polkit: switch 'polkitd' to static UID/GID (rhbz#2104615 - fpc#1189)

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2104615

.gitignore

@@ -24,3 +24,20 @@ polkit-0.98.tar.gz
 /polkit-0.112.tar.gz.sign
 /polkit-0.113.tar.gz
 /polkit-0.113.tar.gz.sign
+/polkit-0.114.tar.gz
+/polkit-0.114.tar.gz.sign
+/polkit-0.115.tar.gz
+/polkit-0.115.tar.gz.sign
+/polkit-0.116.tar.gz
+/polkit-0.116.tar.gz.sign
+/polkit-0.117.tar.gz
+/polkit-0.117.tar.gz.sign
+/polkit-0.118.tar.gz
+/polkit-0.118.tar.gz.sign
+/polkit-0.120.tar.gz
+/polkit-0.120.tar.gz.sign
+/polkit-121.tar.gz
+/polkit-121.tar.gz.sign
+/polkit-121.tar.xz
+/polkit-121.tar.xz.sign
+/polkit-122.tar.gz

92.patch

@@ -0,0 +1,103 @@
+From 4910132853ad68dbe8f4e7710dd098120d1b9b95 Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry111@mengyan1223.wang>
+Date: Tue, 25 Jan 2022 19:19:30 +0800
+Subject: [PATCH 1/3] jsauthority: ensure to call JS_Init() and JS_ShutDown()
+ exactly once
+
+Before this commit, we were calling JS_Init() in
+polkit_backend_js_authority_class_init and never called JS_ShutDown.
+This is actually a misusage of SpiderMonkey API.  Quote from a comment
+in js/Initialization.h (both mozjs-78 and mozjs-91):
+
+    It is currently not possible to initialize SpiderMonkey multiple
+    times (that is, calling JS_Init/JSAPI methods/JS_ShutDown in that
+    order, then doing so again).
+
+This misusage does not cause severe issues with mozjs-78.  However, when
+we eventually port jsauthority to use mozjs-91, bad thing will happen:
+see the test failure mentioned in #150.
+
+This commit is tested with both mozjs-78 and mozjs-91, all tests pass
+with it.
+---
+ src/polkitbackend/polkitbackendjsauthority.cpp | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
+index ca17108..b22c34e 100644
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
++++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -75,6 +75,13 @@
+
+ /* ---------------------------------------------------------------------------------------------------- */
+
++static class JsInitHelperType
++{
++public:
++	JsInitHelperType() { JS_Init(); }
++	~JsInitHelperType() { JS_ShutDown(); }
++} JsInitHelper;
++
+ struct _PolkitBackendJsAuthorityPrivate
+ {
+   gchar **rules_dirs;
+@@ -589,7 +596,6 @@ polkit_backend_js_authority_finalize (GObject *object)
+   delete authority->priv->js_polkit;
+
+   JS_DestroyContext (authority->priv->cx);
+-  /* JS_ShutDown (); */
+
+   G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->finalize (object);
+ }
+@@ -666,7 +672,6 @@ polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass)
+
+   g_type_class_add_private (klass, sizeof (PolkitBackendJsAuthorityPrivate));
+
+-  JS_Init ();
+ }
+
+ /* ---------------------------------------------------------------------------------------------------- */
+--
+GitLab
+
+
+From 2b5f49a4e4266d2c327ef55e6df121511e23236b Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry111@mengyan1223.wang>
+Date: Tue, 25 Jan 2022 19:20:58 +0800
+Subject: [PATCH 2/3] jsauthority: port to mozjs-91
+
+---
+ configure.ac   | 2 +-
+ meson.build    | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index e434ca2..6783ee7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
+ AC_SUBST(GLIB_CFLAGS)
+ AC_SUBST(GLIB_LIBS)
+
+-PKG_CHECK_MODULES(LIBJS, [mozjs-78])
++PKG_CHECK_MODULES(LIBJS, [mozjs-91])
+
+ AC_SUBST(LIBJS_CFLAGS)
+ AC_SUBST(LIBJS_CXXFLAGS)
+--
+diff --git a/meson.build b/meson.build
+index 858078d..09cce0f 100644
+--- a/meson.build
++++ b/meson.build
+@@ -133,7 +133,7 @@ expat_dep = dependency('expat')
+ assert(cc.has_header('expat.h', dependencies: expat_dep), 'Can\'t find expat.h. Please install expat.')
+ assert(cc.has_function('XML_ParserCreate', dependencies: expat_dep), 'Can\'t find expat library. Please install expat.')
+
+-mozjs_dep = dependency('mozjs-78')
++mozjs_dep = dependency('mozjs-91')
+
+ dbus_dep = dependency('dbus-1', required: false)
+ dbus_policydir = pk_prefix / pk_datadir / 'dbus-1/system.d'
+--
+GitLab
+

