polkit: Fix CVE-2018-19788

Signed-off-by: Dan Tran <dantran@microsoft.com> [Fixup for warrior context] Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Dan Tran <dantran@microsoft.com> 2019-09-25 17:12:49 +0000
committer: Armin Kuster <akuster808@gmail.com> 2019-10-05 08:58:45 -0700
commit: 6f4dcd00ce677d9df3fed7e12d87a4588dc65661 (patch)
tree: ee49dea3546c93f0bac83c898da29136b94c6a67
parent: 0d053082ab13a2668ecc94adbc6d6dd862be1c41 (diff)
download: meta-openembedded-6f4dcd00ce677d9df3fed7e12d87a4588dc65661.tar.gz
4 files changed, 408 insertions, 4 deletions
diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch
new file mode 100644
index 000000000..32ea0bacc
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch
@@ -0,0 +1,194 @@
+From cd80aa29c85745ca073cf0581ccdcf2f80aa30db Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 3 Dec 2018 10:28:58 +0100
+Subject: [PATCH 1/3] Allow negative uids/gids in PolkitUnixUser and Group
+ objects
+(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
+there should be no users with such number, see
+https://systemd.io/UIDS-GIDS#special-linux-uids.
+(uid_t) -1 is used as the default value in class initialization.
+When a user or group above INT32_MAX is created, the numeric uid or
+gid wraps around to negative when the value is assigned to gint, and
+polkit gets confused. Let's accept such gids, except for -1.
+A nicer fix would be to change the underlying type to e.g. uint32 to
+not have negative values. But this cannot be done without breaking the
+API, so likely new functions will have to be added (a
+polkit_unix_user_new variant that takes a unsigned, and the same for
+_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
+require a bigger patch.
+Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
+CVE: CVE-2018-19788
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/polkit/polkit/commit/2cb40c4d5feeaa09325522bd7d97910f1b59e379]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ src/polkit/polkitunixgroup.c   | 15 +++++++++++----
+ src/polkit/polkitunixprocess.c | 12 ++++++++----
+ src/polkit/polkitunixuser.c    | 13 ++++++++++---
+ 3 files changed, 29 insertions(+), 11 deletions(-)
+diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c
+index c57a1aa..309f689 100644
+--- a/src/polkit/polkitunixgroup.c
+++ b/src/polkit/polkitunixgroup.c
+@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
+ static void
+ polkit_unix_group_init (PolkitUnixGroup *unix_group)
+ {
+  unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
+ }
+ 
+ static void
+@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject      *object,
+                                GParamSpec   *pspec)
+ {
+   PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
+  gint val;
+ 
+   switch (prop_id)
+     {
+     case PROP_GID:
+-      unix_group->gid = g_value_get_int (value);
+      val = g_value_get_int (value);
+      g_return_if_fail (val != -1);
+      unix_group->gid = val;
+       break;
+ 
+     default:
+@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
+                                    g_param_spec_int ("gid",
+                                                      "Group ID",
+                                                      "The UNIX group ID",
+-                                                     0,
+                                                     G_MININT,
+                                                      G_MAXINT,
+-                                                     0,
+                                                     -1,
+                                                      G_PARAM_CONSTRUCT |
+                                                      G_PARAM_READWRITE |
+                                                      G_PARAM_STATIC_NAME |
+@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
+  */
+ void
+ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+-                          gint gid)
+                           gint gid)
+ {
+   g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
+  g_return_if_fail (gid != -1);
+   group->gid = gid;
+ }
+ 
+@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+ PolkitIdentity *
+ polkit_unix_group_new (gint gid)
+ {
+  g_return_val_if_fail (gid != -1, NULL);
+
+   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
+                                        "gid", gid,
+                                        NULL));
+diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
+index 972b777..b02b258 100644
+--- a/src/polkit/polkitunixprocess.c
+++ b/src/polkit/polkitunixprocess.c
+@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject      *object,
