Allow specifying an UID in the --process option of pkcheck(1)

Resolves: #1009538, CVE-2013-4288
Fix a race on PolkitSubject type registration (#866718 )
2013-09-18 20:41:48 +02:00 · 2013-05-29 16:33:15 +02:00
3 changed files with 232 additions and 1 deletions
--- a/polkit-0.107-CVE-2013-4288.patch
+++ b/polkit-0.107-CVE-2013-4288.patch
@ -0,0 +1,100 @@
+The uid is a new addition; this allows callers such as libvirt to
+close a race condition in reading the uid of the process talking to
+them.  They can read it via getsockopt(SO_PEERCRED) or equivalent,
+rather than having pkcheck look at /proc later after the fact.
+
+Programs which invoke pkcheck but need to know beforehand (i.e.  at
+compile time) whether or not it supports passing the uid can
+use:
+
+pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
+test x$pkcheck_supports_uid = xyes
+
+diff -urN polkit/data/polkit-gobject-1.pc.in polkit-0.107/data/polkit-gobject-1.pc.in
+--- polkit/data/polkit-gobject-1.pc.in	2012-04-24 18:05:34.000000000 +0200
+++ polkit-0.107/data/polkit-gobject-1.pc.in	2013-09-18 20:33:16.451783171 +0200
+@@ -11,3 +11,6 @@
+ Libs: -L${libdir} -lpolkit-gobject-1
+ Cflags: -I${includedir}/polkit-1
+ Requires: gio-2.0 >= 2.18 glib-2.0 >= 2.18
+# Programs using pkcheck can use this to determine
+# whether or not it can be passed a uid.
+pkcheck_supports_uid=true
+diff -urN polkit/docs/man/pkcheck.xml polkit-0.107/docs/man/pkcheck.xml
+--- polkit/docs/man/pkcheck.xml	2012-06-04 19:47:39.000000000 +0200
+++ polkit-0.107/docs/man/pkcheck.xml	2013-09-18 20:33:16.451783171 +0200
+@@ -55,6 +55,9 @@
+             <arg choice="plain">
+               <replaceable>pid,pid-start-time</replaceable>
+             </arg>
+            <arg choice="plain">
+              <replaceable>pid,pid-start-time,uid</replaceable>
+            </arg>
+           </group>
+         </arg>
+         <arg choice="plain">
+@@ -90,7 +93,7 @@
+     <title>DESCRIPTION</title>
+     <para>
+       <command>pkcheck</command> is used to check whether a process, specified by
+-      either <option>--process</option> or <option>--system-bus-name</option>,
+      either <option>--process</option> (see below) or <option>--system-bus-name</option>,
+       is authorized for <replaceable>action</replaceable>. The <option>--detail</option>
+       option can be used zero or more times to pass details about <replaceable>action</replaceable>.
+       If <option>--allow-user-interaction</option> is passed, <command>pkcheck</command> blocks
+@@ -160,15 +163,23 @@
+   <refsect1 id="pkcheck-notes">
+     <title>NOTES</title>
+     <para>
+-      Since process identifiers can be recycled, the caller should always use
+-      <replaceable>pid,pid-start-time</replaceable> to specify the process
+-      to check for authorization when using the <option>--process</option> option.
+-      The value of <replaceable>pid-start-time</replaceable>
+-      can be determined by consulting e.g. the
+      Do not use either the bare <replaceable>pid</replaceable> or
+      <replaceable>pid,start-time</replaceable> syntax forms for
+      <option>--process</option>.  There are race conditions in both.
+      New code should always use
+      <replaceable>pid,pid-start-time,uid</replaceable>.  The value of
+      <replaceable>start-time</replaceable> can be determined by
+      consulting e.g. the
+       <citerefentry><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+-      file system depending on the operating system. If only <replaceable>pid</replaceable>
+-      is passed to the <option>--process</option> option, then <command>pkcheck</command>
+-      will look up the start time itself but note that this may be racy.
+      file system depending on the operating system.  If fewer than 3
+      arguments are passed, <command>pkcheck</command> will attempt to
+      look up them up internally, but note that this may be racy.
+    </para>
+    <para>
+      If your program is a daemon with e.g. a custom Unix domain
+      socket, you should determine the <replaceable>uid</replaceable>
+      parameter via operating system mechanisms such as
+      <literal>PEERCRED</literal>.