CVE-2021-4115.patch

@@ -0,0 +1,71 @@
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8ed1363..2fbf5f1 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -62,6 +62,10 @@ enum
+   PROP_NAME,
+ };
+ 
++
++guint8 dbus_call_respond_fails;      // has to be global because of callback
++
++
+ static void subject_iface_init (PolkitSubjectIface *subject_iface);
+ 
+ G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
+@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject              *src,
+   if (!v)
+     {
+       data->caught_error = TRUE;
++      dbus_call_respond_fails += 1;
+     }
+   else
+     {
+@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+   tmp_context = g_main_context_new ();
+   g_main_context_push_thread_default (tmp_context);
+ 
++  dbus_call_respond_fails = 0;
++
+   /* Do two async calls as it's basically as fast as one sync call.
+    */
+   g_dbus_connection_call (connection,
+@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+ 			  on_retrieved_unix_uid_pid,
+ 			  &data);
+ 
+-  while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+-    g_main_context_iteration (tmp_context, TRUE);
++  while (TRUE)
++  {
++    /* If one dbus call returns error, we must wait until the other call
++     * calls _call_finish(), otherwise fd leak is possible.
++     * Resolves: GHSL-2021-077
++    */
+ 
+-  if (data.caught_error)
+-    goto out;
++    if ( (dbus_call_respond_fails > 1) )
++    {
++      // we got two faults, we can leave
++      goto out;
++    }
++
++    if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
++    {
++      // we got one fault and the other call finally finished, we can leave
++      goto out;
++    }
++
++    if ( !(data.retrieved_uid && data.retrieved_pid) )
++    {
++      g_main_context_iteration (tmp_context, TRUE);
++    }
++    else
++    {
++      break;
++    }
++  }
+ 
+   if (out_uid)
+     *out_uid = data.uid;

a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch

@@ -0,0 +1,79 @@
+From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
+
+---
+ src/programs/pkcheck.c |  5 +++++
+ src/programs/pkexec.c  | 23 ++++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index f1bb4e1..768525c 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+   local_agent_handle = NULL;
+   ret = 126;
+ 
++  if (argc < 1)
++    {
++      exit(126);
++    }
++
+   /* Disable remote file access from GIO. */
+   setenv ("GIO_USE_VFS", "local", 1);
+ 
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 7698c5c..84e5ef6 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+   pid_t pid_of_caller;
+   gpointer local_agent_handle;
+ 
++
++  /*
++   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
++   */
++  if (argc<1)
++    {
++      exit(127);
++    }
++
+   ret = 127;
+   authority = NULL;
+   subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+ 
+       path = g_strdup (pwstruct.pw_shell);
+       if (!path)
+-	{
++        {
+           g_printerr ("No shell configured or error retrieving pw_shell\n");
+           goto out;
+-	}
++        }
+       /* If you change this, be sure to change the if (!command_line)
+ 	 case below too */
+       command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+           goto out;
+         }
+       g_free (path);
+-      argv[n] = path = s;
++      path = s;
++
++      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++       */
++      if (argv[n] != NULL)
++      {
++        argv[n] = path;
++      }
+     }
+   if (access (path, F_OK) != 0)
+     {
+-- 
+GitLab
+

