GNU bug report logs

#53549 [PATCH] gnu: polkit: Fix CVE-2021-4034.

Package: guix-patches

Message #12 received at 53549@debbugs.gnu.org:

Message-ID: <a5a0a1f49aa4edcae8de8b43789f95937e6c04d8.camel@ist.tugraz.at>
Subject: Re: [PATCH] gnu: polkit: Fix CVE-2021-4034.
From: Liliana Marie Prikler <liliana.prikler@ist.tugraz.at>
To: Ludovic Courtès <ludo@gnu.org>, 53549@debbugs.gnu.org
Date: Wed, 26 Jan 2022 16:14:48 +0100
In-Reply-To: <20220126115624.31260-1-ludo@gnu.org>
References: <20220126115624.31260-1-ludo@gnu.org>
Hi Ludo,

On Wednesday, 26.01.2022 at 12:56 +0100, Ludovic Courtès wrote:
> * gnu/packages/patches/polkit-CVE-2021-4034.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/polkit.scm (polkit-mozjs)[replacement]: New field.
> * gnu/packages/polkit.scm (polkit-mozjs/fixed): New variable.
> ---
>  gnu/local.mk                                  |  1 +
>  .../patches/polkit-CVE-2021-4034.patch        | 82 +++++++++++++++++++
>  gnu/packages/polkit.scm                       | 13 ++-
>  3 files changed, 95 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/polkit-CVE-2021-4034.patch
> 
> Hi!
> 
> We could avoid grafting and instead use 'polkit/fixed' in
> 'setuid-programs', but it seems safer and less error-prone to graft.
> 
> Thoughts?
Given that there is also a duktape variant, a graft is necessary, no? 
On a related note, polkit-duktape inherits polkit-mozjs in a way that
does not require adding a separate graft for it, right?  Assuming both
of the above hold, LGTM.

Cheers






debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 17:53:30 2024; Machine Name: wallace-server
