Accepting request 46290 from Base:System
Copy from Base:System/polkit based on submit request 46290 from user vuntz OBS-URL: https://build.opensuse.org/request/show/46290 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/polkit?expand=0&rev=12
commit
c89d0c3d16
@ -1,61 +0,0 @@
|
||||
From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
|
||||
From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
|
||||
Date: Wed, 10 Mar 2010 17:46:19 +0000
|
||||
Subject: Bug 26982 – pkexec information disclosure vulnerability
|
||||
|
||||
pkexec is vulnerable to a minor information disclosure vulnerability
|
||||
that allows an attacker to verify whether or not arbitrary files
|
||||
exist, violating directory permissions. I reproduced the issue on my
|
||||
Karmic installation as follows:
|
||||
|
||||
$ mkdir secret
|
||||
$ sudo chown root:root secret
|
||||
$ sudo chmod 400 secret
|
||||
$ sudo touch secret/hidden
|
||||
$ pkexec /home/drosenbe/secret/hidden
|
||||
(password prompt)
|
||||
$ pkexec /home/drosenbe/secret/doesnotexist
|
||||
Error getting information about /home/drosenbe/secret/doesnotexist: No such
|
||||
file or directory
|
||||
|
||||
I've attached my patch for the issue. I replaced the stat() call
|
||||
entirely with access() using F_OK, so rather than check that the
|
||||
target exists, pkexec now checks if the user has permission to verify
|
||||
the existence of the program. There might be another way of doing
|
||||
this, such as chdir()'ing to the parent directory of the target and
|
||||
calling lstat(), but this seemed like more code than necessary to
|
||||
prevent such a minor problem. I see no reason to allow pkexec to
|
||||
execute targets that are not accessible to the executing user because
|
||||
of directory permissions. This is such a limited use case anyway that
|
||||
this doesn't really affect functionality.
|
||||
|
||||
http://bugs.freedesktop.org/show_bug.cgi?id=26982
|
||||
|
||||
Signed-off-by: David Zeuthen <davidz@redhat.com>
|
||||
---
|
||||
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
|
||||
index 860e665..17c191e 100644
|
||||
--- a/src/programs/pkexec.c
|
||||
+++ b/src/programs/pkexec.c
|
||||
@@ -411,7 +411,6 @@ main (int argc, char *argv[])
|
||||
gchar *opt_user;
|
||||
pid_t pid_of_caller;
|
||||
uid_t uid_of_caller;
|
||||
- struct stat statbuf;
|
||||
|
||||
ret = 127;
|
||||
authority = NULL;
|
||||
@@ -520,9 +519,9 @@ main (int argc, char *argv[])
|
||||
g_free (path);
|
||||
argv[n] = path = s;
|
||||
}
|
||||
- if (stat (path, &statbuf) != 0)
|
||||
+ if (access (path, F_OK) != 0)
|
||||
{
|
||||
- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));
|
||||
+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
|
||||
goto out;
|
||||
}
|
||||
command_line = g_strjoinv (" ", argv + n);
|
||||
--
|
||||
cgit v0.8.3-6-g21f6
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:65425af5ea4a62401df43a224c5f33d0256e4fbd265de09545f55602f14bf25d
|
||||
size 856349
|
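--- a/polkit-0.98.tar.bz2
+++ b/polkit-0.98.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b282694581465347bd2943398d995a344fa44495f9200196e5ac62f5b961ec57
+size 794417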
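--- a/polkit-install-missing-header.patch
+++ b/polkit-install-missing-header.patch
@@ -0,0 +1,24 @@
+Index: polkit-0.98/src/polkitagent/Makefile.am
+===================================================================
+--- polkit-0.98.orig/src/polkitagent/Makefile.am
++++ polkit-0.98/src/polkitagent/Makefile.am
+@@ -46,6 +46,7 @@ libpolkit_agent_1includedir=$(includedir
+
+libpolkit_agent_1include_HEADERS = \
+polkitagent.h \
++ polkitagentenumtypes.h \
+polkitagenttypes.h \
+polkitagentsession.h \
+polkitagentlistener.h \
+Index: polkit-0.98/src/polkitagent/Makefile.in
+===================================================================
+--- polkit-0.98.orig/src/polkitagent/Makefile.in
++++ polkit-0.98/src/polkitagent/Makefile.in
+@@ -338,6 +338,7 @@ lib_LTLIBRARIES = libpolkit-agent-1.la
+libpolkit_agent_1includedir = $(includedir)/polkit-1/polkitagent
+libpolkit_agent_1include_HEADERS = \
+polkitagent.h \
++ polkitagentenumtypes.h \
+polkitagenttypes.h \
+polkitagentsession.h \
+polkitagentlistener.h \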
@ -1,3 +1,42 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 26 10:04:44 CEST 2010 - vuntz@opensuse.org
|
||||
|
||||
- Update to version 0.98:
|
||||
+ Fix scanning of unix-process subjects
|
||||
+ Add textual authentication agent and use it in pkexec(1)
|
||||
+ Fix ConsoleKit interaction bug
|
||||
+ pkexec: add --disable-internal-agent option
|
||||
+ pkcheck: add --enable-internal-agent option
|
||||
+ Fix wording in pkexec(1) man page
|
||||
+ Various doc cleanups
|
||||
- Changes from version 0.97:
|
||||
+ Port to GDBus
|
||||
+ Add shadow authentication support
|
||||
+ Remove Lock Down functionality
|
||||
+ fdo#26982: pkexec information disclosure vulnerability
|
||||
+ Make polkitd accept --replace and gracefully handle SIGINT
|
||||
+ Implement polkit_temporary_authorization_new_for_gvariant()
|
||||
+ Make NameOwnerChanged a private impl detail of the interactive
|
||||
authority
|
||||
+ Add a GPermission implementation
|
||||
+ PolkitAuthority: Implement failable initialization
|
||||
+ PolkitAuthority: Add g_return_if_fail() checks
|
||||
+ Add g_return_if_fail() to all public API entry points
|
||||
+ Use polkit_authority_get_sync() instead of deprecated
|
||||
polkit_authority_get
|
||||
+ PolkitBackend: Don't export unneeded convenience API
|
||||
+ Update GI annotations
|
||||
+ Don't dist org.freedesktop.ConsoleKit.xml.
|
||||
+ Properly reference headers
|
||||
+ fdo#29051: Configuration reload on every query
|
||||
- Drop pkexec-information-disclosure.patch: fixed upstream.
|
||||
- Add polkit-install-missing-header.patch to install a header that
|
||||
should get installed.
|
||||
- Remove eggdbus-devel BuildRequires.
|
||||
- Build with introspection support: add gobject-introspection
|
||||
BuildRequires and pass --enable-introspection to configure.
|
||||
- Fix groups of all packages to be valid groups.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
|
||||
|
||||
|
39
polkit.spec
39
polkit.spec
@ -1,5 +1,5 @@
|
||||
#
|
||||
# spec file for package polkit (Version 0.96)
|
||||
# spec file for package polkit (Version 0.98)
|
||||
#
|
||||
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
||||
#
|
||||
@ -19,24 +19,25 @@
|
||||
|
||||
Name: polkit
|
||||
Summary: PolicyKit Authorization Framework
|
||||
Version: 0.96
|
||||
Release: 3
|
||||
Version: 0.98
|
||||
Release: 1
|
||||
License: LGPLv2+
|
||||
Url: http://www.freedesktop.org/wiki/Software/PolicyKit
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
Group: System Environment/Libraries
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: libexpat-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: eggdbus-devel
|
||||
BuildRequires: gtk-doc
|
||||
BuildRequires: intltool
|
||||
Requires: ConsoleKit
|
||||
Requires: dbus-1
|
||||
Group: System/Libraries
|
||||
Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.bz2
|
||||
Source99: baselibs.conf
|
||||
# PATCH-FIX-UPSTREAM polkit-install-missing-header.patch fdo#29816 vuntz@opensuse.org -- Install header that should get installed
|
||||
Patch0: polkit-install-missing-header.patch
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: gobject-introspection-devel
|
||||
BuildRequires: gtk-doc
|
||||
BuildRequires: intltool
|
||||
BuildRequires: libexpat-devel
|
||||
BuildRequires: pam-devel
|
||||
Requires: ConsoleKit
|
||||
Requires: dbus-1
|
||||
Requires: libpolkit0 = %{version}-%{release}
|
||||
Patch0: pkexec-information-disclosure.patch
|
||||
|
||||
%description
|
||||
PolicyKit is a toolkit for defining and handling authorizations.
|
||||
@ -46,7 +47,7 @@ processes.
|
||||
%package devel
|
||||
License: LGPLv2+
|
||||
Summary: Development files for PolicyKit
|
||||
Group: Development/Libraries
|
||||
Group: Development/Libraries/C and C++
|
||||
Requires: %name = %{version}-%{release}
|
||||
Requires: pkgconfig
|
||||
Requires: glib2-devel
|
||||
@ -57,7 +58,7 @@ Development files for PolicyKit Authorization Framework.
|
||||
%package doc
|
||||
License: LGPLv2+
|
||||
Summary: Development documentation for PolicyKit
|
||||
Group: Development/Libraries
|
||||
Group: Development/Libraries/C and C++
|
||||
%if 0%{?suse_version} >= 1120
|
||||
BuildArch: noarch
|
||||
%endif
|
||||
@ -68,7 +69,7 @@ Development documentation for PolicyKit Authorization Framework.
|
||||
%package -n libpolkit0
|
||||
License: LGPLv2+
|
||||
Summary: Libraries required for polkit
|
||||
Group: Development/Libraries
|
||||
Group: System/Libraries
|
||||
Requires: %{name} = %{version}
|
||||
|
||||
%description -n libpolkit0
|
||||
@ -88,7 +89,7 @@ export V=1
|
||||
--with-os-type=suse \
|
||||
--enable-gtk-doc \
|
||||
--disable-static \
|
||||
--disable-introspection \
|
||||
--enable-introspection \
|
||||
--enable-examples \
|
||||
--libexecdir=%{_prefix}/lib/polkit-1
|
||||
make %{?_smp_mflags}
|
||||
@ -119,6 +120,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%files -n libpolkit0
|
||||
%defattr(-,root,root,-)
|
||||
%{_libdir}/lib*.so.*
|
||||
%{_libdir}/girepository-1.0/Polkit-1.0.typelib
|
||||
|
||||
%files -f polkit-1.lang
|
||||
%defattr(-,root,root,-)
|
||||
@ -138,7 +140,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/polkit-1
|
||||
%{_sysconfdir}/polkit-1
|
||||
%dir %{_sysconfdir}/polkit-1
|
||||
%config(noreplace) %{_sysconfdir}/polkit-1/nullbackend.conf.d/50-nullbackend.conf
|
||||
%config(noreplace) %{_sysconfdir}/polkit-1/localauthority.conf.d/50-localauthority.conf
|
||||
%{_bindir}/pkaction
|
||||
@ -155,6 +157,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_libdir}/pkgconfig/*.pc
|
||||
%{_includedir}/*
|
||||
%{_bindir}/pk-example-frobnicate
|
||||
%{_datadir}/gir-1.0/*.gir
|
||||
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy
|
||||
|
||||
%files doc
|
||||
|
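Review bot: In the main `%files` list the bare `%{_sysconfdir}/polkit-1` entry is printed next to `%dir %{_sysconfdir}/polkit-1`; if the `%dir` form is the new side (the rendering has lost the +/- markers), the package no longer owns everything below that directory recursively and owns only what is listed explicitly. The visible lines list the two `50-*.conf` files but no `%dir` entries for `nullbackend.conf.d` or `localauthority.conf.d`, so those directories may end up unowned, and `rpm -V` would then not report a changed owner or mode on directories that hold authorization configuration. I would add `%dir %{_sysconfdir}/polkit-1/nullbackend.conf.d` and `%dir %{_sysconfdir}/polkit-1/localauthority.conf.d` unless they are already listed. The `%files` section continues outside the hunk, so this needs checking against the full spec.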