mozjs78.patch

@@ -0,0 +1,90 @@
+diff --git a/configure.ac b/configure.ac
+index eea70fc..c4569f1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -34,7 +34,7 @@ AC_PROG_LN_S
+ AC_SYS_LARGEFILE
+ AM_PROG_CC_C_O
+ AC_PROG_CXX
+-AX_CXX_COMPILE_STDCXX([14], [], [mandatory])
++AX_CXX_COMPILE_STDCXX([17], [], [mandatory])
+ 
+ # Taken from dbus
+ AC_ARG_ENABLE(ansi,             [  --enable-ansi           enable -ansi -pedantic gcc flags],enable_ansi=$enableval,enable_ansi=no)
+@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
+ AC_SUBST(GLIB_CFLAGS)
+ AC_SUBST(GLIB_LIBS)
+ 
+-PKG_CHECK_MODULES(LIBJS, [mozjs-68])
++PKG_CHECK_MODULES(LIBJS, [mozjs-78])
+ 
+ AC_SUBST(LIBJS_CFLAGS)
+ AC_SUBST(LIBJS_CXXFLAGS)
+diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
+index 25bd1f9..ca17108 100644
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
++++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -49,6 +49,7 @@
+ #include <js/Realm.h>
+ #include <js/SourceText.h>
+ #include <js/Warnings.h>
++#include <js/Array.h>
+ #include <jsapi.h>
+ 
+ #include "initjs.h" /* init.js */
+@@ -367,7 +368,7 @@ load_scripts (PolkitBackendJsAuthority  *authority)
+ static void
+ reload_scripts (PolkitBackendJsAuthority *authority)
+ {
+-  JS::AutoValueArray<1> args(authority->priv->cx);
++  JS::RootedValueArray<1> args(authority->priv->cx);
+   JS::RootedValue rval(authority->priv->cx);
+ 
+   JS::RootedObject js_polkit(authority->priv->cx, authority->priv->js_polkit->get ());
+@@ -482,10 +483,6 @@ polkit_backend_js_authority_constructed (GObject *object)
+   if (!JS::InitSelfHostedCode (authority->priv->cx))
+     goto fail;
+ 
+-  JS::ContextOptionsRef (authority->priv->cx)
+-      .setIon (TRUE)
+-      .setBaseline (TRUE)
+-      .setAsmJS (TRUE);
+   JS::SetWarningReporter(authority->priv->cx, report_error);
+   JS_SetContextPrivate (authority->priv->cx, authority);
+ 
+@@ -720,7 +717,7 @@ set_property_strv (PolkitBackendJsAuthority  *authority,
+         elems[n].setNull ();
+     }
+ 
+-  JS::RootedObject array_object(authority->priv->cx, JS_NewArrayObject (authority->priv->cx, elems));
++  JS::RootedObject array_object(authority->priv->cx, JS::NewArrayObject (authority->priv->cx, elems));
+ 
+   value_jsval = JS::ObjectValue (*array_object);
+   JS_SetProperty (authority->priv->cx, obj, name, value_jsval);
+@@ -1114,7 +1111,7 @@ polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveA
+ {
+   PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
+   GList *ret = NULL;
+-  JS::AutoValueArray<2> args(authority->priv->cx);
++  JS::RootedValueArray<2> args(authority->priv->cx);
+   JS::RootedValue rval(authority->priv->cx);
+   guint n;
+   GError *error = NULL;
+@@ -1218,7 +1215,7 @@ polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAu
+ {
+   PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
+   PolkitImplicitAuthorization ret = implicit;
+-  JS::AutoValueArray<2> args(authority->priv->cx);
++  JS::RootedValueArray<2> args(authority->priv->cx);
+   JS::RootedValue rval(authority->priv->cx);
+   GError *error = NULL;
+   JS::RootedString ret_jsstr (authority->priv->cx);
+@@ -1409,7 +1406,7 @@ js_polkit_spawn (JSContext  *cx,
+   JS::CallArgs args = JS::CallArgsFromVp (js_argc, vp);
+   array_object = &args[0].toObject();
+ 
+-  if (!JS_GetArrayLength (cx, array_object, &array_len))
++  if (!JS::GetArrayLength (cx, array_object, &array_len))
+     {
+       JS_ReportErrorUTF8 (cx, "Failed to get array length");
+       goto out;