+       polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+       break;
+ 
+-    case PROP_UID:
+-      polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
+    case PROP_UID: {
+      gint val;
+
+      val = g_value_get_int (value);
+      g_return_if_fail (val != -1);
+      polkit_unix_process_set_uid (unix_process, val);
+       break;
+    }
+ 
+     case PROP_START_TIME:
+       polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
+                                    g_param_spec_int ("uid",
+                                                      "User ID",
+                                                      "The UNIX user ID",
+-                                                     -1,
+                                                     G_MININT,
+                                                      G_MAXINT,
+                                                      -1,
+                                                      G_PARAM_CONSTRUCT |
+@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
+                              gint               uid)
+ {
+   g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
+-  g_return_if_fail (uid >= -1);
+   process->uid = uid;
+ }
+ 
+diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c
+index 8bfd3a1..234a697 100644
+--- a/src/polkit/polkitunixuser.c
+++ b/src/polkit/polkitunixuser.c
+@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
+ static void
+ polkit_unix_user_init (PolkitUnixUser *unix_user)
+ {
+  unix_user->uid = -1;  /* (uid_t) -1 is not a valid UID under Linux */
+   unix_user->name = NULL;
+ }
+ 
+@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject      *object,
+                                GParamSpec   *pspec)
+ {
+   PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
+  gint val;
+ 
+   switch (prop_id)
+     {
+     case PROP_UID:
+-      unix_user->uid = g_value_get_int (value);
+      val = g_value_get_int (value);
+      g_return_if_fail (val != -1);
+      unix_user->uid = val;
+       break;
+ 
+     default:
+@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
+                                    g_param_spec_int ("uid",
+                                                      "User ID",
+                                                      "The UNIX user ID",
+-                                                     0,
+                                                     G_MININT,
+                                                      G_MAXINT,
+-                                                     0,
+                                                     -1,
+                                                      G_PARAM_CONSTRUCT |
+                                                      G_PARAM_READWRITE |
+                                                      G_PARAM_STATIC_NAME |
+@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+                           gint uid)
+ {
+   g_return_if_fail (POLKIT_IS_UNIX_USER (user));
+  g_return_if_fail (uid != -1);
+   user->uid = uid;
+ }
+ 
+@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+ PolkitIdentity *
+ polkit_unix_user_new (gint uid)
+ {
+  g_return_val_if_fail (uid != -1, NULL);
+
+   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
+                                         "uid", uid,
+                                         NULL));
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
new file mode 100644
index 000000000..097dfd921
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
@@ -0,0 +1,153 @@
+From 17f18d9f81d99b014c680e7e50198d7f190b804e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 3 Dec 2018 11:20:34 +0100
+Subject: [PATCH 2/3] tests: add tests for high uids
+CVE: CVE-2018-19788
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/polkit/polkit/commit/b534a10727455409acd54018a9c91000e7626126]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ test/data/etc/group                           |  1 +
+ test/data/etc/passwd                          |  2 +
+ .../etc/polkit-1/rules.d/10-testing.rules     | 21 ++++++
+ .../test-polkitbackendjsauthority.c           | 72 +++++++++++++++++++
+ 4 files changed, 96 insertions(+)
+diff --git a/test/data/etc/group b/test/data/etc/group
+index 12ef328..b9acab9 100644
+--- a/test/data/etc/group
+++ b/test/data/etc/group
+@@ -5,3 +5,4 @@ john:x:500:
+ jane:x:501:
+ sally:x:502:
+ henry:x:503:
+highuid2:x:4000000000:
+diff --git a/test/data/etc/passwd b/test/data/etc/passwd
+index 8544feb..5cf14a5 100644
+--- a/test/data/etc/passwd
+++ b/test/data/etc/passwd
+@@ -3,3 +3,5 @@ john:x:500:500:John Done:/home/john:/bin/bash
