diff --git a/Allow-uid-of-1-for-a-PolkitUnixProcess.patch b/Allow-uid-of-1-for-a-PolkitUnixProcess.patch
new file mode 100644
index 0000000..e4ac170
--- /dev/null
+++ b/Allow-uid-of-1-for-a-PolkitUnixProcess.patch
@@ -0,0 +1,47 @@
+From 783ec80ec1b4d8f1dc20a2a41dfaddbc1c3f5ab2 Mon Sep 17 00:00:00 2001
+From: Matthew Leeds
+Date: Tue, 11 Dec 2018 12:04:26 -0800
+Subject: [PATCH] Allow uid of -1 for a PolkitUnixProcess
+
+Commit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and
+PolkitUnixProcess to allow negative values for their uid/gid properties,
+since these are values above INT_MAX which wrap around but are still
+valid, with the exception of -1 which is not valid. However,
+PolkitUnixProcess allows a uid of -1 to be passed to
+polkit_unix_process_new_for_owner() which means polkit is expected to
+figure out the uid on its own (this happens in the _constructed
+function). So this commit removes the check in
+polkit_unix_process_set_property() so that new_for_owner() can be used
+as documented without producing a critical error message.
+
+This does not affect the protection against CVE-2018-19788 which is
+based on creating a user with a UID up to but not including 4294967295
+(-1).
+---
+ src/polkit/polkitunixprocess.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
+index 78d7251..289a82e 100644
+--- a/src/polkit/polkitunixprocess.c
++++ b/src/polkit/polkitunixprocess.c
+@@ -228,14 +228,9 @@ polkit_unix_process_set_property (GObject *object,
+ polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+ break;
+
+- case PROP_UID: {
+- gint val;
+-
+- val = g_value_get_int (value);
+- g_return_if_fail (val != -1);
+- polkit_unix_process_set_uid (unix_process, val);
++ case PROP_UID:
++ polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
+ break;
+- }
+
+ case PROP_START_TIME:
+ polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+--
+2.14.5
+
diff --git a/polkit.spec b/polkit.spec
index beb6a7e..12484b7 100644
--- a/polkit.spec
+++ b/polkit.spec
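Review bot: With the `g_return_if_fail (val != -1)` guard removed, the new `case PROP_UID:` hands -1 straight to `polkit_unix_process_set_uid()`, and nothing at that spot says -1 is a deliberate "not yet known" sentinel rather than a real identity. I would add a comment on the case, e.g. `/* -1 means "unset": the uid is resolved in constructed(); see polkit_unix_process_new_for_owner() */`, so the check is not reintroduced later and the value is not mistaken for a valid uid. The commit message places the lookup in the `_constructed` function, which is outside this hunk, so it is worth confirming that a failed lookup there cannot leave the object with uid -1 for later authorization comparisons, and that `polkit_unix_process_set_uid()` carries no -1 assertion of its own. `polkit_unix_process_set_property` begins and ends outside the hunk.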
@@ -6,7 +6,7 @@ Summary: An authorization framework Name: polkit Version: 0.115 -Release: 2.1%{?dist} +Release: 2.2%{?dist} License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/polkit Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz @@ -15,6 +15,7 @@ Group: System Environment/Libraries Patch1: CVE-2018-19788.patch Patch2: start_time-reuse-exploit.patch +Patch3: Allow-uid-of-1-for-a-PolkitUnixProcess.patch BuildRequires: gcc-c++ BuildRequires: glib2-devel >= 2.30.0 @@ -179,6 +180,9 @@ exit 0 %{_libdir}/girepository-1.0/*.typelib %changelog +* Wed Feb 06 2019 Jan Rybar - 0.115-2.2 +- Allow pid=-1 for PolkitUnixProcess to prevent 'critical' + * Wed Jan 09 2019 Jan Rybar - 0.115-2.1 - Fix of start_time reuse exploit (slowfork)