+     </para>
+   </refsect1>
+ 
+diff -urN polkit/src/programs/pkcheck.c polkit-0.107/src/programs/pkcheck.c
+--- polkit/src/programs/pkcheck.c	2012-04-24 18:05:34.000000000 +0200
+++ polkit-0.107/src/programs/pkcheck.c	2013-09-18 20:33:16.452783171 +0200
+@@ -372,6 +372,7 @@
+       else if (g_strcmp0 (argv[n], "--process") == 0 || g_strcmp0 (argv[n], "-p") == 0)
+         {
+           gint pid;
+	  guint uid;
+           guint64 pid_start_time;
+ 
+           n++;
+@@ -381,7 +382,11 @@
+               goto out;
+             }
+ 
+-          if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
+          if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u", &pid, &pid_start_time, &uid) == 3)
+            {
+              subject = polkit_unix_process_new_for_owner (pid, pid_start_time, uid);
+            }
+          else if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
+             {
+               subject = polkit_unix_process_new_full (pid, pid_start_time);
+             }
--- a/polkit-0.112-gobject-interface-type-registration-race.patch
+++ b/polkit-0.112-gobject-interface-type-registration-race.patch
@ -0,0 +1,115 @@
+From 20ad116a6582e57d20f9d8197758947918753a4c Mon Sep 17 00:00:00 2001
+From: Tomas Bzatek <tbzatek@redhat.com>
+Date: Wed, 29 May 2013 13:45:31 +0000
+Subject: Use GOnce for interface type registration
+
+Static local variable may not be enough since it doesn't provide locking.
+
+Related to these udisksd warnings:
+  GLib-GObject-WARNING **: cannot register existing type `PolkitSubject'
+
+Thanks to Hans de Goede for spotting this!
+
+https://bugs.freedesktop.org/show_bug.cgi?id=65130
+---
+diff --git a/src/polkit/polkitidentity.c b/src/polkit/polkitidentity.c
+index dd15b2f..7813c2c 100644
+--- a/src/polkit/polkitidentity.c
+++ b/src/polkit/polkitidentity.c
+@@ -49,9 +49,9 @@ base_init (gpointer g_iface)
+ GType
+ polkit_identity_get_type (void)
+ {
+-  static GType iface_type = 0;
+  static volatile gsize g_define_type_id__volatile = 0;
+ 
+-  if (iface_type == 0)
+  if (g_once_init_enter (&g_define_type_id__volatile))
+     {
+       static const GTypeInfo info =
+       {
+@@ -67,12 +67,14 @@ polkit_identity_get_type (void)
+         NULL                    /* value_table    */
+       };
+ 
+-      iface_type = g_type_register_static (G_TYPE_INTERFACE, "PolkitIdentity", &info, 0);
+      GType iface_type =
+        g_type_register_static (G_TYPE_INTERFACE, "PolkitIdentity", &info, 0);
+ 
+       g_type_interface_add_prerequisite (iface_type, G_TYPE_OBJECT);
+      g_once_init_leave (&g_define_type_id__volatile, iface_type);
+     }
+ 
+-  return iface_type;
+  return g_define_type_id__volatile;
+ }
+ 
+ /**
+diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c
+index d2c4c20..aed5795 100644
+--- a/src/polkit/polkitsubject.c
+++ b/src/polkit/polkitsubject.c
+@@ -50,9 +50,9 @@ base_init (gpointer g_iface)
+ GType
+ polkit_subject_get_type (void)
+ {
+-  static GType iface_type = 0;
+  static volatile gsize g_define_type_id__volatile = 0;
+ 
+-  if (iface_type == 0)
+  if (g_once_init_enter (&g_define_type_id__volatile))
+     {
+       static const GTypeInfo info =
+       {
+@@ -68,12 +68,14 @@ polkit_subject_get_type (void)
+         NULL                    /* value_table    */
+       };
+ 
+-      iface_type = g_type_register_static (G_TYPE_INTERFACE, "PolkitSubject", &info, 0);
+      GType iface_type =