+ jane:x:501:501:Jane Smith:/home/jane:/bin/bash
+ sally:x:502:502:Sally Derp:/home/sally:/bin/bash
+ henry:x:503:503:Henry Herp:/home/henry:/bin/bash
+highuid1:x:2147483648:2147483648:The first high uid:/home/highuid1:/sbin/nologin
+highuid2:x:4000000000:4000000000:An example high uid:/home/example:/sbin/nologin
+diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules
+index 446e622..98bf062 100644
+--- a/test/data/etc/polkit-1/rules.d/10-testing.rules
+++ b/test/data/etc/polkit-1/rules.d/10-testing.rules
+@@ -53,6 +53,27 @@ polkit.addRule(function(action, subject) {
+     }
+ });
+ 
+polkit.addRule(function(action, subject) {
+    if (action.id == "net.company.john_action") {
+        if (subject.user == "john") {
+            return polkit.Result.YES;
+        } else {
+            return polkit.Result.NO;
+        }
+    }
+});
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "net.company.highuid2_action") {
+        if (subject.user == "highuid2") {
+            return polkit.Result.YES;
+        } else {
+            return polkit.Result.NO;
+        }
+    }
+});
+
+
+ // ---------------------------------------------------------------------
+ // variables
+ 
+diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c
+index b484a26..71aad23 100644
+--- a/test/polkitbackend/test-polkitbackendjsauthority.c
+++ b/test/polkitbackend/test-polkitbackendjsauthority.c
+@@ -330,6 +330,78 @@ static const RulesTestCase rules_test_cases[] = {
+     NULL,
+     POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
+   },
+
+  {
+    /* highuid1 is not a member of group 'users', see test/data/etc/group */
+    "group_membership_with_non_member(highuid22)",
+    "net.company.group.only_group_users",
+    "unix-user:highuid2",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
+
+  {
+    /* highuid2 is not a member of group 'users', see test/data/etc/group */
+    "group_membership_with_non_member(highuid21)",
+    "net.company.group.only_group_users",
+    "unix-user:highuid2",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
+
+  {
+    /* highuid1 is not a member of group 'users', see test/data/etc/group */
+    "group_membership_with_non_member(highuid24)",
+    "net.company.group.only_group_users",
+    "unix-user:2147483648",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
+
+  {
+    /* highuid2 is not a member of group 'users', see test/data/etc/group */
+    "group_membership_with_non_member(highuid23)",
+    "net.company.group.only_group_users",
+    "unix-user:4000000000",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
+
+  {
+    /* john is authorized to do this, see 10-testing.rules */
+    "john_action",
+    "net.company.john_action",
+    "unix-user:john",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
+  },
+
+  {
+    /* only john is authorized to do this, see 10-testing.rules */
+    "jane_action",
+    "net.company.john_action",
+    "unix-user:jane",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
+
+  {
+    /* highuid2 is authorized to do this, see 10-testing.rules */
+    "highuid2_action",
+    "net.company.highuid2_action",
+    "unix-user:highuid2",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
+  },
+
+  {
+    /* only highuid2 is authorized to do this, see 10-testing.rules */
+    "highuid1_action",
+    "net.company.highuid2_action",
+    "unix-user:highuid1",
+    NULL,
+    POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
+  },
+ };
+ 
+ /* ---------------------------------------------------------------------------------------------------- */
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch
new file mode 100644
index 000000000..b97a6b06d
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch
@@ -0,0 +1,53 @@
+From 0fd5884a943a92aa076fa3276bd83f502dcb934e Mon Sep 17 00:00:00 2001
+From: Matthew Leeds <matthew.leeds@endlessm.com>
+Date: Tue, 11 Dec 2018 12:04:26 -0800
+Subject: [PATCH 3/3] Allow uid of -1 for a PolkitUnixProcess
+Commit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and
+PolkitUnixProcess to allow negative values for their uid/gid properties,
+since these are values above INT_MAX which wrap around but are still
+valid, with the exception of -1 which is not valid. However,
+PolkitUnixProcess allows a uid of -1 to be passed to
+polkit_unix_process_new_for_owner() which means polkit is expected to
+figure out the uid on its own (this happens in the _constructed
+function). So this commit removes the check in
+polkit_unix_process_set_property() so that new_for_owner() can be used
+as documented without producing a critical error message.
