GNU bug report logs

#48915 [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.


Report forwarded to guix-patches@gnu.org:
bug#48915; Package guix-patches. (Tue, 08 Jun 2021 08:46:02 GMT).


Acknowledgement sent to Ludovic Courtès <ludo@gnu.org>:
New bug report received and forwarded. Copy sent to guix-patches@gnu.org. (Tue, 08 Jun 2021 08:46:02 GMT).


Message #5 received at submit@debbugs.gnu.org:

From: Ludovic Courtès <ludo@gnu.org>
To: guix-patches@gnu.org
Cc: Ludovic Courtès <ludo@gnu.org>
Subject: [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
Date: Tue, 8 Jun 2021 10:45:12 +0200

* gnu/packages/patches/polkit-CVE-2021-3560.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/polkit.scm (polkit/fixed): New variable.
(polkit)[replacement]: New field.
---
 gnu/local.mk                                  |  1 +
 .../patches/polkit-CVE-2021-3560.patch        | 21 +++++++++++++++++++
 gnu/packages/polkit.scm                       |  9 ++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 gnu/packages/patches/polkit-CVE-2021-3560.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 0599df8968..42c5ee0d31 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1555,6 +1555,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/plib-CVE-2011-4620.patch		\
   %D%/packages/patches/plib-CVE-2012-4552.patch		\
   %D%/packages/patches/plotutils-spline-test.patch		\
+  %D%/packages/patches/polkit-CVE-2021-3560.patch		\
   %D%/packages/patches/portaudio-audacity-compat.patch		\
   %D%/packages/patches/portmidi-modular-build.patch		\
   %D%/packages/patches/postgresql-disable-resolve_symlinks.patch	\
diff --git a/gnu/packages/patches/polkit-CVE-2021-3560.patch b/gnu/packages/patches/polkit-CVE-2021-3560.patch
new file mode 100644
index 0000000000..9aa0373fda
--- /dev/null
+++ b/gnu/packages/patches/polkit-CVE-2021-3560.patch
@@ -0,0 +1,21 @@
+This patch fixes CVE-2021-3560, "local privilege escalation using
+polkit_system_bus_name_get_creds_sync()":
+
+  https://www.openwall.com/lists/oss-security/2021/06/03/1
+
+Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a>.
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8daa12cb9093c1d765c7b83654a2b8d0d382378e..8ed13631508dd96624898df90ee2ece4dcf3e1e5 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+   while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+     g_main_context_iteration (tmp_context, TRUE);
+ 
++  if (data.caught_error)
++    goto out;
++
+   if (out_uid)
+     *out_uid = data.uid;
+   if (out_pid)
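Review bot: The `goto out` added after the wait loop in polkit_system_bus_name_get_creds_sync() depends on an `out:` label and on the function's return value at that point, and neither is visible in this hunk's context. Before applying this to 0.116, confirm that the path reached through `out` returns failure and hands the caught error to the caller, so that `*out_uid` and `*out_pid` stay unwritten and a failed lookup cannot be mistaken for valid credentials. It would also help to cite the full upstream commit hash in the patch header instead of the abbreviated `a04d13a`, so the provenance of the security fix can be checked unambiguously.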
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index d868aceec2..fcd8633b7a 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -44,6 +44,7 @@
   (package
     (name "polkit")
     (version "0.116")
+    (replacement polkit/fixed)
     (source (origin
              (method url-fetch)
              (uri (string-append
@@ -135,6 +136,14 @@ making process with respect to granting access to privileged operations
 for unprivileged applications.")
     (license lgpl2.0+)))
 
+(define-public polkit/fixed
+  (package
+    (inherit polkit)
+    (version "0.11A")                             ;0.116 + patch
+    (source (origin
+              (inherit (package-source polkit))
+              (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
+
 (define-public polkit-qt
   (package
     (name "polkit-qt")
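Review bot: In `polkit/fixed`, `(version "0.11A")` gives the package a version string that differs from the 0.116 source it is built from, as the `;0.116 + patch` comment itself says. Drop the `version` field so it is inherited from `polkit`, and consider `define` instead of `define-public` so that the replacement is reachable only through the `replacement` field and is not offered to users as a separate package.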
-- 
2.31.1





Added tag(s) security. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Tue, 08 Jun 2021 08:47:02 GMT).


Information forwarded to guix-patches@gnu.org:
bug#48915; Package guix-patches. (Tue, 08 Jun 2021 17:53:01 GMT).


Message #10 received at 48915@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: Ludovic Courtès <ludo@gnu.org>
Cc: 48915@debbugs.gnu.org
Subject: Re: [bug#48915] [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
Date: Tue, 8 Jun 2021 13:52:41 -0400

On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:
> +(define-public polkit/fixed
> +  (package
> +    (inherit polkit)
> +    (version "0.11A")                             ;0.116 + patch
> +    (source (origin
> +              (inherit (package-source polkit))
> +              (patches (search-patches "polkit-CVE-2021-3560.patch"))))))

Typically, we don't change the version when creating replacement
packages that apply a patch. We only change the version when the
replacement package actually updates to a new version.

Thanks for taking care of this!




Information forwarded to guix-patches@gnu.org:
bug#48915; Package guix-patches. (Tue, 08 Jun 2021 21:33:01 GMT).


Message #13 received at 48915@debbugs.gnu.org:

From: Ludovic Courtès <ludo@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: 48915@debbugs.gnu.org
Subject: Re: bug#48915: [PATCH] gnu: polkit: Graft a replacement for CVE-2021-3560.
Date: Tue, 08 Jun 2021 23:32:35 +0200

Leo Famulari <leo@famulari.name> writes:

> On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote:
>> +(define-public polkit/fixed
>> +  (package
>> +    (inherit polkit)
>> +    (version "0.11A")                             ;0.116 + patch
>> +    (source (origin
>> +              (inherit (package-source polkit))
>> +              (patches (search-patches "polkit-CVE-2021-3560.patch"))))))
>
> Typically, we don't change the version when creating replacement
> packages that apply a patch. We only change the version when the
> replacement package actually updates to a new version.

Pushed as 9178566954cc7f34d2d991d31df4565adad93508!

As discussed on IRC, I ended up making ‘polkit/fixed’ private, with the
version string unchanged (inherited from ‘polkit’).

We wondered whether Cuirass would build ‘polkit/fixed’ if it’s private.
Turns out it does, but this comment in (gnu ci) is still valid:

--8<---------------cut here---------------start------------->8---
(define (all-packages)
  "Return the list of packages to build."
  (define (adjust package result)
    (cond ((package-replacement package)
           ;; XXX: If PACKAGE and its replacement have the same name/version,
           ;; then both Cuirass jobs will have the same name, which
           ;; effectively means that the second one will be ignored.  Thus,
           ;; return the replacement first.
           (cons* (package-replacement package)   ;build both
                  package
                  result))
--8<---------------cut here---------------end--------------->8---

IOW, the replacement, and only the replacement, gets built.

The current ‘zstd’ replacement is private;
<https://ci.guix.gnu.org/search?query=system%3Ax86_64-linux+spec%3Amaster+zstd>
only shows derivations for the replacement, not for the original one.
That’s okay though because the original one necessarily got built
earlier.

Thanks,
Ludo’.




bug closed, send any further explanations to 48915@debbugs.gnu.org and Ludovic Courtès <ludo@gnu.org>. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Tue, 08 Jun 2021 21:33:02 GMT).


bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Wed, 07 Jul 2021 11:24:05 GMT).




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 13:42:16 2024; Machine Name: wallace-server
