Accepting request 46290 from Base:System

Copy from Base:System/polkit based on submit request 46290 from user vuntz

OBS-URL: https://build.opensuse.org/request/show/46290
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/polkit?expand=0&rev=12
OBS User autobuild 2010-08-27 15:00:07 +00:00 committed by Git OBS Bridge
commit c89d0c3d16
6 changed files with 87 additions and 82 deletions


@ -1,61 +0,0 @@
From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Date: Wed, 10 Mar 2010 17:46:19 +0000
Subject: Bug 26982 pkexec information disclosure vulnerability
pkexec is vulnerable to a minor information disclosure vulnerability
that allows an attacker to verify whether or not arbitrary files
exist, violating directory permissions. I reproduced the issue on my
Karmic installation as follows:
$ mkdir secret
$ sudo chown root:root secret
$ sudo chmod 400 secret
$ sudo touch secret/hidden
$ pkexec /home/drosenbe/secret/hidden
(password prompt)
$ pkexec /home/drosenbe/secret/doesnotexist
Error getting information about /home/drosenbe/secret/doesnotexist: No such
file or directory
I've attached my patch for the issue. I replaced the stat() call
entirely with access() using F_OK, so rather than check that the
target exists, pkexec now checks if the user has permission to verify
the existence of the program. There might be another way of doing
this, such as chdir()'ing to the parent directory of the target and
calling lstat(), but this seemed like more code than necessary to
prevent such a minor problem. I see no reason to allow pkexec to
execute targets that are not accessible to the executing user because
of directory permissions. This is such a limited use case anyway that
this doesn't really affect functionality.
http://bugs.freedesktop.org/show_bug.cgi?id=26982
Signed-off-by: David Zeuthen <davidz@redhat.com>
---
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 860e665..17c191e 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -411,7 +411,6 @@ main (int argc, char *argv[])
gchar *opt_user;
pid_t pid_of_caller;
uid_t uid_of_caller;
- struct stat statbuf;
ret = 127;
authority = NULL;
@@ -520,9 +519,9 @@ main (int argc, char *argv[])
g_free (path);
argv[n] = path = s;
}
- if (stat (path, &statbuf) != 0)
+ if (access (path, F_OK) != 0)
{
- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));
+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));
goto out;
}
command_line = g_strjoinv (" ", argv + n);
--
cgit v0.8.3-6-g21f6


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:65425af5ea4a62401df43a224c5f33d0256e4fbd265de09545f55602f14bf25d
size 856349

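--- a/polkit-0.98.tar.bz2
+++ b/polkit-0.98.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b282694581465347bd2943398d995a344fa44495f9200196e5ac62f5b961ec57
+size 794417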


@ -0,0 +1,24 @@
Index: polkit-0.98/src/polkitagent/Makefile.am
===================================================================
--- polkit-0.98.orig/src/polkitagent/Makefile.am
+++ polkit-0.98/src/polkitagent/Makefile.am
@@ -46,6 +46,7 @@ libpolkit_agent_1includedir=$(includedir
libpolkit_agent_1include_HEADERS = \
polkitagent.h \
+ polkitagentenumtypes.h \
polkitagenttypes.h \
polkitagentsession.h \
polkitagentlistener.h \
Index: polkit-0.98/src/polkitagent/Makefile.in
===================================================================
--- polkit-0.98.orig/src/polkitagent/Makefile.in
+++ polkit-0.98/src/polkitagent/Makefile.in
@@ -338,6 +338,7 @@ lib_LTLIBRARIES = libpolkit-agent-1.la
libpolkit_agent_1includedir = $(includedir)/polkit-1/polkitagent
libpolkit_agent_1include_HEADERS = \
polkitagent.h \
+ polkitagentenumtypes.h \
polkitagenttypes.h \
polkitagentsession.h \
polkitagentlistener.h \


@ -1,3 +1,42 @@
-------------------------------------------------------------------
Thu Aug 26 10:04:44 CEST 2010 - vuntz@opensuse.org
- Update to version 0.98:
+ Fix scanning of unix-process subjects
+ Add textual authentication agent and use it in pkexec(1)
+ Fix ConsoleKit interaction bug
+ pkexec: add --disable-internal-agent option
+ pkcheck: add --enable-internal-agent option
+ Fix wording in pkexec(1) man page
+ Various doc cleanups
- Changes from version 0.97:
+ Port to GDBus
+ Add shadow authentication support
+ Remove Lock Down functionality
+ fdo#26982: pkexec information disclosure vulnerability
+ Make polkitd accept --replace and gracefully handle SIGINT
+ Implement polkit_temporary_authorization_new_for_gvariant()
+ Make NameOwnerChanged a private impl detail of the interactive
authority
+ Add a GPermission implementation
+ PolkitAuthority: Implement failable initialization
+ PolkitAuthority: Add g_return_if_fail() checks
+ Add g_return_if_fail() to all public API entry points
+ Use polkit_authority_get_sync() instead of deprecated
polkit_authority_get
+ PolkitBackend: Don't export unneeded convenience API
+ Update GI annotations
+ Don't dist org.freedesktop.ConsoleKit.xml.
+ Properly reference headers
+ fdo#29051: Configuration reload on every query
- Drop pkexec-information-disclosure.patch: fixed upstream.
- Add polkit-install-missing-header.patch to install a header that
should get installed.
- Remove eggdbus-devel BuildRequires.
- Build with introspection support: add gobject-introspection
BuildRequires and pass --enable-introspection to configure.
- Fix groups of all packages to be valid groups.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de


@ -1,5 +1,5 @@
# #
# spec file for package polkit (Version 0.96) # spec file for package polkit (Version 0.98)
# #
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
@ -19,24 +19,25 @@
Name: polkit Name: polkit
Summary: PolicyKit Authorization Framework Summary: PolicyKit Authorization Framework
Version: 0.96 Version: 0.98
Release: 3 Release: 1
License: LGPLv2+ License: LGPLv2+
Url: http://www.freedesktop.org/wiki/Software/PolicyKit Url: http://www.freedesktop.org/wiki/Software/PolicyKit
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
Group: System Environment/Libraries Group: System/Libraries
BuildRequires: glib2-devel
BuildRequires: libexpat-devel
BuildRequires: pam-devel
BuildRequires: eggdbus-devel
BuildRequires: gtk-doc
BuildRequires: intltool
Requires: ConsoleKit
Requires: dbus-1
Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.bz2 Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.bz2
Source99: baselibs.conf Source99: baselibs.conf
# PATCH-FIX-UPSTREAM polkit-install-missing-header.patch fdo#29816 vuntz@opensuse.org -- Install header that should get installed
Patch0: polkit-install-missing-header.patch
BuildRequires: glib2-devel
BuildRequires: gobject-introspection-devel
BuildRequires: gtk-doc
BuildRequires: intltool
BuildRequires: libexpat-devel
BuildRequires: pam-devel
Requires: ConsoleKit
Requires: dbus-1
Requires: libpolkit0 = %{version}-%{release} Requires: libpolkit0 = %{version}-%{release}
Patch0: pkexec-information-disclosure.patch
%description %description
PolicyKit is a toolkit for defining and handling authorizations. PolicyKit is a toolkit for defining and handling authorizations.
@ -46,7 +47,7 @@ processes.
%package devel %package devel
License: LGPLv2+ License: LGPLv2+
Summary: Development files for PolicyKit Summary: Development files for PolicyKit
Group: Development/Libraries Group: Development/Libraries/C and C++
Requires: %name = %{version}-%{release} Requires: %name = %{version}-%{release}
Requires: pkgconfig Requires: pkgconfig
Requires: glib2-devel Requires: glib2-devel
@ -57,7 +58,7 @@ Development files for PolicyKit Authorization Framework.
%package doc %package doc
License: LGPLv2+ License: LGPLv2+
Summary: Development documentation for PolicyKit Summary: Development documentation for PolicyKit
Group: Development/Libraries Group: Development/Libraries/C and C++
%if 0%{?suse_version} >= 1120 %if 0%{?suse_version} >= 1120
BuildArch: noarch BuildArch: noarch
%endif %endif
@ -68,7 +69,7 @@ Development documentation for PolicyKit Authorization Framework.
%package -n libpolkit0 %package -n libpolkit0
License: LGPLv2+ License: LGPLv2+
Summary: Libraries required for polkit Summary: Libraries required for polkit
Group: Development/Libraries Group: System/Libraries
Requires: %{name} = %{version} Requires: %{name} = %{version}
%description -n libpolkit0 %description -n libpolkit0
@ -88,7 +89,7 @@ export V=1
--with-os-type=suse \ --with-os-type=suse \
--enable-gtk-doc \ --enable-gtk-doc \
--disable-static \ --disable-static \
--disable-introspection \ --enable-introspection \
--enable-examples \ --enable-examples \
--libexecdir=%{_prefix}/lib/polkit-1 --libexecdir=%{_prefix}/lib/polkit-1
make %{?_smp_mflags} make %{?_smp_mflags}
@ -119,6 +120,7 @@ rm -rf $RPM_BUILD_ROOT
%files -n libpolkit0 %files -n libpolkit0
%defattr(-,root,root,-) %defattr(-,root,root,-)
%{_libdir}/lib*.so.* %{_libdir}/lib*.so.*
%{_libdir}/girepository-1.0/Polkit-1.0.typelib
%files -f polkit-1.lang %files -f polkit-1.lang
%defattr(-,root,root,-) %defattr(-,root,root,-)
@ -138,7 +140,7 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy %{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
%config(noreplace) %{_sysconfdir}/pam.d/polkit-1 %config(noreplace) %{_sysconfdir}/pam.d/polkit-1
%{_sysconfdir}/polkit-1 %dir %{_sysconfdir}/polkit-1
%config(noreplace) %{_sysconfdir}/polkit-1/nullbackend.conf.d/50-nullbackend.conf %config(noreplace) %{_sysconfdir}/polkit-1/nullbackend.conf.d/50-nullbackend.conf
%config(noreplace) %{_sysconfdir}/polkit-1/localauthority.conf.d/50-localauthority.conf %config(noreplace) %{_sysconfdir}/polkit-1/localauthority.conf.d/50-localauthority.conf
%{_bindir}/pkaction %{_bindir}/pkaction
@ -155,6 +157,7 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/pkgconfig/*.pc %{_libdir}/pkgconfig/*.pc
%{_includedir}/* %{_includedir}/*
%{_bindir}/pk-example-frobnicate %{_bindir}/pk-example-frobnicate
%{_datadir}/gir-1.0/*.gir
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy %{_datadir}/polkit-1/actions/org.freedesktop.policykit.examples.pkexec.policy
%files doc %files doc
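Review bot: Changing `%{_sysconfdir}/polkit-1` to `%dir %{_sysconfdir}/polkit-1` in the main `%files` list means the package now owns only that directory and the two `%config(noreplace)` files listed after it, not everything below it. In the visible lines the `nullbackend.conf.d` and `localauthority.conf.d` subdirectories are therefore unowned, so rpm no longer tracks or verifies the owner and mode of directories that hold authorization configuration. An empty directory that the install step creates under `%{_sysconfdir}/polkit-1` would also be dropped from the package without a build error. Unless these are already listed in the part of `%files` outside this hunk, add `%dir %{_sysconfdir}/polkit-1/nullbackend.conf.d` and `%dir %{_sysconfdir}/polkit-1/localauthority.conf.d`, plus a `%dir` entry for any other subdirectory the build installs there.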