+This does not affect the protection against CVE-2018-19788 which is
+based on creating a user with a UID up to but not including 4294967295
+(-1).
+CVE: CVE-2018-19788
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/polkit/polkit/commit/c05472b86222a72505adc5eec460493980224ef8]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ src/polkit/polkitunixprocess.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
+index b02b258..e2a3c03 100644
+--- a/src/polkit/polkitunixprocess.c
+++ b/src/polkit/polkitunixprocess.c
+@@ -159,14 +159,9 @@ polkit_unix_process_set_property (GObject      *object,
+       polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+       break;
+ 
+-    case PROP_UID: {
+-      gint val;
+-
+-      val = g_value_get_int (value);
+-      g_return_if_fail (val != -1);
+-      polkit_unix_process_set_uid (unix_process, val);
+    case PROP_UID:
+      polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
+       break;
+-    }
+ 
+     case PROP_START_TIME:
+       polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta-oe/recipes-extended/polkit/polkit_0.115.bb b/meta-oe/recipes-extended/polkit/polkit_0.115.bb
index 562a754b2..ca21c0387 100644
--- a/meta-oe/recipes-extended/polkit/polkit_0.115.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_0.115.bb
@@ -23,10 +23,14 @@ PACKAGECONFIG[consolekit] = ",,,consolekit"
 PAM_SRC_URI = "file://polkit-1_pam.patch"
 SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \
-           file://0001-make-netgroup-support-configurable.patch \
+    file://0001-make-netgroup-support-configurable.patch \
-           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
-           file://0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch \
+    file://0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch \
-           "
+    file://CVE-2018-19788_p1.patch \
+    file://CVE-2018-19788_p2.patch \
+    file://CVE-2018-19788_p3.patch \
+"
 SRC_URI[md5sum] = "f03b055d6ae5fc8eac76838c7d83d082"
 SRC_URI[sha256sum] = "2f87ecdabfbd415c6306673ceadc59846f059b18ef2fce42bac63fe283f12131"
author	Dan Tran <dantran@microsoft.com>	2019-09-25 17:12:49 +0000
committer	Armin Kuster <akuster808@gmail.com>	2019-10-05 08:58:45 -0700
commit	6f4dcd00ce677d9df3fed7e12d87a4588dc65661 (patch)
tree	ee49dea3546c93f0bac83c898da29136b94c6a67
parent	0d053082ab13a2668ecc94adbc6d6dd862be1c41 (diff)
download	meta-openembedded-6f4dcd00ce677d9df3fed7e12d87a4588dc65661.tar.gz

diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch new file mode 100644 index 000000000..32ea0bacc --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch
@@ -0,0 +1,194 @@
		1	From cd80aa29c85745ca073cf0581ccdcf2f80aa30db Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
		3	Date: Mon, 3 Dec 2018 10:28:58 +0100
		4	Subject: [PATCH 1/3] Allow negative uids/gids in PolkitUnixUser and Group
		5	objects
		6
		7	(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
		8	there should be no users with such number, see
		9	https://systemd.io/UIDS-GIDS#special-linux-uids.
		10
		11	(uid_t) -1 is used as the default value in class initialization.
		12
		13	When a user or group above INT32_MAX is created, the numeric uid or
		14	gid wraps around to negative when the value is assigned to gint, and
		15	polkit gets confused. Let's accept such gids, except for -1.
		16
		17	A nicer fix would be to change the underlying type to e.g. uint32 to
		18	not have negative values. But this cannot be done without breaking the
		19	API, so likely new functions will have to be added (a
		20	polkit_unix_user_new variant that takes a unsigned, and the same for
		21	_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
		22	require a bigger patch.
