From 1224d7b427a507339087e2f72c481b560c85149b Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Sat, 8 Nov 2014 15:28:23 -0500 Subject: [PATCH 1/7] Split separate -libs package, so that NetworkManager can just depend on that, without dragging in the daemon (as well as libmozjs17). This allows the creation of more minimal systems that want programs like NM, but do not need the configurability of the daemon; it would be ok if only root is authorized. --- polkit.spec | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/polkit.spec b/polkit.spec index 0c9c03f..0eb6d33 100644 --- a/polkit.spec +++ b/polkit.spec @@ -6,7 +6,7 @@ Summary: An authorization framework Name: polkit Version: 0.112 -Release: 7%{?dist} +Release: 8%{?dist} License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/polkit Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz @@ -83,6 +83,14 @@ BuildArch: noarch %description docs Development documentation for polkit. +%package libs +Summary: Libraries for polkit +Group: Development/Libraries + +%description libs +Libraries files for polkit. + + %prep %setup -q %patch0 -p1 -b .XDG_RUNTIME_DIR @@ -138,7 +146,6 @@ exit 0 %files -f polkit-1.lang %defattr(-,root,root,-) %doc COPYING NEWS README -%{_libdir}/lib*.so.* %{_datadir}/man/man1/* %{_datadir}/man/man8/* %{_datadir}/dbus-1/system-services/* @@ -157,7 +164,6 @@ exit 0 %{_bindir}/pkttyagent %dir %{_prefix}/lib/polkit-1 %{_prefix}/lib/polkit-1/polkitd -%{_libdir}/girepository-1.0/*.typelib # see upstream docs for why these permissions are necessary %attr(4755,root,root) %{_bindir}/pkexec 
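Review bot: The new `%package libs` stanza is not accompanied, in any hunk visible here, by a requirement that ties the main package to the same build of the libraries. Automatic soname dependencies will pull in some `polkit-libs`, but not necessarily the matching release, and for an authorization framework a security update should not be able to leave polkitd and libpolkit at different versions. Unless it already exists outside these hunks, add `Requires: %{name}-libs%{?_isa} = %{version}-%{release}` to the main package. `Group: Development/Libraries` also looks wrong for runtime libraries, since the main package uses `System Environment/Libraries`.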
@@ -174,7 +180,18 @@ exit 0 %defattr(-,root,root,-) %{_datadir}/gtk-doc +%files libs +%{_libdir}/lib*.so.* +%{_libdir}/girepository-1.0/*.typelib + %changelog +* Sat Nov 08 2014 Colin Walters - 0.112-8 +- Split separate -libs package, so that NetworkManager can just depend on + that, without dragging in the daemon (as well as libmozjs17). This + allows the creation of more minimal systems that want programs like NM, + but do not need the configurability of the daemon; it would be ok if only + root is authorized. + * Sun Aug 17 2014 Fedora Release Engineering - 0.112-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild From ddfe2e6107e37aa6503e4a2a17d7b9430352f81b Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Sun, 25 Jan 2015 13:47:21 -0600 Subject: [PATCH 2/7] 0.112-9 - polkit doesn't release reference counters of GVariant data (#1180886) - fix ldconfig scriptlets (move to -libs subpkg) --- polkit.spec | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/polkit.spec b/polkit.spec index 0eb6d33..abcd6bd 100644 --- a/polkit.spec +++ b/polkit.spec @@ -6,7 +6,7 @@ Summary: An authorization framework Name: polkit Version: 0.112 -Release: 8%{?dist} +Release: 9%{?dist} License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/polkit Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz @@ -19,6 +19,9 @@ Patch1: polkit-0.112-PolkitAgentSession-race.patch Patch2: polkit-0.112-systemd-Deduplicate-code-paths.patch # http://cgit.freedesktop.org/polkit/commit/?id=a68f5dfd7662767b7b9822090b70bc5bd145c50c Patch3: polkit-0.112-systemd-prepare-for-D-Bus-user-bus.patch +# https://bugs.freedesktop.org/show_bug.cgi?id=88288 +# http://cgit.freedesktop.org/polkit/commit/?id=f4d71e0de885010494b8b0b8d62ca910011d7544 +Patch4: 0018-authority-Fix-memory-leak-in-EnumerateActions-call-r.patch Group: System Environment/Libraries BuildRequires: glib2-devel >= 2.30.0 BuildRequires: expat-devel 
@@ -97,6 +100,7 @@ Libraries files for polkit. %patch1 -p1 -b .PolkitAgentSession-race %patch2 -p1 -b .dbus-user-bus %patch3 -p1 -b .session-dedup-code +%patch4 -p1 -b .authority-Fix-memory-leak %build %if 0%{?enable_autoreconf} @@ -126,7 +130,6 @@ getent passwd polkitd >/dev/null || useradd -r -g polkitd -d / -s /sbin/nologin exit 0 %post -/sbin/ldconfig # The implied (systemctl preset) will fail and complain, but the macro hides # and ignores the fact. This is in fact what we want, polkit.service does not # have an [Install] section and it is always started on demand. @@ -136,7 +139,6 @@ exit 0 %systemd_preun polkit.service %postun -/sbin/ldconfig # Not %%systemd_postun_with_restart - let's err on the side of safety, and keep # the daemon, with its temporary authorizations and agent registrations, running # after the upgrade as well; it would be unfortunate if the upgrade tool failed @@ -180,11 +182,18 @@ exit 0 %defattr(-,root,root,-) %{_datadir}/gtk-doc +%post libs -p /sbin/ldconfig +%postun libs -p /sbin/ldconfig + %files libs %{_libdir}/lib*.so.* %{_libdir}/girepository-1.0/*.typelib %changelog +* Sun Jan 25 2015 Rex Dieter - 0.112-9 +- polkit doesn't release reference counters of GVariant data (#1180886) +- fix ldconfig scriptlets (move to -libs subpkg) + * Sat Nov 08 2014 Colin Walters - 0.112-8 - Split separate -libs package, so that NetworkManager can just depend on that, without dragging in the daemon (as well as libmozjs17). This From b483a76f3822f3aeba3626ead536797284d3a300 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Sun, 25 Jan 2015 18:21:23 -0600 Subject: [PATCH 3/7] add awol patch --- ...mory-leak-in-EnumerateActions-call-r.patch | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 0018-authority-Fix-memory-leak-in-EnumerateActions-call-r.patch 
diff --git a/0018-authority-Fix-memory-leak-in-EnumerateActions-call-r.patch b/0018-authority-Fix-memory-leak-in-EnumerateActions-call-r.patch new file mode 100644 index 0000000..f0f07b2 --- /dev/null +++ b/0018-authority-Fix-memory-leak-in-EnumerateActions-call-r.patch @@ -0,0 +1,30 @@ +From f4d71e0de885010494b8b0b8d62ca910011d7544 Mon Sep 17 00:00:00 2001 +From: "Max A. Dednev" +Date: Sun, 11 Jan 2015 20:00:44 -0500 +Subject: [PATCH 18/18] authority: Fix memory leak in EnumerateActions call + results handler + +Policykit-1 doesn't release reference counters of GVariant data for +org.freedesktop.PolicyKit1.Authority.EnumerateActions dbus call. This +patch fixed reference counting and following memory leak. + +https://bugs.freedesktop.org/show_bug.cgi?id=88288 +--- + src/polkit/polkitauthority.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/polkit/polkitauthority.c b/src/polkit/polkitauthority.c +index 75619ab..ab6d3cd 100644 +--- a/src/polkit/polkitauthority.c ++++ b/src/polkit/polkitauthority.c +@@ -715,7 +715,6 @@ polkit_authority_enumerate_actions_finish (PolkitAuthority *authority, + while ((child = g_variant_iter_next_value (&iter)) != NULL) + { + ret = g_list_prepend (ret, polkit_action_description_new_for_gvariant (child)); +- g_variant_ref_sink (child); + g_variant_unref (child); + } + ret = g_list_reverse (ret); +-- +2.1.0 + From 3b707439bd7687611e4a4fbdc784f2c3558665df Mon Sep 17 00:00:00 2001 From: Dennis Gilmore Date: Thu, 18 Jun 2015 15:37:11 +0000 Subject: [PATCH 4/7] - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild --- polkit.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/polkit.spec b/polkit.spec index abcd6bd..73e7900 100644 --- a/polkit.spec +++ b/polkit.spec 
@@ -6,7 +6,7 @@ Summary: An authorization framework Name: polkit Version: 0.112 -Release: 9%{?dist} +Release: 10%{?dist} License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/polkit Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz @@ -190,6 +190,9 @@ exit 0 %{_libdir}/girepository-1.0/*.typelib %changelog +* Thu Jun 18 2015 Fedora Release Engineering - 0.112-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + * Sun Jan 25 2015 Rex Dieter - 0.112-9 - polkit doesn't release reference counters of GVariant data (#1180886) - fix ldconfig scriptlets (move to -libs subpkg) From 14fa2ea73552be9ba8b33e34d687afea090c2ec3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Fri, 19 Jun 2015 02:55:02 +0200 Subject: [PATCH 5/7] Ignore Eclipse metadata --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index f03ed94..23d2ea0 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +/.project polkit-0.92.tar.gz polkit-0.93.tar.gz polkit-0.94.tar.gz From cf8b2764645cbdc21c2ba571d2706e02a5b03aaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Fri, 19 Jun 2015 03:52:49 +0200 Subject: [PATCH 6/7] Ensure %{_unitdir} is defined, to fix the build. --- polkit.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/polkit.spec b/polkit.spec index 73e7900..9d7b27d 100644 --- a/polkit.spec +++ b/polkit.spec @@ -6,7 +6,7 @@ Summary: An authorization framework Name: polkit Version: 0.112 -Release: 10%{?dist} +Release: 11%{?dist} License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/polkit Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz 
@@ -29,7 +29,7 @@ BuildRequires: pam-devel BuildRequires: gtk-doc BuildRequires: intltool BuildRequires: gobject-introspection-devel -BuildRequires: systemd-devel +BuildRequires: systemd, systemd-devel BuildRequires: mozjs17-devel %if 0%{?enable_autoreconf} @@ -190,6 +190,9 @@ exit 0 %{_libdir}/girepository-1.0/*.typelib %changelog +* Fri Jun 19 2015 Miloslav Trmač - 0.112-11 +- Add BuildRequires: systemd so that %%{_unitdir} is defined, to fix the build. + * Thu Jun 18 2015 Fedora Release Engineering - 0.112-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild From 0e57360c4e65fb197ddade39790b142300c01ea6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Thu, 2 Jul 2015 20:37:11 +0200 Subject: [PATCH 7/7] Update to polkit-0.113 (CVE-2015-3218, CVE-2015-3255, CVE-2015-3256, CVE-2015-4625) --- .gitignore | 2 + ...mory-leak-in-EnumerateActions-call-r.patch | 30 ----- polkit-0.112-PolkitAgentSession-race.patch | 120 ------------------ polkit-0.112-XDG_RUNTIME_DIR.patch | 78 ------------ ...0.112-systemd-Deduplicate-code-paths.patch | 107 ---------------- ...2-systemd-prepare-for-D-Bus-user-bus.patch | 87 ------------- polkit.spec | 33 ++--- sources | 4 +- 8 files changed, 13 insertions(+), 448 deletions(-) delete mode 100644 0018-authority-Fix-memory-leak-in-EnumerateActions-call-r.patch delete mode 100644 polkit-0.112-PolkitAgentSession-race.patch delete mode 100644 polkit-0.112-XDG_RUNTIME_DIR.patch delete mode 100644 polkit-0.112-systemd-Deduplicate-code-paths.patch delete mode 100644 polkit-0.112-systemd-prepare-for-D-Bus-user-bus.patch diff --git a/.gitignore b/.gitignore index 23d2ea0..aa05492 100644 --- a/.gitignore +++ b/.gitignore @@ -22,3 +22,5 @@ polkit-0.98.tar.gz /polkit-0.111.tar.gz.sign /polkit-0.112.tar.gz /polkit-0.112.tar.gz.sign +/polkit-0.113.tar.gz +/polkit-0.113.tar.gz.sign 
diff --git a/0018-authority-Fix-memory-leak-in-EnumerateActions-call-r.patch b/0018-authority-Fix-memory-leak-in-EnumerateActions-call-r.patch deleted file mode 100644 index f0f07b2..0000000 --- a/0018-authority-Fix-memory-leak-in-EnumerateActions-call-r.patch +++ /dev/null @@ -1,30 +0,0 @@ -From f4d71e0de885010494b8b0b8d62ca910011d7544 Mon Sep 17 00:00:00 2001 -From: "Max A. Dednev" -Date: Sun, 11 Jan 2015 20:00:44 -0500 -Subject: [PATCH 18/18] authority: Fix memory leak in EnumerateActions call - results handler - -Policykit-1 doesn't release reference counters of GVariant data for -org.freedesktop.PolicyKit1.Authority.EnumerateActions dbus call. This -patch fixed reference counting and following memory leak. - -https://bugs.freedesktop.org/show_bug.cgi?id=88288 ---- - src/polkit/polkitauthority.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/src/polkit/polkitauthority.c b/src/polkit/polkitauthority.c -index 75619ab..ab6d3cd 100644 ---- a/src/polkit/polkitauthority.c -+++ b/src/polkit/polkitauthority.c -@@ -715,7 +715,6 @@ polkit_authority_enumerate_actions_finish (PolkitAuthority *authority, - while ((child = g_variant_iter_next_value (&iter)) != NULL) - { - ret = g_list_prepend (ret, polkit_action_description_new_for_gvariant (child)); -- g_variant_ref_sink (child); - g_variant_unref (child); - } - ret = g_list_reverse (ret); --- -2.1.0 - diff --git a/polkit-0.112-PolkitAgentSession-race.patch b/polkit-0.112-PolkitAgentSession-race.patch deleted file mode 100644 index d6e16b2..0000000 --- a/polkit-0.112-PolkitAgentSession-race.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 7650ad1e08ab13bdb461783c4995d186d9392840 Mon Sep 17 00:00:00 2001 -From: Rui Matos -Date: Thu, 6 Feb 2014 18:41:18 +0100 -Subject: [PATCH] PolkitAgentSession: fix race between child and io watches - -The helper flushes and fdatasyncs stdout and stderr before terminating -but this doesn't guarantee that our io watch is called before our -child watch. This means that we can end up with a successful return -from the helper which we still report as a failure. - -If we add G_IO_HUP and G_IO_ERR to the conditions we look for in the -io watch and the child terminates we still run the io watch handler -which will complete the session. - -This means that the child watch is in fact needless and we can remove -it. - -https://bugs.freedesktop.org/show_bug.cgi?id=60847 ---- - src/polkitagent/polkitagentsession.c | 47 +++++++++--------------------------- - 1 file changed, 11 insertions(+), 36 deletions(-) - -diff --git a/src/polkitagent/polkitagentsession.c b/src/polkitagent/polkitagentsession.c -index 1c7a2dc..f014773 100644 ---- a/src/polkitagent/polkitagentsession.c -+++ b/src/polkitagent/polkitagentsession.c -@@ -92,7 +92,6 @@ struct _PolkitAgentSession - int child_stdout; - GPid child_pid; - -- GSource *child_watch_source; - GSource *child_stdout_watch_source; - GIOChannel *child_stdout_channel; - -@@ -377,13 +376,6 @@ kill_helper (PolkitAgentSession *session) - session->child_pid = 0; - } - -- if (session->child_watch_source != NULL) -- { -- g_source_destroy (session->child_watch_source); -- g_source_unref (session->child_watch_source); -- session->child_watch_source = NULL; -- } -- - if (session->child_stdout_watch_source != NULL) - { - g_source_destroy (session->child_stdout_watch_source); -@@ -429,26 +421,6 @@ complete_session (PolkitAgentSession *session, - } - } - --static void --child_watch_func (GPid pid, -- gint status, -- gpointer user_data) --{ -- PolkitAgentSession *session = POLKIT_AGENT_SESSION (user_data); -- -- if (G_UNLIKELY 
(_show_debug ())) -- { -- g_print ("PolkitAgentSession: in child_watch_func for pid %d (WIFEXITED=%d WEXITSTATUS=%d)\n", -- (gint) pid, -- WIFEXITED(status), -- WEXITSTATUS(status)); -- } -- -- /* kill all the watches we have set up, except for the child since it has exited already */ -- session->child_pid = 0; -- complete_session (session, FALSE); --} -- - static gboolean - io_watch_have_data (GIOChannel *channel, - GIOCondition condition, -@@ -475,10 +447,13 @@ io_watch_have_data (GIOChannel *channel, - NULL, - NULL, - &error); -- if (error != NULL) -+ if (error != NULL || line == NULL) - { -- g_warning ("Error reading line from helper: %s", error->message); -- g_error_free (error); -+ /* In case we get just G_IO_HUP, line is NULL but error is -+ unset.*/ -+ g_warning ("Error reading line from helper: %s", -+ error ? error->message : "nothing to read"); -+ g_clear_error (&error); - - complete_session (session, FALSE); - goto out; -@@ -540,6 +515,9 @@ io_watch_have_data (GIOChannel *channel, - g_free (line); - g_free (unescaped); - -+ if (condition & (G_IO_ERR | G_IO_HUP)) -+ complete_session (session, FALSE); -+ - /* keep the IOChannel around */ - return TRUE; - } -@@ -650,12 +628,9 @@ polkit_agent_session_initiate (PolkitAgentSession *session) - if (G_UNLIKELY (_show_debug ())) - g_print ("PolkitAgentSession: spawned helper with pid %d\n", (gint) session->child_pid); - -- session->child_watch_source = g_child_watch_source_new (session->child_pid); -- g_source_set_callback (session->child_watch_source, (GSourceFunc) child_watch_func, session, NULL); -- g_source_attach (session->child_watch_source, g_main_context_get_thread_default ()); -- - session->child_stdout_channel = g_io_channel_unix_new (session->child_stdout); -- session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel, G_IO_IN); -+ session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel, -+ G_IO_IN | G_IO_ERR | G_IO_HUP); - g_source_set_callback 
(session->child_stdout_watch_source, (GSourceFunc) io_watch_have_data, session, NULL); - g_source_attach (session->child_stdout_watch_source, g_main_context_get_thread_default ()); - --- -1.8.3.1 - diff --git a/polkit-0.112-XDG_RUNTIME_DIR.patch b/polkit-0.112-XDG_RUNTIME_DIR.patch deleted file mode 100644 index f8c2e77..0000000 --- a/polkit-0.112-XDG_RUNTIME_DIR.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From 8635ffc16aeff6a07d675f861fe0dea03ea81d7e Mon Sep 17 00:00:00 2001 -From: Colin Walters -Date: Thu, 21 Nov 2013 17:39:37 -0500 -Subject: [PATCH] pkexec: Work around systemd injecting broken XDG_RUNTIME_DIR - -This workaround isn't too much code, and it's often better to fix bugs -in two places anyways. - -For more information: - -See https://bugzilla.redhat.com/show_bug.cgi?id=753882 -See http://lists.freedesktop.org/archives/systemd-devel/2013-November/014370.html ---- - src/programs/pkexec.c | 33 ++++++++++++++++++++++++++++++--- - 1 file changed, 30 insertions(+), 3 deletions(-) - -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c -index 005e1fe..a7ca8e0 100644 ---- a/src/programs/pkexec.c -+++ b/src/programs/pkexec.c -@@ -143,8 +143,22 @@ pam_conversation_function (int n, - return PAM_CONV_ERR; - } - -+/* A work around for: -+ * https://bugzilla.redhat.com/show_bug.cgi?id=753882 -+ */ -+static gboolean -+xdg_runtime_dir_is_owned_by (const char *path, -+ uid_t target_uid) -+{ -+ struct stat stbuf; -+ -+ return stat (path, &stbuf) == 0 && -+ stbuf.st_uid == target_uid; -+} -+ - static gboolean --open_session (const gchar *user_to_auth) -+open_session (const gchar *user_to_auth, -+ uid_t target_uid) - { - gboolean ret; - gint rc; -@@ -186,7 +200,19 @@ open_session (const gchar *user_to_auth) - { - guint n; - for (n = 0; envlist[n]; n++) -- putenv (envlist[n]); -+ { -+ const char *envitem = envlist[n]; -+ -+ if (g_str_has_prefix (envitem, "XDG_RUNTIME_DIR=")) -+ { -+ const char *eq = strchr (envitem, '='); -+ g_assert (eq); -+ if (!xdg_runtime_dir_is_owned_by (eq + 1, target_uid)) -+ continue; -+ } -+ -+ putenv (envlist[n]); -+ } - free (envlist); - } - -@@ -913,7 +939,8 @@ main (int argc, char *argv[]) - * As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this. 
- */ - #ifdef POLKIT_AUTHFW_PAM -- if (!open_session (pw->pw_name)) -+ if (!open_session (pw->pw_name, -+ pw->pw_uid)) - { - goto out; - } --- -1.8.3.1 - diff --git a/polkit-0.112-systemd-Deduplicate-code-paths.patch b/polkit-0.112-systemd-Deduplicate-code-paths.patch deleted file mode 100644 index 1cc0fbc..0000000 --- a/polkit-0.112-systemd-Deduplicate-code-paths.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 26d0c0578211fb96fc8fe75572aa11ad6ecbf9b8 Mon Sep 17 00:00:00 2001 -From: Colin Walters -Date: Thu, 7 Nov 2013 15:57:50 -0500 -Subject: [PATCH] sessionmonitor-systemd: Deduplicate code paths - -We had the code to go from pid -> session duplicated. If we have a -PolkitSystemBusName, convert it to a PolkitUnixProcess. -Then we can do PolkitUnixProcess -> pid -> session in one place. - -This is just a code cleanup. - -https://bugs.freedesktop.org/show_bug.cgi?id=69538 ---- - .../polkitbackendsessionmonitor-systemd.c | 63 ++++++++-------------- - 1 file changed, 22 insertions(+), 41 deletions(-) - -diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -index 0185310..756b728 100644 ---- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -+++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -@@ -313,61 +313,42 @@ polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMoni - PolkitSubject *subject, - GError **error) - { -- PolkitSubject *session; -- -- session = NULL; -+ PolkitUnixProcess *tmp_process = NULL; -+ PolkitUnixProcess *process = NULL; -+ PolkitSubject *session = NULL; -+ char *session_id = NULL; -+ pid_t pid; - - if (POLKIT_IS_UNIX_PROCESS (subject)) -- { -- gchar *session_id; -- pid_t pid; -- -- pid = polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (subject)); -- if (sd_pid_get_session (pid, &session_id) < 0) -- goto out; -- -- session = polkit_unix_session_new (session_id); -- free (session_id); -- } -+ process = POLKIT_UNIX_PROCESS (subject); /* We already have a process */ - else if (POLKIT_IS_SYSTEM_BUS_NAME (subject)) - { -- guint32 pid; -- gchar *session_id; -- GVariant *result; -- -- result = g_dbus_connection_call_sync (monitor->system_bus, -- "org.freedesktop.DBus", -- "/org/freedesktop/DBus", -- "org.freedesktop.DBus", -- "GetConnectionUnixProcessID", -- g_variant_new ("(s)", polkit_system_bus_name_get_name 
(POLKIT_SYSTEM_BUS_NAME (subject))), -- G_VARIANT_TYPE ("(u)"), -- G_DBUS_CALL_FLAGS_NONE, -- -1, /* timeout_msec */ -- NULL, /* GCancellable */ -- error); -- if (result == NULL) -- goto out; -- g_variant_get (result, "(u)", &pid); -- g_variant_unref (result); -- -- if (sd_pid_get_session (pid, &session_id) < 0) -- goto out; -- -- session = polkit_unix_session_new (session_id); -- free (session_id); -+ /* Convert bus name to process */ -+ tmp_process = (PolkitUnixProcess*)polkit_system_bus_name_get_process_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error); -+ if (!tmp_process) -+ goto out; -+ process = tmp_process; - } - else - { - g_set_error (error, - POLKIT_ERROR, - POLKIT_ERROR_NOT_SUPPORTED, -- "Cannot get user for subject of type %s", -+ "Cannot get session for subject of type %s", - g_type_name (G_TYPE_FROM_INSTANCE (subject))); - } - -- out: -+ /* Now do process -> pid -> session */ -+ g_assert (process != NULL); -+ pid = polkit_unix_process_get_pid (process); - -+ if (sd_pid_get_session (pid, &session_id) < 0) -+ goto out; -+ -+ session = polkit_unix_session_new (session_id); -+ free (session_id); -+ out: -+ if (tmp_process) g_object_unref (tmp_process); - return session; - } - --- -2.0.0 - diff --git a/polkit-0.112-systemd-prepare-for-D-Bus-user-bus.patch b/polkit-0.112-systemd-prepare-for-D-Bus-user-bus.patch deleted file mode 100644 index 0d0cf9e..0000000 --- a/polkit-0.112-systemd-prepare-for-D-Bus-user-bus.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From a68f5dfd7662767b7b9822090b70bc5bd145c50c Mon Sep 17 00:00:00 2001 -From: Kay Sievers -Date: Mon, 19 May 2014 10:19:49 +0900 -Subject: [PATCH] sessionmonitor-systemd: prepare for D-Bus "user bus" model - -In the D-Bus "user bus" model, all sessions of a user share the same -D-Bus instance, a polkit requesting process might live outside the -login session which registered the user's polkit agent. - -In case a polkit requesting process is not part of the user's login -session, we ask systemd-logind for the the user's "display" session -instead. - -https://bugs.freedesktop.org/show_bug.cgi?id=78905 ---- - configure.ac | 4 ++++ - .../polkitbackendsessionmonitor-systemd.c | 27 ++++++++++++++++++---- - 2 files changed, 26 insertions(+), 5 deletions(-) - -diff --git a/configure.ac b/configure.ac -index a7b0148..e783ea5 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -202,6 +202,10 @@ if test "$enable_libsystemd_login" != "no"; then - if test "$have_libsystemd_login" = "yes"; then - SESSION_TRACKING=libsystemd-login - AC_DEFINE([HAVE_LIBSYSTEMD_LOGIN], 1, [Define to 1 if libsystemd-login is available]) -+ save_LIBS=$LIBS -+ LIBS=$LIBSYSTEMD_LOGIN_LIBS -+ AC_CHECK_FUNCS(sd_uid_get_display) -+ LIBS=$save_LIBS - else - if test "$enable_libsystemd_login" = "yes"; then - AC_MSG_ERROR([libsystemd-login support requested but libsystemd-login library not found]) -diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -index 756b728..9995f87 100644 ---- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -+++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c -@@ -318,6 +318,9 @@ polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMoni - PolkitSubject *session = NULL; - char *session_id = NULL; - pid_t pid; -+#if HAVE_SD_UID_GET_DISPLAY -+ uid_t uid; -+#endif - - if (POLKIT_IS_UNIX_PROCESS (subject)) - process = POLKIT_UNIX_PROCESS (subject); /* We 
already have a process */ -@@ -338,16 +341,30 @@ polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMoni - g_type_name (G_TYPE_FROM_INSTANCE (subject))); - } - -- /* Now do process -> pid -> session */ -+ /* Now do process -> pid -> same session */ - g_assert (process != NULL); - pid = polkit_unix_process_get_pid (process); - -- if (sd_pid_get_session (pid, &session_id) < 0) -+ if (sd_pid_get_session (pid, &session_id) >= 0) -+ { -+ session = polkit_unix_session_new (session_id); -+ goto out; -+ } -+ -+#if HAVE_SD_UID_GET_DISPLAY -+ /* Now do process -> uid -> graphical session (systemd version 213)*/ -+ if (sd_pid_get_owner_uid (pid, &uid) < 0) - goto out; -- -- session = polkit_unix_session_new (session_id); -- free (session_id); -+ -+ if (sd_uid_get_display (uid, &session_id) >= 0) -+ { -+ session = polkit_unix_session_new (session_id); -+ goto out; -+ } -+#endif -+ - out: -+ free (session_id); - if (tmp_process) g_object_unref (tmp_process); - return session; - } --- -2.0.0 - diff --git a/polkit.spec b/polkit.spec index 9d7b27d..48d0dec 100644 --- a/polkit.spec +++ b/polkit.spec 
@@ -1,27 +1,16 @@ # Only enable if using patches that touches configure.ac, # Makefile.am or other build system related files # -%define enable_autoreconf 1 +#define enable_autoreconf 1 Summary: An authorization framework Name: polkit -Version: 0.112 -Release: 11%{?dist} +Version: 0.113 +Release: 1%{?dist} License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/polkit Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign -# https://bugs.freedesktop.org/show_bug.cgi?id=71894 -Patch0: polkit-0.112-XDG_RUNTIME_DIR.patch -# https://bugs.freedesktop.org/show_bug.cgi?id=60847 -Patch1: polkit-0.112-PolkitAgentSession-race.patch -# http://cgit.freedesktop.org/polkit/commit/?id=26d0c0578211fb96fc8fe75572aa11ad6ecbf9b8 -Patch2: polkit-0.112-systemd-Deduplicate-code-paths.patch -# http://cgit.freedesktop.org/polkit/commit/?id=a68f5dfd7662767b7b9822090b70bc5bd145c50c -Patch3: polkit-0.112-systemd-prepare-for-D-Bus-user-bus.patch -# https://bugs.freedesktop.org/show_bug.cgi?id=88288 -# http://cgit.freedesktop.org/polkit/commit/?id=f4d71e0de885010494b8b0b8d62ca910011d7544 -Patch4: 0018-authority-Fix-memory-leak-in-EnumerateActions-call-r.patch Group: System Environment/Libraries BuildRequires: glib2-devel >= 2.30.0 BuildRequires: expat-devel @@ -96,11 +85,6 @@ Libraries files for polkit. %prep %setup -q -%patch0 -p1 -b .XDG_RUNTIME_DIR -%patch1 -p1 -b .PolkitAgentSession-race -%patch2 -p1 -b .dbus-user-bus -%patch3 -p1 -b .session-dedup-code -%patch4 -p1 -b .authority-Fix-memory-leak %build %if 0%{?enable_autoreconf} 
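Review bot: `%prep` now consists of `%setup -q` alone, so the detached signature listed as `Source1` is carried in the package but, as far as these hunks show, never checked during the build. This is a security release fetched from an `http://` `Source0` URL, and the `sources` file in the same commit pins both files by MD5 only, so the build has no strong check that the tarball is the one upstream signed. Consider adding the upstream signing key as a further source and verifying before unpacking, e.g. `%{gpgverify --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'}` ahead of `%setup -q`. `Source2` there is a keyring file this spec does not yet have, and the check needs `BuildRequires: gnupg2`.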
@@ -139,11 +123,7 @@ exit 0 %systemd_preun polkit.service %postun -# Not %%systemd_postun_with_restart - let's err on the side of safety, and keep -# the daemon, with its temporary authorizations and agent registrations, running -# after the upgrade as well; it would be unfortunate if the upgrade tool failed -# because a component can't handle polkitd losing state. -%systemd_postun +%systemd_postun_with_restart polkit.service %files -f polkit-1.lang %defattr(-,root,root,-) @@ -190,6 +170,11 @@ exit 0 %{_libdir}/girepository-1.0/*.typelib %changelog +* Thu Jul 2 2015 Miloslav Trmač - 0.113-1 +- Update to polkit-0.113 (CVE-2015-3218, CVE-2015-3255, CVE-2015-3256, + CVE-2015-4625) + Resolves: #910262, #1175061, #1177930, #1194391, #1228739, #1233810 + * Fri Jun 19 2015 Miloslav Trmač - 0.112-11 - Add BuildRequires: systemd so that %%{_unitdir} is defined, to fix the build. diff --git a/sources b/sources index 40bd1e0..afa6554 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -b0f2fa00a55f47c6a5d88e9b73f80127 polkit-0.112.tar.gz -55dae3c2451345f5049693cce99b7f78 polkit-0.112.tar.gz.sign +4b77776c9e4f897dcfe03b2c34198edf polkit-0.113.tar.gz +86b92a63394de618898b43f5722e9fe2 polkit-0.113.tar.gz.sign
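Review bot: The switch to `%systemd_postun_with_restart polkit.service` in `%postun` deletes the comment that explained why the daemon was deliberately left running across upgrades, and nothing replaces it. Restarting looks appropriate for a release the changelog ties to four CVEs, presumably so the old polkitd does not keep running until reboot. It also discards the temporary authorizations and agent registrations that the removed comment was protecting. Please record that trade-off above the macro, for example `# Restart polkitd on upgrade so the fixed daemon is the one running; temporary authorizations and agent registrations are lost.`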