From 81281b0796ed7df547d6ca4d1ba19a6dd274160675a8e8dc28909e170e24ffbf Mon Sep 17 00:00:00 2001
From: Scott Reeves
Date: Fri, 27 Sep 2013 22:36:06 +0000
Subject: [PATCH] Accepting request 201242 from home:sreeves1:branches:Base:System fix bnc#838939
OBS-URL: https://build.opensuse.org/request/show/201242
OBS-URL: https://build.opensuse.org/package/show/Base:System/rtkit?expand=0&rev=21
---
 rtkit-bnc836939.patch | 43 +++++++++++++++++++++++++++++++++++++++++++
 rtkit.changes | 6 ++++++
 rtkit.spec | 5 ++++-
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 rtkit-bnc836939.patch
diff --git a/rtkit-bnc836939.patch b/rtkit-bnc836939.patch
new file mode 100644
index 0000000..205777f
--- /dev/null
+++ b/rtkit-bnc836939.patch
@@ -0,0 +1,43 @@
+commit 88d4082ef6caf6b071d749dca1c50e7edde914cc
+Author: Colin Walters
+Date: Thu Aug 22 16:05:22 2013 -0400
+
+ Pass uid of caller to polkit
+
+ Otherwise, we force polkit to look up the uid itself in /proc, which
+ is racy if they execve() a setuid binary.
+
+diff --git a/rtkit-daemon.c b/rtkit-daemon.c
+index 2ebe673..3ecc1f7 100644
+--- a/rtkit-daemon.c
++++ b/rtkit-daemon.c
+@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
+ DBusMessage *m = NULL, *r = NULL;
+ const char *unix_process = "unix-process";
+ const char *pid = "pid";
++ const char *uid = "uid";
+ const char *start_time = "start-time";
+ const char *cancel_id = "";
+ uint32_t flags = 0;
+ uint32_t pid_u32 = p->pid;
+- uint64_t start_time_u64 = p->starttime;
++ uint32_t uid_u32 = (uint32_t)u->uid;
+ DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
++ uint64_t start_time_u64 = p->starttime;
+ int ret;
+ dbus_bool_t authorized = FALSE;
+
+@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
+ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
+ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
+
++ assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict));
++ assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid));
++ assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant));
++ assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32));
++ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
++ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
++
+ assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array));
+ assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));
+
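Review bot: The added `uint32_t uid_u32 = (uint32_t)u->uid;` is what the fix rests on, yet nothing at that line records where `u->uid` comes from or why it is sent. How `u` is filled in is outside the hunk; if it were itself derived from /proc for `p->pid`, the setuid-execve() race named in the commit message would only move into this daemon, so that is worth confirming. Once confirmed, a comment there such as `/* caller uid as reported for the D-Bus connection; sent so polkit need not look it up in /proc */` would document the invariant. The new dict entry also only helps if the polkit daemon this package runs against honours a `uid` key on a `unix-process` subject, which the spec change does not express. verify_polkit's body starts and ends outside both inner hunks.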
diff --git a/rtkit.changes b/rtkit.changes
index 81f1d5b..aa7def9 100644
--- a/rtkit.changes
+++ b/rtkit.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Sep 27 22:21:16 UTC 2013 - sreeves@suse.com
+
+- Add rtkit-bnc836939.patch
+ Fix bnc#836939 - use of insecure polkit DBUS API. CVE-2013-4326
+
 -------------------------------------------------------------------
 Wed Oct 17 14:13:55 UTC 2012 - fcrozat@suse.com
 
diff --git a/rtkit.spec b/rtkit.spec
index 2f9b472..8422152 100644
--- a/rtkit.spec
+++ b/rtkit.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package rtkit
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -39,6 +39,8 @@ BuildRequires: pkgconfig(libsystemd-daemon)
 %define has_systemd 1
 %endif
 Patch0: rtkit-use-system-sd-daemon.patch
+# PATCH-FIX-UPSTREAM rtkit-bnc836939.patch sreeves@suse.com -- use of insecure polkit DBUS API
+Patch1: rtkit-bnc836939.patch
 
 %description
 RealtimeKit is a D-Bus system service that changes the
@@ -50,6 +52,7 @@ processes.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 
 %build
 autoreconf -fiv
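Review bot: The `# PATCH-FIX-UPSTREAM` tag line added above `Patch1` in rtkit.spec names neither the bug nor the CVE, so the spec alone does not show that this patch is a security fix. Something like `# PATCH-FIX-UPSTREAM rtkit-bnc836939.patch bnc#836939 CVE-2013-4326 sreeves@suse.com -- pass caller uid to polkit` would keep that traceable. The commit subject cites bnc#838939 while the patch file name and the rtkit.changes entry use bnc#836939; one of the two is presumably a typo and is worth reconciling.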