		23
		24	Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
		25
		26	CVE: CVE-2018-19788
		27	Upstream-Status: Backport
		28	[https://gitlab.freedesktop.org/polkit/polkit/commit/2cb40c4d5feeaa09325522bd7d97910f1b59e379]
		29
		30	Signed-off-by: Dan Tran <dantran@microsoft.com>
		31	---
		32	src/polkit/polkitunixgroup.c \| 15 +++++++++++----
		33	src/polkit/polkitunixprocess.c \| 12 ++++++++----
		34	src/polkit/polkitunixuser.c \| 13 ++++++++++---
		35	3 files changed, 29 insertions(+), 11 deletions(-)
		36
		37	diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c
		38	index c57a1aa..309f689 100644
		39	--- a/src/polkit/polkitunixgroup.c
		40	+++ b/src/polkit/polkitunixgroup.c
		41	@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
		42	static void
		43	polkit_unix_group_init (PolkitUnixGroup *unix_group)
		44	{
		45	+ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
		46	}
		47
		48	static void
		49	@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object,
		50	GParamSpec *pspec)
		51	{
		52	PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
		53	+ gint val;
		54
		55	switch (prop_id)
		56	{
		57	case PROP_GID:
		58	- unix_group->gid = g_value_get_int (value);
		59	+ val = g_value_get_int (value);
		60	+ g_return_if_fail (val != -1);
		61	+ unix_group->gid = val;
		62	break;
		63
		64	default:
		65	@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
		66	g_param_spec_int ("gid",
		67	"Group ID",
		68	"The UNIX group ID",
		69	- 0,
		70	+ G_MININT,
		71	G_MAXINT,
		72	- 0,
		73	+ -1,
		74	G_PARAM_CONSTRUCT \|
		75	G_PARAM_READWRITE \|
		76	G_PARAM_STATIC_NAME \|
		77	@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
		78	*/
		79	void
		80	polkit_unix_group_set_gid (PolkitUnixGroup *group,
		81	- gint gid)
		82	+ gint gid)
		83	{
		84	g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
		85	+ g_return_if_fail (gid != -1);
		86	group->gid = gid;
		87	}
		88
		89	@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
		90	PolkitIdentity *
		91	polkit_unix_group_new (gint gid)
		92	{
		93	+ g_return_val_if_fail (gid != -1, NULL);
		94	+
		95	return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
		96	"gid", gid,
		97	NULL));
		98	diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
		99	index 972b777..b02b258 100644
		100	--- a/src/polkit/polkitunixprocess.c
		101	+++ b/src/polkit/polkitunixprocess.c
		102	@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject *object,
		103	polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
		104	break;
		105
		106	- case PROP_UID:
		107	- polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
		108	+ case PROP_UID: {
		109	+ gint val;
		110	+
		111	+ val = g_value_get_int (value);
		112	+ g_return_if_fail (val != -1);
		113	+ polkit_unix_process_set_uid (unix_process, val);
		114	break;
		115	+ }
		116
		117	case PROP_START_TIME:
		118	polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
		119	@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
		120	g_param_spec_int ("uid",
		121	"User ID",
		122	"The UNIX user ID",
		123	- -1,
		124	+ G_MININT,
		125	G_MAXINT,
		126	-1,
		127	G_PARAM_CONSTRUCT \|
		128	@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
		129	gint uid)
		130	{
		131	g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
		132	- g_return_if_fail (uid >= -1);
		133	process->uid = uid;
		134	}
		135
		136	diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c
		137	index 8bfd3a1..234a697 100644
		138	--- a/src/polkit/polkitunixuser.c
		139	+++ b/src/polkit/polkitunixuser.c
		140	@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
		141	static void
		142	polkit_unix_user_init (PolkitUnixUser *unix_user)
		143	{
		144	+ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */
		145	unix_user->name = NULL;
		146	}
		147
		148	@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object,
