGsqndw9DP3CbpICMN7gV0=
+=mAps
+-----END PGP SIGNATURE-----
diff --git a/polkit-jsauthority-pass-format-string.patch b/polkit-jsauthority-pass-format-string.patch
deleted file mode 100644
index 1f33ce4..0000000
--- a/polkit-jsauthority-pass-format-string.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 373705b35e7f6c7dc83de5e0a3ce11ecd15d0409 Mon Sep 17 00:00:00 2001
-From: Ray Strode
-Date: Tue, 3 Apr 2018 15:26:37 -0400
-Subject: jsauthority: pass "%s" format string to remaining report function
-
-commit 00adeee1b62 attempted to add a "%s" format string to the
-two JS_Report invocations that needed it, but somehow only got
-one them.
-
-This commit gets the other one.
-
-https://bugzilla.gnome.org/show_bug.cgi?id=105865
----
- src/polkitbackend/polkitbackendjsauthority.cpp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
-index 9746c47..517f3c6 100644
---- a/src/polkitbackend/polkitbackendjsauthority.cpp
-+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
-@@ -1292,7 +1292,7 @@ js_polkit_log (JSContext *cx,
- JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
-
- s = JS_EncodeString (cx, args[0].toString ());
-- JS_ReportWarningUTF8 (cx, s);
-+ JS_ReportWarningUTF8 (cx, "%s", s);
- JS_free (cx, s);
-
- ret = true;
---
-cgit v1.1
-
diff --git a/polkit.changes b/polkit.changes
index 2c154c4..1c9eadc 100644
--- a/polkit.changes
+++ b/polkit.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Jul 11 10:48:37 UTC 2018 - meissner@suse.com
+
+- Update to version 0.115:
+ - Fix CVE-2018-1116: Trusting client-supplied UID (bsc#1099031)
+ - jsauthority: pass "%s" format string to remaining report function
+ (obsoletes polkit-jsauthority-pass-format-string.patch)
+
 -------------------------------------------------------------------
 Mon Apr 9 22:38:39 UTC 2018 - bjorn.lie@gmail.com
diff --git a/polkit.spec b/polkit.spec
index 95028af..29d6cce 100644
--- a/polkit.spec
+++ b/polkit.spec
@@ -17,12 +17,12 @@ Name: polkit -Version: 0.114 +Version: 0.115 Release: 0 Summary: PolicyKit Authorization Framework License: LGPL-2.1-or-later Group: System/Libraries -URL: http://www.freedesktop.org/wiki/Software/polkit/ +Url: http://www.freedesktop.org/wiki/Software/polkit/ Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign Source2: %{name}.keyring @@ -34,8 +34,6 @@ Patch0: polkit-no-wheel-group.patch Patch1: polkit-gettext.patch # PATCH-FIX-UPSTREAM pkexec.patch schwab@suse.de -- pkexec: allow --version and --help even if not setuid Patch2: pkexec.patch -# PATCH-FIX-UPSTREAM polkit-jsauthority-pass-format-string.patch bgo#105865 bjorn.lie@gmail.com -- jsauthority: pass "%s" format string to remaining report function -Patch3: polkit-jsauthority-pass-format-string.patch BuildRequires: gcc-c++ BuildRequires: gtk-doc @@ -119,7 +117,6 @@ This package provides the GObject Introspection bindings for PolicyKit. %patch0 -p1 %patch1 -p1 %patch2 -p1 -%patch3 -p1 %build export V=1
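Review bot: The version bump in the first hunk leaves `Source2: %{name}.keyring` untouched, and the commit's file list does not include the keyring, while the new `polkit-0.115.tar.gz.sign` is a much shorter signature blob than the removed 0.114 one, which suggests (not provable from this page) a different signing key. Because `Source0` and `Source1` are still fetched over `http://`, the detached signature checked against that keyring is the only integrity control on the tarball that carries the CVE-2018-1116 fix, so confirm that the keyring already holds the 0.115 signer's key and that the signature verifies. Switching both source lines to `https://www.freedesktop.org/software/polkit/releases/...` would add transport integrity as well. The `URL:` to `Url:` tag change is unrelated to the security update and would be easier to audit in a separate commit.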