polkit.spec

@@ -1,39 +1,34 @@
 # Only enable if using patches that touches configure.ac,
 # Makefile.am or other build system related files
 #
-#define enable_autoreconf 1
-
 Summary: An authorization framework
 Name: polkit
-Version: 0.113
+Version: 122
 Release: 4%{?dist}
 License: LGPLv2+
 URL: http://www.freedesktop.org/wiki/Software/polkit
-Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
-Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign
-Group: System Environment/Libraries
+Source0: https://gitlab.freedesktop.org/polkit/polkit/-/archive/%{version}/%{name}-%{version}.tar.gz
+
+BuildRequires: gcc-c++
 BuildRequires: glib2-devel >= 2.30.0
 BuildRequires: expat-devel
 BuildRequires: pam-devel
 BuildRequires: gtk-doc
-BuildRequires: intltool
+BuildRequires: gettext-devel
 BuildRequires: gobject-introspection-devel
 BuildRequires: systemd, systemd-devel
-BuildRequires: mozjs17-devel
-
-%if 0%{?enable_autoreconf}
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: libtool
-%endif
+BuildRequires: dbus-devel
+BuildRequires: pkgconfig(duktape)
+BuildRequires: meson
+BuildRequires: git
 
 Requires: dbus, polkit-pkla-compat
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
 Requires(pre): shadow-utils
-Requires(post): /sbin/ldconfig, systemd
+Requires(post): systemd
 Requires(preun): systemd
-Requires(postun): /sbin/ldconfig, systemd
+Requires(postun): systemd
 
 Obsoletes: PolicyKit <= 0.10
 Provides: PolicyKit = 0.11
@@ -45,7 +40,7 @@ Conflicts: polkit-gnome < 0.97
 Obsoletes: polkit-desktop-policy < 0.103
 Provides: polkit-desktop-policy = 0.103
 
-Obsoletes: polkit-js-engine < 0.110-4
+Obsoletes: polkit-js-engine < 0.120-5
 Provides: polkit-js-engine = %{version}-%{release}
 
 # when -libs was split out, handle multilib upgrade path -- rex
@@ -58,7 +53,6 @@ processes.
 
 %package devel
 Summary: Development files for polkit
-Group: Development/Libraries
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires: %name-docs = %{version}-%{release}
 Requires: glib2-devel
@@ -70,7 +64,6 @@ Development files for polkit.
 
 %package docs
 Summary: Development documentation for polkit
-Group: Development/Libraries
 Requires: %name-devel = %{version}-%{release}
 Obsoletes: PolicyKit-docs <= 0.10
 Provides: PolicyKit-docs = 0.11
@@ -81,40 +74,35 @@ Development documentation for polkit.
 
 %package libs
 Summary: Libraries for polkit
-Group: Development/Libraries
 
 %description libs
 Libraries files for polkit.
 
 
 %prep
-%setup -q
+%autosetup -S git
 
 %build
-%if 0%{?enable_autoreconf}
-autoreconf -i
-%endif
-# we can't use _hardened_build here, see
-# https://bugzilla.redhat.com/show_bug.cgi?id=962005
-export CFLAGS='-fPIC %optflags'
-export LDFLAGS='-pie -Wl,-z,now -Wl,-z,relro'
-%configure --enable-gtk-doc \
-        --disable-static \
-        --enable-introspection \
-        --disable-examples \
-        --enable-libsystemd-login=yes --with-mozjs=mozjs-17.0
-make V=1
+%meson -D authfw=pam \
+       -D examples=false \
+       -D gtk_doc=true \
+       -D introspection=true \
+       -D man=true \
+       -D session_tracking=libsystemd-login \
+       -D tests=false
+
+%meson_build
 
 %install
-make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p'
+%meson_install
 
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 
 %find_lang polkit-1
 
 %pre
-getent group polkitd >/dev/null || groupadd -r polkitd
-getent passwd polkitd >/dev/null || useradd -r -g polkitd -d / -s /sbin/nologin -c "User for polkitd" polkitd
+getent group polkitd >/dev/null || groupadd -r -g 114 polkitd
+getent passwd polkitd >/dev/null || useradd -r -u 114 -g polkitd -d / -s /sbin/nologin -c "User for polkitd" polkitd
 exit 0
 