		149	GParamSpec *pspec)
		150	{
		151	PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
		152	+ gint val;
		153
		154	switch (prop_id)
		155	{
		156	case PROP_UID:
		157	- unix_user->uid = g_value_get_int (value);
		158	+ val = g_value_get_int (value);
		159	+ g_return_if_fail (val != -1);
		160	+ unix_user->uid = val;
		161	break;
		162
		163	default:
		164	@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
		165	g_param_spec_int ("uid",
		166	"User ID",
		167	"The UNIX user ID",
		168	- 0,
		169	+ G_MININT,
		170	G_MAXINT,
		171	- 0,
		172	+ -1,
		173	G_PARAM_CONSTRUCT \|
		174	G_PARAM_READWRITE \|
		175	G_PARAM_STATIC_NAME \|
		176	@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
		177	gint uid)
		178	{
		179	g_return_if_fail (POLKIT_IS_UNIX_USER (user));
		180	+ g_return_if_fail (uid != -1);
		181	user->uid = uid;
		182	}
		183
		184	@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
		185	PolkitIdentity *
		186	polkit_unix_user_new (gint uid)
		187	{
		188	+ g_return_val_if_fail (uid != -1, NULL);
		189	+
		190	return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
		191	"uid", uid,
		192	NULL));
		193	--
		194	2.22.0.vfs.1.1.57.gbaf16c8


diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch new file mode 100644 index 000000000..097dfd921 --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
@@ -0,0 +1,153 @@
		1	From 17f18d9f81d99b014c680e7e50198d7f190b804e Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
		3	Date: Mon, 3 Dec 2018 11:20:34 +0100
		4	Subject: [PATCH 2/3] tests: add tests for high uids
		5
		6	CVE: CVE-2018-19788
		7	Upstream-Status: Backport
		8	[https://gitlab.freedesktop.org/polkit/polkit/commit/b534a10727455409acd54018a9c91000e7626126]
		9
		10	Signed-off-by: Dan Tran <dantran@microsoft.com>
		11	---
		12	test/data/etc/group \| 1 +
		13	test/data/etc/passwd \| 2 +
		14	.../etc/polkit-1/rules.d/10-testing.rules \| 21 ++++++
		15	.../test-polkitbackendjsauthority.c \| 72 +++++++++++++++++++
		16	4 files changed, 96 insertions(+)
		17
		18	diff --git a/test/data/etc/group b/test/data/etc/group
		19	index 12ef328..b9acab9 100644
		20	--- a/test/data/etc/group
		21	+++ b/test/data/etc/group
		22	@@ -5,3 +5,4 @@ john:x:500:
		23	jane:x:501:
		24	sally:x:502:
		25	henry:x:503:
		26	+highuid2:x:4000000000:
		27	diff --git a/test/data/etc/passwd b/test/data/etc/passwd
		28	index 8544feb..5cf14a5 100644
		29	--- a/test/data/etc/passwd
		30	+++ b/test/data/etc/passwd
		31	@@ -3,3 +3,5 @@ john:x:500:500:John Done:/home/john:/bin/bash
		32	jane:x:501:501:Jane Smith:/home/jane:/bin/bash
		33	sally:x:502:502:Sally Derp:/home/sally:/bin/bash
		34	henry:x:503:503:Henry Herp:/home/henry:/bin/bash
		35	+highuid1:x:2147483648:2147483648:The first high uid:/home/highuid1:/sbin/nologin
		36	+highuid2:x:4000000000:4000000000:An example high uid:/home/example:/sbin/nologin
		37	diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules
		38	index 446e622..98bf062 100644
		39	--- a/test/data/etc/polkit-1/rules.d/10-testing.rules
		40	+++ b/test/data/etc/polkit-1/rules.d/10-testing.rules
		41	@@ -53,6 +53,27 @@ polkit.addRule(function(action, subject) {
		42	}
		43	});
		44
		45	+polkit.addRule(function(action, subject) {
		46	+ if (action.id == "net.company.john_action") {
		47	+ if (subject.user == "john") {
		48	+ return polkit.Result.YES;
		49	+ } else {
		50	+ return polkit.Result.NO;
		51	+ }
		52	+ }
		53	+});
		54	+
		55	+polkit.addRule(function(action, subject) {
		56	+ if (action.id == "net.company.highuid2_action") {
		57	+ if (subject.user == "highuid2") {
		58	+ return polkit.Result.YES;
		59	+ } else {
		60	+ return polkit.Result.NO;
		61	+ }
		62	+ }
		63	+});
		64	+
		65	+
		66	// ---------------------------------------------------------------------
		67	// variables
		68
		69	diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c