+        g_type_register_static (G_TYPE_INTERFACE, "PolkitSubject", &info, 0);
+ 
+       g_type_interface_add_prerequisite (iface_type, G_TYPE_OBJECT);
+      g_once_init_leave (&g_define_type_id__volatile, iface_type);
+     }
+ 
+-  return iface_type;
+  return g_define_type_id__volatile;
+ }
+ 
+ /**
+diff --git a/src/polkitbackend/polkitbackendactionlookup.c b/src/polkitbackend/polkitbackendactionlookup.c
+index 5a1a228..20747e7 100644
+--- a/src/polkitbackend/polkitbackendactionlookup.c
+++ b/src/polkitbackend/polkitbackendactionlookup.c
+@@ -74,9 +74,9 @@ base_init (gpointer g_iface)
+ GType
+ polkit_backend_action_lookup_get_type (void)
+ {
+-  static GType iface_type = 0;
+  static volatile gsize g_define_type_id__volatile = 0;
+ 
+-  if (iface_type == 0)
+  if (g_once_init_enter (&g_define_type_id__volatile))
+     {
+       static const GTypeInfo info =
+       {
+@@ -92,12 +92,14 @@ polkit_backend_action_lookup_get_type (void)
+         NULL                    /* value_table    */
+       };
+ 
+-      iface_type = g_type_register_static (G_TYPE_INTERFACE, "PolkitBackendActionLookup", &info, 0);
+      GType iface_type =
+        g_type_register_static (G_TYPE_INTERFACE, "PolkitBackendActionLookup", &info, 0);
+ 
+       g_type_interface_add_prerequisite (iface_type, G_TYPE_OBJECT);
+      g_once_init_leave (&g_define_type_id__volatile, iface_type);
+     }
+ 
+-  return iface_type;
+  return g_define_type_id__volatile;
+ }
+ 
+ /**
+--
+cgit v0.9.0.2-2-gbebe
--- a/polkit.spec
+++ b/polkit.spec
@ -1,7 +1,7 @@
 Summary: polkit Authorization Framework
 Name: polkit
 Version: 0.107
-Release: 4%{?dist}
+Release: 6%{?dist}
 License: LGPLv2+
 URL: http://www.freedesktop.org/wiki/Software/polkit
 Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
@ -32,6 +32,13 @@ Provides: polkit-desktop-policy = 0.103
 Patch0: polkit-0.107-fall-back-to-uid0-if-no-admin-users-are-available.patch
 Patch1: polkit-0.107-avoid-crashing-if-initializing-the-server-object-fails.patch

+# https://bugzilla.redhat.com/show_bug.cgi?id=866718
+# Use GOnce for interface type registration
+Patch2: polkit-0.112-gobject-interface-type-registration-race.patch
+
+# Upstream commit 3968411b0c7ba193f9b9276ec911692aec248608
+Patch3: polkit-0.107-CVE-2013-4288.patch
+
 %description
 polkit is a toolkit for defining and handling authorizations.  It is
 used for allowing unprivileged processes to speak to privileged
@ -64,6 +71,8 @@ Development documentation for polkit.
 %setup -q
 %patch0 -p1 -b .fall-back-to-uid-0
 %patch1 -p1 -b .crash-fix
+%patch2 -p1 -b .gtype-race
+%patch3 -p1 -b .CVE-2013-4288

 %build
 %configure --enable-gtk-doc \
@ -132,6 +141,13 @@ exit 0
 %{_datadir}/gtk-doc

 %changelog
+* Wed Sep 18 2013 Miloslav Trmač <mitr@redhat.com> - 0.107-6
+- Allow specifying an UID in the --process option of pkcheck(1)
+  Resolves: #1009538, CVE-2013-4288
+
+* Wed May 29 2013 Tomas Bzatek <tbzatek@redhat.com> 0.107-5
+- Fix a race on PolkitSubject type registration (#866718)
+
 * Wed Oct 10 2012 Adam Jackson <ajax@redhat.com> 0.107-4
 - Don't crash if initializing the server object fails
Author	SHA1	Message	Date
Miloslav Trmač	b1480cde74	Allow specifying an UID in the --process option of pkcheck(1) Resolves: #1009538, CVE-2013-4288	2013-09-18 20:41:48 +02:00
Tomas Bzatek	5f3df8c3fd	Fix a race on PolkitSubject type registration (#866718 )	2013-05-29 16:33:15 +02:00