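--- /dev/null
+++ b/CVE-2021-4034.patch
@@ -0,0 +1,79 @@
+From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
+
+---
+src/programs/pkcheck.c | 5 +++++
+src/programs/pkexec.c | 23 ++++++++++++++++++++---
+2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index f1bb4e1..768525c 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+local_agent_handle = NULL;
+ret = 126;
+
++ if (argc < 1)
++ {
++ exit(126);
++ }
++
+/* Disable remote file access from GIO. */
+setenv ("GIO_USE_VFS", "local", 1);
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 7698c5c..84e5ef6 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+pid_t pid_of_caller;
+gpointer local_agent_handle;
+
++
++ /*
++ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
++ */
++ if (argc<1)
++ {
++ exit(127);
++ }
++
+ret = 127;
+authority = NULL;
+subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+
+path = g_strdup (pwstruct.pw_shell);
+if (!path)
+- {
++ {
+g_printerr ("No shell configured or error retrieving pw_shell\n");
+goto out;
+- }
++ }
+/* If you change this, be sure to change the if (!command_line)
+case below too */
+command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+goto out;
+}
+g_free (path);
+- argv[n] = path = s;
++ path = s;
++
++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++ */
++ if (argv[n] != NULL)
++ {
++ argv[n] = path;
++ }
+}
+if (access (path, F_OK) != 0)
+{
+--
+GitLab
+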
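Review bot: Both `argc < 1` guards (pkcheck.c `exit(126)`, pkexec.c `exit(127)`) leave without recording anything, so an empty-argv invocation, which the patch's own comment treats as probable abuse, is invisible to whoever reads the host's logs. A syslog entry at auth priority before the `exit` would keep that signal without telling the caller anything; because this file carries the upstream commit verbatim, that belongs in a follow-up patch or an audit rule on the distribution side rather than an edit here. The comment above the pkexec.c guard should also say why the case is dangerous, e.g. `/* argc == 0 means argv[0] is NULL, so any argv[n] with n >= 1 lies outside the argument vector */`. main() in both files starts and ends outside the hunks.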
| ... | ... | --- a/polkit.spec |
| ... | ... | +++ b/polkit.spec |
| ... | ... | @@ -8,7 +8,7 @@ |
| 8 | 8 |
Summary: PolicyKit Authorization Framework
|
| 9 | 9 |
Name: polkit
|
| 10 | 10 |
Version: 0.119
|
| 11 |
Release: 4
|
|
| 11 |
Release: 5
|
|
| 12 | 12 |
License: LGPLv2.1+
|
| 13 | 13 |
Group: System/Libraries
|
| 14 | 14 |
Url: http://www.freedesktop.org/wiki/Software/PolicyKit
|
| ... | ... | @@ -27,6 +27,9 @@ Patch2: no-chown.diff |
| … | … | |
| 27 | 27 |
Patch20: x11vars.patch
|
| 28 | 28 |
# Adds Russian build locale
|
| 29 | 29 |
Patch21: add.locale.ru.patch
|
| 30 |
# https://www.openwall.com/lists/oss-security/2022/01/25/11
|
|
| 31 |
# https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
|
|
| 32 |
Patch22: CVE-2021-4034.patch
|
|
| 30 | 33 |
BuildRequires: gtk-doc
|
| 31 | 34 |
BuildRequires: intltool
|
| 32 | 35 |
BuildRequires: meson
|
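Review bot: `Patch22: CVE-2021-4034.patch` is declared here, but no hunk in this section adds a matching apply step such as `%patch22 -p1` in %prep. If the spec applies patches one by one rather than through an auto-apply macro, the package would ship as Release 5 without the CVE-2021-4034 fix. %prep is outside the visible hunks, so check there and confirm in the build log that the patch is applied.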