		70	index b484a26..71aad23 100644
		71	--- a/test/polkitbackend/test-polkitbackendjsauthority.c
		72	+++ b/test/polkitbackend/test-polkitbackendjsauthority.c
		73	@@ -330,6 +330,78 @@ static const RulesTestCase rules_test_cases[] = {
		74	NULL,
		75	POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
		76	},
		77	+
		78	+ {
		79	+ /* highuid1 is not a member of group 'users', see test/data/etc/group */
		80	+ "group_membership_with_non_member(highuid22)",
		81	+ "net.company.group.only_group_users",
		82	+ "unix-user:highuid2",
		83	+ NULL,
		84	+ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
		85	+ },
		86	+
		87	+ {
		88	+ /* highuid2 is not a member of group 'users', see test/data/etc/group */
		89	+ "group_membership_with_non_member(highuid21)",
		90	+ "net.company.group.only_group_users",
		91	+ "unix-user:highuid2",
		92	+ NULL,
		93	+ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
		94	+ },
		95	+
		96	+ {
		97	+ /* highuid1 is not a member of group 'users', see test/data/etc/group */
		98	+ "group_membership_with_non_member(highuid24)",
		99	+ "net.company.group.only_group_users",
		100	+ "unix-user:2147483648",
		101	+ NULL,
		102	+ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
		103	+ },
		104	+
		105	+ {
		106	+ /* highuid2 is not a member of group 'users', see test/data/etc/group */
		107	+ "group_membership_with_non_member(highuid23)",
		108	+ "net.company.group.only_group_users",
		109	+ "unix-user:4000000000",
		110	+ NULL,
		111	+ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
		112	+ },
		113	+
		114	+ {
		115	+ /* john is authorized to do this, see 10-testing.rules */
		116	+ "john_action",
		117	+ "net.company.john_action",
		118	+ "unix-user:john",
		119	+ NULL,
		120	+ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
		121	+ },
		122	+
		123	+ {
		124	+ /* only john is authorized to do this, see 10-testing.rules */
		125	+ "jane_action",
		126	+ "net.company.john_action",
		127	+ "unix-user:jane",
		128	+ NULL,
		129	+ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
		130	+ },
		131	+
		132	+ {
		133	+ /* highuid2 is authorized to do this, see 10-testing.rules */
		134	+ "highuid2_action",
		135	+ "net.company.highuid2_action",
		136	+ "unix-user:highuid2",
		137	+ NULL,
		138	+ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
		139	+ },
		140	+
		141	+ {
		142	+ /* only highuid2 is authorized to do this, see 10-testing.rules */
		143	+ "highuid1_action",
		144	+ "net.company.highuid2_action",
		145	+ "unix-user:highuid1",
		146	+ NULL,
		147	+ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
		148	+ },
		149	};
		150
		151	/* ---------------------------------------------------------------------------------------------------- */
		152	--
		153	2.22.0.vfs.1.1.57.gbaf16c8


diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch new file mode 100644 index 000000000..b97a6b06d --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch
@@ -0,0 +1,53 @@
		1	From 0fd5884a943a92aa076fa3276bd83f502dcb934e Mon Sep 17 00:00:00 2001
		2	From: Matthew Leeds <matthew.leeds@endlessm.com>
		3	Date: Tue, 11 Dec 2018 12:04:26 -0800
		4	Subject: [PATCH 3/3] Allow uid of -1 for a PolkitUnixProcess
		5
		6	Commit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and
		7	PolkitUnixProcess to allow negative values for their uid/gid properties,
		8	since these are values above INT_MAX which wrap around but are still
		9	valid, with the exception of -1 which is not valid. However,
		10	PolkitUnixProcess allows a uid of -1 to be passed to
		11	polkit_unix_process_new_for_owner() which means polkit is expected to
		12	figure out the uid on its own (this happens in the _constructed
		13	function). So this commit removes the check in
		14	polkit_unix_process_set_property() so that new_for_owner() can be used
		15	as documented without producing a critical error message.
