From b1480cde74a78a757d9193ea8538b36900978d34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= Date: Wed, 18 Sep 2013 20:41:48 +0200 Subject: [PATCH] Allow specifying an UID in the --process option of pkcheck(1) Resolves: #1009538, CVE-2013-4288 --- polkit-0.107-CVE-2013-4288.patch | 100 +++++++++++++++++++++++++++++++ polkit.spec | 10 +++- 2 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 polkit-0.107-CVE-2013-4288.patch diff --git a/polkit-0.107-CVE-2013-4288.patch b/polkit-0.107-CVE-2013-4288.patch new file mode 100644 index 0000000..885b6ba --- /dev/null +++ b/polkit-0.107-CVE-2013-4288.patch @@ -0,0 +1,100 @@ +The uid is a new addition; this allows callers such as libvirt to +close a race condition in reading the uid of the process talking to +them. They can read it via getsockopt(SO_PEERCRED) or equivalent, +rather than having pkcheck look at /proc later after the fact. + +Programs which invoke pkcheck but need to know beforehand (i.e. at +compile time) whether or not it supports passing the uid can +use: + +pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1) +test x$pkcheck_supports_uid = xyes + +diff -urN polkit/data/polkit-gobject-1.pc.in polkit-0.107/data/polkit-gobject-1.pc.in +--- polkit/data/polkit-gobject-1.pc.in 2012-04-24 18:05:34.000000000 +0200 ++++ polkit-0.107/data/polkit-gobject-1.pc.in 2013-09-18 20:33:16.451783171 +0200 +@@ -11,3 +11,6 @@ + Libs: -L${libdir} -lpolkit-gobject-1 + Cflags: -I${includedir}/polkit-1 + Requires: gio-2.0 >= 2.18 glib-2.0 >= 2.18 ++# Programs using pkcheck can use this to determine ++# whether or not it can be passed a uid. ++pkcheck_supports_uid=true +diff -urN polkit/docs/man/pkcheck.xml polkit-0.107/docs/man/pkcheck.xml +--- polkit/docs/man/pkcheck.xml 2012-06-04 19:47:39.000000000 +0200 ++++ polkit-0.107/docs/man/pkcheck.xml 2013-09-18 20:33:16.451783171 +0200 +@@ -55,6 +55,9 @@ + + pid,pid-start-time + ++ ++ pid,pid-start-time,uid ++ + + + +@@ -90,7 +93,7 @@ + DESCRIPTION + + pkcheck is used to check whether a process, specified by +- either or , ++ either (see below) or , + is authorized for action. The + option can be used zero or more times to pass details about action. + If is passed, pkcheck blocks +@@ -160,15 +163,23 @@ + + NOTES + +- Since process identifiers can be recycled, the caller should always use +- pid,pid-start-time to specify the process +- to check for authorization when using the option. +- The value of pid-start-time +- can be determined by consulting e.g. the ++ Do not use either the bare pid or ++ pid,start-time syntax forms for ++ . There are race conditions in both. ++ New code should always use ++ pid,pid-start-time,uid. The value of ++ start-time can be determined by ++ consulting e.g. the + proc5 +- file system depending on the operating system. If only pid +- is passed to the option, then pkcheck +- will look up the start time itself but note that this may be racy. ++ file system depending on the operating system. If fewer than 3 ++ arguments are passed, pkcheck will attempt to ++ look up them up internally, but note that this may be racy. ++ ++ ++ If your program is a daemon with e.g. a custom Unix domain ++ socket, you should determine the uid ++ parameter via operating system mechanisms such as ++ PEERCRED. + + + +diff -urN polkit/src/programs/pkcheck.c polkit-0.107/src/programs/pkcheck.c +--- polkit/src/programs/pkcheck.c 2012-04-24 18:05:34.000000000 +0200 ++++ polkit-0.107/src/programs/pkcheck.c 2013-09-18 20:33:16.452783171 +0200 +@@ -372,6 +372,7 @@ + else if (g_strcmp0 (argv[n], "--process") == 0 || g_strcmp0 (argv[n], "-p") == 0) + { + gint pid; ++ guint uid; + guint64 pid_start_time; + + n++; +@@ -381,7 +382,11 @@ + goto out; + } + +- if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2) ++ if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u", &pid, &pid_start_time, &uid) == 3) ++ { ++ subject = polkit_unix_process_new_for_owner (pid, pid_start_time, uid); ++ } ++ else if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2) + { + subject = polkit_unix_process_new_full (pid, pid_start_time); + } diff --git a/polkit.spec b/polkit.spec index e951b89..f24c2c2 100644 --- a/polkit.spec +++ b/polkit.spec @@ -1,7 +1,7 @@ Summary: polkit Authorization Framework Name: polkit Version: 0.107 -Release: 5%{?dist} +Release: 6%{?dist} License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/polkit Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz @@ -36,6 +36,9 @@ Patch1: polkit-0.107-avoid-crashing-if-initializing-the-server-object-fails.patc # Use GOnce for interface type registration Patch2: polkit-0.112-gobject-interface-type-registration-race.patch +# Upstream commit 3968411b0c7ba193f9b9276ec911692aec248608 +Patch3: polkit-0.107-CVE-2013-4288.patch + %description polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to speak to privileged @@ -69,6 +72,7 @@ Development documentation for polkit. %patch0 -p1 -b .fall-back-to-uid-0 %patch1 -p1 -b .crash-fix %patch2 -p1 -b .gtype-race +%patch3 -p1 -b .CVE-2013-4288 %build %configure --enable-gtk-doc \ @@ -137,6 +141,10 @@ exit 0 %{_datadir}/gtk-doc %changelog +* Wed Sep 18 2013 Miloslav Trmač - 0.107-6 +- Allow specifying an UID in the --process option of pkcheck(1) + Resolves: #1009538, CVE-2013-4288 + * Wed May 29 2013 Tomas Bzatek 0.107-5 - Fix a race on PolkitSubject type registration (#866718)