[PATCH] gnu: polkit: Fix CVE-2021-4034.

  • Done
Details
2 participants
  • Liliana Marie Prikler
  • Ludovic Courtès
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
important
Ludovic Courtès wrote on 26 Jan 2022 12:56
(address . guix-patches@gnu.org)(name . Ludovic Courtès)(address . ludo@gnu.org)
20220126115624.31260-1-ludo@gnu.org
* gnu/packages/patches/polkit-CVE-2021-4034.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/polkit.scm (polkit-mozjs)[replacement]: New field.
* gnu/packages/polkit.scm (polkit-mozjs/fixed): New variable.
---
gnu/local.mk | 1 +
.../patches/polkit-CVE-2021-4034.patch | 82 +++++++++++++++++++
gnu/packages/polkit.scm | 13 ++-
3 files changed, 95 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/polkit-CVE-2021-4034.patch

Hi!

We could avoid grafting and instead use 'polkit/fixed' in 'setuid-programs',
but it seems safer and less error-prone to graft.

Thoughts?

Ludo'.

diff --git a/gnu/local.mk b/gnu/local.mk
index dceaa53145..eb07842775 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1645,6 +1645,7 @@ dist_patch_DATA = \
%D%/packages/patches/plib-CVE-2011-4620.patch \
%D%/packages/patches/plib-CVE-2012-4552.patch \
%D%/packages/patches/plotutils-spline-test.patch \
+ %D%/packages/patches/polkit-CVE-2021-4034.patch \
%D%/packages/patches/polkit-configure-elogind.patch \
%D%/packages/patches/polkit-use-duktape.patch \
%D%/packages/patches/portaudio-audacity-compat.patch \
diff --git a/gnu/packages/patches/polkit-CVE-2021-4034.patch b/gnu/packages/patches/polkit-CVE-2021-4034.patch
new file mode 100644
index 0000000000..ca766cb3be
--- /dev/null
+++ b/gnu/packages/patches/polkit-CVE-2021-4034.patch
@@ -0,0 +1,82 @@
+Fixes CVE-2021-4034, local privilege escalation with 'pkexec':
+
+ https://www.openwall.com/lists/oss-security/2022/01/25/11
+
+Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683>.
+
+From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
+
+---
+ src/programs/pkcheck.c | 5 +++++
+ src/programs/pkexec.c | 23 ++++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index f1bb4e1..768525c 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+ local_agent_handle = NULL;
+ ret = 126;
+
++ if (argc < 1)
++ {
++ exit(126);
++ }
++
+ /* Disable remote file access from GIO. */
+ setenv ("GIO_USE_VFS", "local", 1);
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 7698c5c..84e5ef6 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+ pid_t pid_of_caller;
+ gpointer local_agent_handle;
+
++
++ /*
++ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
++ */
++ if (argc<1)
++ {
++ exit(127);
++ }
++
+ ret = 127;
+ authority = NULL;
+ subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+
+ path = g_strdup (pwstruct.pw_shell);
+ if (!path)
+- {
++ {
+ g_printerr ("No shell configured or error retrieving pw_shell\n");
+ goto out;
+- }
++ }
+ /* If you change this, be sure to change the if (!command_line)
+ case below too */
+ command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+ goto out;
+ }
+ g_free (path);
+- argv[n] = path = s;
++ path = s;
++
++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++ */
++ if (argv[n] != NULL)
++ {
++ argv[n] = path;
++ }
+ }
+ if (access (path, F_OK) != 0)
+ {
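Review bot: two different things are being vendored here and only one of them is the behavioural fix on the path the advisory describes: the `argc<1` early exits added to pkcheck.c and pkexec.c refuse an invocation with an empty argv outright, while the `if (argv[n] != NULL)` guard that replaces the unconditional `argv[n] = path = s;` is what stops the write past the end of argv when `argc<2` (the hunk's own comment: "don't write to null-termination"). Since the file is applied unmodified, the header's oss-security link and upstream commit URL are the right provenance; it would help future readers if the header also recorded which polkit version (0.120, per the polkit.scm hunk) the patch was checked against, because the package it is added to has its version field changed in the same series.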
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index e4f4b1276f..1ae94be751 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 Andy Wingo <wingo@igalia.com>
-;;; Copyright © 2015, 2021 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2015, 2021-2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2017 Huang Ying <huang.ying.caritas@gmail.com>
@@ -54,6 +54,7 @@ (define-public polkit-mozjs
(package
(name "polkit")
(version "0.120")
+ (replacement polkit-mozjs/fixed)
(source (origin
(method url-fetch)
(uri (string-append
@@ -146,6 +147,16 @@ (define-public polkit-mozjs
for unprivileged applications.")
(license lgpl2.0+)))
+(define-public polkit-mozjs/fixed
+ (package
+ (inherit polkit-mozjs)
+ (version "0.121")
+ (source (origin
+ (inherit (package-source polkit-mozjs))
+ (patches (cons (search-patch "polkit-CVE-2021-4034.patch")
+ (origin-patches
+ (package-source polkit-mozjs))))))))
+
;;; Variant of polkit built with Duktape, a lighter JavaScript engine compared
;;; to mozjs.
(define-public polkit-duktape
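Review bot: `(version "0.121")` on `polkit-mozjs/fixed` reads like an upstream release, but the hunk only prepends a patch to the existing 0.120 source. If the bump is there to keep the replacement's store file name the same length as the original's for grafting (a "0.120-1" style suffix would change it), a one-line comment next to the field saying so would stop someone from "correcting" it back to 0.120 later; otherwise the version can simply stay "0.120". The `(cons (search-patch "polkit-CVE-2021-4034.patch") (origin-patches ...))` form correctly preserves whatever patches the inherited origin already carries.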

base-commit: 1402c6abe150ced4cbb4fa0721fe7c8796fe2c38
prerequisite-patch-id: 6ecfe5930fe8847a954c16425713d4a6ac515a04
--
2.34.0
Ludovic Courtès wrote on 26 Jan 2022 15:40
control message for bug #53549
(address . control@debbugs.gnu.org)
87sftah85x.fsf@gnu.org
tags 53549 + security
quit
Ludovic Courtès wrote on 26 Jan 2022 15:40
(address . control@debbugs.gnu.org)
87r18uh85v.fsf@gnu.org
severity 53549 important
quit
Liliana Marie Prikler wrote on 26 Jan 2022 16:14
Re: [PATCH] gnu: polkit: Fix CVE-2021-4034.
a5a0a1f49aa4edcae8de8b43789f95937e6c04d8.camel@ist.tugraz.at
Hi Ludo,

On Wednesday, 26.01.2022 at 12:56 +0100, Ludovic Courtès wrote:
> * gnu/packages/patches/polkit-CVE-2021-4034.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/polkit.scm (polkit-mozjs)[replacement]: New field.
> * gnu/packages/polkit.scm (polkit-mozjs/fixed): New variable.
> ---
>  gnu/local.mk                                  |  1 +
>  .../patches/polkit-CVE-2021-4034.patch        | 82
> +++++++++++++++++++
>  gnu/packages/polkit.scm                       | 13 ++-
>  3 files changed, 95 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/polkit-CVE-2021-4034.patch
>
> Hi!
>
> We could avoid grafting and instead use 'polkit/fixed' in 'setuid-
> programs', but it seems safer and less error-prone to graft.
>
> Thoughts?
Given that there is also a duktape variant, a graft is necessary, no?
On a related note, polkit-duktape inherits polkit-mozjs in a way that
does not require adding a separate graft for it, right? Assuming both
of the above hold, LGTM.

Cheers
Ludovic Courtès wrote on 26 Jan 2022 17:56
Re: bug#53549: [PATCH] gnu: polkit: Fix CVE-2021-4034.
(name . Liliana Marie Prikler)(address . liliana.prikler@ist.tugraz.at)(address . 53549-done@debbugs.gnu.org)
8735lah1ve.fsf_-_@gnu.org
Hi,

Liliana Marie Prikler <liliana.prikler@ist.tugraz.at> wrote:

> On Wednesday, 26.01.2022 at 12:56 +0100, Ludovic Courtès wrote:
>> * gnu/packages/patches/polkit-CVE-2021-4034.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Add it.
>> * gnu/packages/polkit.scm (polkit-mozjs)[replacement]: New field.
>> * gnu/packages/polkit.scm (polkit-mozjs/fixed): New variable.
>> ---
>>  gnu/local.mk                                  |  1 +
>>  .../patches/polkit-CVE-2021-4034.patch        | 82
>> +++++++++++++++++++
>>  gnu/packages/polkit.scm                       | 13 ++-
>>  3 files changed, 95 insertions(+), 1 deletion(-)
>>  create mode 100644 gnu/packages/patches/polkit-CVE-2021-4034.patch
>>
>> Hi!
>>
>> We could avoid grafting and instead use 'polkit/fixed' in 'setuid-
>> programs', but it seems safer and less error-prone to graft.
>>
>> Thoughts?
> Given that there is also a duktape variant, a graft is necessary, no?
> On a related note, polkit-duktape inherits polkit-mozjs in a way that
> does not require adding a separate graft for it, right? Assuming both
> of the above hold, LGTM.

The duktape variant is defined with ‘package/inherit’ and thus it
automatically gets a replacement with the patch:

$ ./pre-inst-env guix build polkit-duktape --no-grafts
/gnu/store/z92ymaf84ij8f37cm1wrkkmgrw2slrym-polkit-duktape-0.120
$ ./pre-inst-env guix build polkit-duktape
/gnu/store/3g55nhkcbc0a4l7b26gxsalxq0rq1cs7-polkit-duktape-0.121
$ guix gc -R $(./pre-inst-env guix build polkit-duktape -d) |grep polkit-CVE
/gnu/store/lxms944bda56ll590dsrkkhc9n2h3xws-polkit-CVE-2021-4034.patch

Pushed as 3993d33d1c0129b1ca6f0fd122fe2bbe48e4f093.

Thanks for taking a look!

Ludo’.
Closed