 %post
@@ -130,20 +118,20 @@ exit 0
 %systemd_postun_with_restart polkit.service
 
 %files -f polkit-1.lang
-%defattr(-,root,root,-)
-%doc COPYING NEWS README
+%doc COPYING NEWS.md README.md
 %{_datadir}/man/man1/*
 %{_datadir}/man/man8/*
+%{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
 %{_datadir}/dbus-1/system-services/*
 %{_unitdir}/polkit.service
 %dir %{_datadir}/polkit-1/
 %dir %{_datadir}/polkit-1/actions
 %attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
 %{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
+%{_datadir}/polkit-1/policyconfig-1.dtd
 %dir %{_sysconfdir}/polkit-1
-%{_sysconfdir}/polkit-1/rules.d/50-default.rules
+%{_datadir}/polkit-1/rules.d/50-default.rules
 %attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
-%{_sysconfdir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
 %{_sysconfdir}/pam.d/polkit-1
 %{_bindir}/pkaction
 %{_bindir}/pkcheck
@@ -156,24 +144,199 @@ exit 0
 %attr(4755,root,root) %{_prefix}/lib/polkit-1/polkit-agent-helper-1
 
 %files devel
-%defattr(-,root,root,-)
 %{_libdir}/lib*.so
 %{_libdir}/pkgconfig/*.pc
 %{_datadir}/gir-1.0/*.gir
 %{_includedir}/*
+%{_datadir}/gettext/its/polkit.its
+%{_datadir}/gettext/its/polkit.loc
 
 %files docs
-%defattr(-,root,root,-)
 %{_datadir}/gtk-doc
 
-%post libs -p /sbin/ldconfig
-%postun libs -p /sbin/ldconfig
+%ldconfig_scriptlets libs
 