		16
		17	This does not affect the protection against CVE-2018-19788 which is
		18	based on creating a user with a UID up to but not including 4294967295
		19	(-1).
		20
		21	CVE: CVE-2018-19788
		22	Upstream-Status: Backport
		23	[https://gitlab.freedesktop.org/polkit/polkit/commit/c05472b86222a72505adc5eec460493980224ef8]
		24
		25	Signed-off-by: Dan Tran <dantran@microsoft.com>
		26	---
		27	src/polkit/polkitunixprocess.c \| 9 ++-------
		28	1 file changed, 2 insertions(+), 7 deletions(-)
		29
		30	diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
		31	index b02b258..e2a3c03 100644
		32	--- a/src/polkit/polkitunixprocess.c
		33	+++ b/src/polkit/polkitunixprocess.c
		34	@@ -159,14 +159,9 @@ polkit_unix_process_set_property (GObject *object,
		35	polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
		36	break;
		37
		38	- case PROP_UID: {
		39	- gint val;
		40	-
		41	- val = g_value_get_int (value);
		42	- g_return_if_fail (val != -1);
		43	- polkit_unix_process_set_uid (unix_process, val);
		44	+ case PROP_UID:
		45	+ polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
		46	break;
		47	- }
		48
		49	case PROP_START_TIME:
		50	polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
		51	--
		52	2.22.0.vfs.1.1.57.gbaf16c8
		53


diff --git a/meta-oe/recipes-extended/polkit/polkit_0.115.bb b/meta-oe/recipes-extended/polkit/polkit_0.115.bb index 562a754b2..ca21c0387 100644 --- a/meta-oe/recipes-extended/polkit/polkit_0.115.bb +++ b/meta-oe/recipes-extended/polkit/polkit_0.115.bb
@@ -23,10 +23,14 @@ PACKAGECONFIG[consolekit] = ",,,consolekit"
23		23
24	PAM_SRC_URI = "file://polkit-1_pam.patch"	24	PAM_SRC_URI = "file://polkit-1_pam.patch"
25	SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \	25	SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \
26	file://0001-make-netgroup-support-configurable.patch \	26	file://0001-make-netgroup-support-configurable.patch \
27	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \	27	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
28	file://0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch \	28	file://0001-backend-Compare-PolkitUnixProcess-uids-for-temporary.patch \
29	"	29	file://CVE-2018-19788_p1.patch \
		30	file://CVE-2018-19788_p2.patch \
		31	file://CVE-2018-19788_p3.patch \
		32	"
		33
30	SRC_URI[md5sum] = "f03b055d6ae5fc8eac76838c7d83d082"	34	SRC_URI[md5sum] = "f03b055d6ae5fc8eac76838c7d83d082"
31	SRC_URI[sha256sum] = "2f87ecdabfbd415c6306673ceadc59846f059b18ef2fce42bac63fe283f12131"	35	SRC_URI[sha256sum] = "2f87ecdabfbd415c6306673ceadc59846f059b18ef2fce42bac63fe283f12131"
32		36