diff --git a/pkexec-information-disclosure.patch b/pkexec-information-disclosure.patch
deleted file mode 100644
index 2766429..0000000
--- a/pkexec-information-disclosure.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
-From: Dan Rosenberg
-Date: Wed, 10 Mar 2010 17:46:19 +0000
-Subject: Bug 26982 – pkexec information disclosure vulnerability
-
-pkexec is vulnerable to a minor information disclosure vulnerability
-that allows an attacker to verify whether or not arbitrary files
-exist, violating directory permissions. I reproduced the issue on my
-Karmic installation as follows:
-
- $ mkdir secret
- $ sudo chown root:root secret
- $ sudo chmod 400 secret
- $ sudo touch secret/hidden
- $ pkexec /home/drosenbe/secret/hidden
- (password prompt)
- $ pkexec /home/drosenbe/secret/doesnotexist
- Error getting information about /home/drosenbe/secret/doesnotexist: No such
- file or directory
-
-I've attached my patch for the issue. I replaced the stat() call
-entirely with access() using F_OK, so rather than check that the
-target exists, pkexec now checks if the user has permission to verify
-the existence of the program. There might be another way of doing
-this, such as chdir()'ing to the parent directory of the target and
-calling lstat(), but this seemed like more code than necessary to
-prevent such a minor problem. I see no reason to allow pkexec to
-execute targets that are not accessible to the executing user because
-of directory permissions. This is such a limited use case anyway that
-this doesn't really affect functionality.
-
-http://bugs.freedesktop.org/show_bug.cgi?id=26982
-
-Signed-off-by: David Zeuthen
----
-diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
-index 860e665..17c191e 100644
---- a/src/programs/pkexec.c
-+++ b/src/programs/pkexec.c
-@@ -411,7 +411,6 @@ main (int argc, char *argv[])
- gchar *opt_user;
- pid_t pid_of_caller;
- uid_t uid_of_caller;
-- struct stat statbuf;
-
- ret = 127;
- authority = NULL;
-@@ -520,9 +519,9 @@ main (int argc, char *argv[])
- g_free (path);
- argv[n] = path = s;
- }
-- if (stat (path, &statbuf) != 0)
-+ if (access (path, F_OK) != 0)
- {
-- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));
-+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
- goto out;
- }
- command_line = g_strjoinv (" ", argv + n);
---
-cgit v0.8.3-6-g21f6
diff --git a/polkit-0.96.tar.bz2 b/polkit-0.96.tar.bz2
deleted file mode 100644
index 75d566f..0000000
--- a/polkit-0.96.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:65425af5ea4a62401df43a224c5f33d0256e4fbd265de09545f55602f14bf25d
-size 856349
diff --git a/polkit-0.98.tar.bz2 b/polkit-0.98.tar.bz2
new file mode 100644
index 0000000..6c4317b
--- /dev/null
+++ b/polkit-0.98.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b282694581465347bd2943398d995a344fa44495f9200196e5ac62f5b961ec57
+size 794417
diff --git a/polkit-install-missing-header.patch b/polkit-install-missing-header.patch
new file mode 100644
index 0000000..671fb33
--- /dev/null
+++ b/polkit-install-missing-header.patch
@@ -0,0 +1,24 @@
+Index: polkit-0.98/src/polkitagent/Makefile.am
+===================================================================
+--- polkit-0.98.orig/src/polkitagent/Makefile.am
++++ polkit-0.98/src/polkitagent/Makefile.am
+@@ -46,6 +46,7 @@ libpolkit_agent_1includedir=$(includedir
+
+ libpolkit_agent_1include_HEADERS = \
+ polkitagent.h \
++ polkitagentenumtypes.h \
+ polkitagenttypes.h \
+ polkitagentsession.h \
+ polkitagentlistener.h \
+Index: polkit-0.98/src/polkitagent/Makefile.in
+===================================================================
+--- polkit-0.98.orig/src/polkitagent/Makefile.in
++++ polkit-0.98/src/polkitagent/Makefile.in
+@@ -338,6 +338,7 @@ lib_LTLIBRARIES = libpolkit-agent-1.la
+ libpolkit_agent_1includedir = $(includedir)/polkit-1/polkitagent
+ libpolkit_agent_1include_HEADERS = \
+ polkitagent.h \
++ polkitagentenumtypes.h \
+ polkitagenttypes.h \
+ polkitagentsession.h \
+ polkitagentlistener.h \
diff --git a/polkit.changes b/polkit.changes
index 1f1f118..777f45b 100644
--- a/polkit.changes
+++ b/polkit.changes
@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Thu Aug 26 10:04:44 CEST 2010 - vuntz@opensuse.org
+
+- Update to version 0.98:
+ + Fix scanning of unix-process subjects
+ + Add textual authentication agent and use it in pkexec(1)
+ + Fix ConsoleKit interaction bug
+ + pkexec: add --disable-internal-agent option
+ + pkcheck: add --enable-internal-agent option
+ + Fix wording in pkexec(1) man page
+ + Various doc cleanups
+- Changes from version 0.97:
+ + Port to GDBus
+ + Add shadow authentication support
+ + Remove Lock Down functionality
+ + fdo#26982: pkexec information disclosure vulnerability
+ + Make polkitd accept --replace and gracefully handle SIGINT
+ + Implement polkit_temporary_authorization_new_for_gvariant()
+ + Make NameOwnerChanged a private impl detail of the interactive
+ authority
+ + Add a GPermission implementation
+ + PolkitAuthority: Implement failable initialization
+ + PolkitAuthority: Add g_return_if_fail() checks
+ + Add g_return_if_fail() to all public API entry points
+ + Use polkit_authority_get_sync() instead of deprecated
+ polkit_authority_get
+ + PolkitBackend: Don't export unneeded convenience API
+ + Update GI annotations
+ + Don't dist org.freedesktop.ConsoleKit.xml.
+ + Properly reference headers
+ + fdo#29051: Configuration reload on every query
+- Drop pkexec-information-disclosure.patch: fixed upstream.
+- Add polkit-install-missing-header.patch to install a header that
+ should get installed.
+- Remove eggdbus-devel BuildRequires.
+- Build with introspection support: add gobject-introspection
+ BuildRequires and pass --enable-introspection to configure.
+- Fix groups of all packages to be valid groups.
+
 -------------------------------------------------------------------
 Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
 
diff --git a/polkit.spec b/polkit.spec
index dc6b513..8e7e9d3 100644
--- a/polkit.spec
+++ b/polkit.spec
@@ -1,5 +1,5 @@ # -# spec file for package polkit (Version 0.96) +# spec file for package polkit (Version 0.98) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -19,24 +19,25 @@ Name: polkit Summary: PolicyKit Authorization Framework -Version: 0.96 -Release: 3 +Version: 0.98 +Release: 1 License: LGPLv2+ Url: http://www.freedesktop.org/wiki/Software/PolicyKit BuildRoot: %{_tmppath}/%{name}-%{version}-build -Group: System Environment/Libraries -BuildRequires: glib2-devel -BuildRequires: libexpat-devel -BuildRequires: pam-devel -BuildRequires: eggdbus-devel -BuildRequires: gtk-doc -BuildRequires: intltool -Requires: ConsoleKit -Requires: dbus-1 +Group: System/Libraries Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.bz2 Source99: baselibs.conf +# PATCH-FIX-UPSTREAM polkit-install-missing-header.patch fdo#29816 vuntz@opensuse.org -- Install header that should get installed +Patch0: polkit-install-missing-header.patch +BuildRequires: glib2-devel +BuildRequires: gobject-introspection-devel +BuildRequires: gtk-doc +BuildRequires: intltool +BuildRequires: libexpat-devel +BuildRequires: pam-devel +Requires: ConsoleKit +Requires: dbus-1 Requires: libpolkit0 = %{version}-%{release} -Patch0: pkexec-information-disclosure.patch %description PolicyKit is a toolkit for defining and handling authorizations. @@ -46,7 +47,7 @@ processes. %package devel License: LGPLv2+ Summary: Development files for PolicyKit -Group: Development/Libraries +Group: Development/Libraries/C and C++ Requires: %name = %{version}-%{release} Requires: pkgconfig Requires: glib2-devel @@ -57,7 +58,7 @@ Development files for PolicyKit Authorization Framework. %package doc License: LGPLv2+ Summary: Development documentation for PolicyKit -Group: Development/Libraries +Group: Development/Libraries/C and C++ %if 0%{?suse_version} >= 1120 BuildArch: noarch %endif 
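Review bot: Removing `Patch0: pkexec-information-disclosure.patch` in the `@@ -19,24 +19,25 @@` hunk means the fdo#26982 fix (pkexec checking the target with `access (path, F_OK)` instead of `stat()`) now comes only from the 0.98 tarball, and nothing in the hunk shows that this was checked against the unpacked source. The changelog attributes the fix to 0.97, so this is probably fine, but it is worth confirming in `src/programs/pkexec.c` of the new tarball before the patch is dropped. `%prep` lies outside the hunk, so it is also not visible whether the reused `Patch0` slot is still applied there.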
@@ -68,7 +69,7 @@ Development documentation for PolicyKit Authorization Framework. %package -n libpolkit0 License: LGPLv2+ Summary: Libraries required for polkit -Group: Development/Libraries +Group: System/Libraries Requires: %{name} = %{version} %description -n libpolkit0 @@ -88,7 +89,7 @@ export V=1 --with-os-type=suse \ --enable-gtk-doc \ --disable-static \ - --disable-introspection \ + --enable-introspection \ --enable-examples \ --libexecdir=%{_prefix}/lib/polkit-1 make %{?_smp_mflags} @@ -119,6 +120,7 @@ rm -rf $RPM_BUILD_ROOT %files -n libpolkit0 %defattr(-,root,root,-) %{_libdir}/lib*.so.* +%{_libdir}/girepository-1.0/Polkit-1.0.typelib %files -f polkit-1.lang %defattr(-,root,root,-) @@ -138,7 +140,7 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf %config(noreplace) %{_sysconfdir}/pam.d/polkit-1 -%{_sysconfdir}/polkit-1 +%dir %{_sysconfdir}/polkit-1 %config(noreplace) %{_sysconfdir}/polkit-1/nullbackend.conf.d/50-nullbackend.conf %config(noreplace) %{_sysconfdir}/polkit-1/localauthority.conf.d/50-localauthority.conf %{_bindir}/pkaction @@ -155,6 +157,7 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/pkgconfig/*.pc %{_includedir}/* %{_bindir}/pk-example-frobnicate +%{_datadir}/gir-1.0/*.gir %{_datadir}/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy %files doc
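Review bot: In the `@@ -138,7 +140,7 @@` hunk, `%dir %{_sysconfdir}/polkit-1` owns only the top directory, whereas the old `%{_sysconfdir}/polkit-1` entry owned everything below it. The `nullbackend.conf.d` and `localauthority.conf.d` directories hold authorization configuration, and unless they are listed elsewhere in `%files` (the section continues outside the hunk) they become unowned, so rpm no longer records or verifies their owner and mode. Consider adding `%dir %{_sysconfdir}/polkit-1/nullbackend.conf.d` and `%dir %{_sysconfdir}/polkit-1/localauthority.conf.d`.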