 %files libs
 %{_libdir}/lib*.so.*
 %{_libdir}/girepository-1.0/*.typelib
 
 %changelog
+* Wed Feb 08 2023 Jan Rybar <jrybar@redhat.com> - 122-4
+- Switch 'polkitd' to static UID/GID (fpc#1189) (on behalf of lucab)
+- Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2104615
+
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 122-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Dec 16 2022 František Zatloukal <fzatlouk@redhat.com> - 122-2
+- Rebuilt for duktape 2.7.0
+
+* Wed Oct 26 2022 Vincent Mihalkovic <vmihalko@redhat.com> - 122-1
+- rebase to 122
+
+* Mon Aug 15 2022 Jan Rybar <jrybar@redhat.com> - 121-4
+- duktape re-enabled
+
+* Tue Aug 02 2022 Jan Rybar <jrybar@redhat.com> - 121-3
+- switched back to mozjs until problems with duktape are fixed
+- Related: bz#2109145
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 121-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jul 12 2022 Jan Rybar <jrybar@redhat.com> - 121-1
+- Rebase to v.121
+
+* Sun Feb 20 2022 Frantisek Zatloukal <fzatlouk@redhat.com> - 0.120-5
+- switch to mozjs91
+
+* Wed Feb 16 2022 Jan Rybar <jrybar@redhat.com> - 0.120-4
+- file descriptor exhaustion (GHSL-2021-077)
+- Resolves: CVE-2021-4115
+
+* Wed Jan 26 2022 Timothée Ravier <tim@siosm.fr> - 0.120-3
+- Fix for CVE-2021-4034
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.120-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Oct 06 2021 Pete Walter <pwalter@fedoraproject.org> - 0.120-1
+- Update to 0.120
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.118-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu May 20 2021 Jan Rybar <jrybar@redhat.com> - 0.118-2
+- CVE-2021-3560 mitigation
+- Resolves: CVE-2021-3560
+
+* Mon Apr 26 2021 Jan Rybar <jrybar@redhat.com> - 0.118-1
+- rebase to 0.118
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.117-4
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.117-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Aug 12 2020 Jan Rybar <jrybar@redhat.com> - 0.117-2
+- update dependency to mozjs78
+
+* Fri Jul 31 2020 Jan Rybar <jrybar@redhat.com> - 0.117-1
+- Rebased to polkit-0.117
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 22 2020 Tom Stellard <tstellar@redhat.com> - 0.116-8
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Oct 25 2019 Jan Rybar <jrybar@redhat.com> - 0.116-6
+- jsauthority memleak fix
+
+* Fri Sep 27 2019 Jan Rybar <jrybar@redhat.com> - 0.116-5
+- pkttyagent: unread input flushed on terminal restore
+
+* Sun Sep 08 2019 Kalev Lember <klember@redhat.com> - 0.116-4
+- Rebuilt for mozjs60 s390x fixes
+
+* Fri Aug 02 2019 Jan Rybar <jrybar@redhat.com> - 0.116-3
+- pkttyagent: backport patch, get SIGTTOU in background job
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.116-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu May 02 2019 Pete Walter <pwalter@fedoraproject.org> - 0.116-1
+- Update to 0.116
+
+* Thu Feb 14 2019 Jan Rybar <jrybar@redhat.com> - 0.115-11
+- pkttyagent: PolkitAgentTextListener leaves echo tty disabled if SIGINT/SIGTERM
+
+* Fri Feb 08 2019 Pete Walter <pwalter@fedoraproject.org> - 0.115-10
+- Move to mozjs60
+
+* Tue Feb 05 2019 Jan Rybar <jrybar@redhat.com> - 0.115-9
+- Allow uid=-1 for PolkitUnixProcess
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.115-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Jan 08 2019 Colin Walters <walters@verbum.org> - 0.115-7
+- Add security fix for
+  https://bugs.chromium.org/p/project-zero/issues/detail?id=1692
+
+* Fri Dec 07 2018 Jan Rybar <jrybar@redhat.com> - 0.115-6
+- Fix of CVE-2018-19788, priv escalation with high UIDs
+- Resolves: rhbz#1655926
+
+* Thu Sep 27 2018 Owen Taylor <otaylor@redhat.com> - 0.115-5
+- Fix installation with prefix != /usr
+
+* Mon Aug 13 2018 Jan Rybar <jrybar@redhat.com> - 0.115-4
+- Leaking zombie processess started by rules
+
+* Fri Jul 20 2018 Jan Rybar <jrybar@redhat.com> - 0.115-3
+- Warning raised by polkit when disconnected from ssh
+- polkitagentlistener: resource leak - pointer to 'server'
+- Error message raised on every 'systemctl start' in emergency.target
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.115-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jul 10 2018 Miloslav Trmač <mitr@redhat.com> - 0.115-1
+- Update to 0.115 (CVE-2018-1116)
+
+* Tue Apr 03 2018 Ray Strode <rstrode@redhat.com> - 0.114-1
+- Update to 0.114
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Apr 13 2017 Richard Hughes <rhughes@redhat.com> - 0.113-13
+- Add the its files from upstream.
+
+* Tue Apr 4 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-12
+- Fix a memory leak in PolkitPermission.
+  Patch by Rui Matos <tiagomatos@gmail.com>
+  Resolves: #1433915
+
+* Tue Apr 4 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-11
+- Revert back to the state in 0.113-7, undoing the untested changes.
+
+* Tue Apr  4 2017 Peter Robinson <pbrobinson@fedoraproject.org> 0.113-10
+- Move to an upstream snapshot, rebase patches
+
+* Fri Mar 31 2017 Rex Dieter <rdieter@fedoraproject.org> - 0.113-9
+- restore Provides: polkit-desktop-policy polkit-js-engine
+
+* Thu Mar 30 2017 Peter Robinson <pbrobinson@fedoraproject.org> 0.113-8
+- Use %%license, license needs to be in -libs as it's the only guaranteed installed package
+- Move to mozjs38
+- Other upstream fixes
+- Spec cleanups
+
+* Mon Feb 13 2017 Miloslav Trmač <mitr@redhat.com> - 0.113-7
+- Fix memory leaks when calling authentication agents
+  Resolves: #1380166
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.113-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
 * Tue Jul 14 2015 Miloslav Trmač <mitr@redhat.com> - 0.113-4
 - Bump the Obsoletes: to < 0.113-3 to account for the non-split 0.113-2.fc21
   Resolves: #1243004

sources

@@ -1,2 +1 @@
-4b77776c9e4f897dcfe03b2c34198edf  polkit-0.113.tar.gz
-86b92a63394de618898b43f5722e9fe2  polkit-0.113.tar.gz.sign
+SHA512 (polkit-122.tar.gz) = 6f537b218133777c1a9ef6b38296b4e17263d86b783acce4ce895ef3b507bb1b482d4b88bc410ab8846ce7cc7b84e82c4109f80f535190a351d7d2683b8608f3