polkit: add patches for CVE-2021-4034 and CVE-2021-4115

They were available in polkit master branch and cherry-pick to 0.119 version works so pick the patches. Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
author: Mikko Rapeli <mikko.rapeli@bmw.de> 2022-03-25 10:56:26 +0200
committer: Khem Raj <raj.khem@gmail.com> 2022-03-25 08:28:48 -0700
commit: d5eef01fcea66b93002ed563cf39ebcc71bf42c9 (patch)
tree: 1989479eca394b76f2f444790fa113ea3c4c3ec0
parent: 97c904c765a860759d2320d6a67421ce1ecb705b (diff)
download: meta-openembedded-d5eef01fcea66b93002ed563cf39ebcc71bf42c9.tar.gz
3 files changed, 174 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/polkit/polkit/0001-pkexec-local-privilege-escalation-CVE-2021-4034.patch b/meta-oe/recipes-extended/polkit/polkit/0001-pkexec-local-privilege-escalation-CVE-2021-4034.patch
new file mode 100644
index 0000000000..c725c001dd
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/0001-pkexec-local-privilege-escalation-CVE-2021-4034.patch
@@ -0,0 +1,84 @@
+From 85c2dd9275cdfb369f613089f22733c0f1ba2aec Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH 1/3] pkexec: local privilege escalation (CVE-2021-4034)
+Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
+---
+ src/programs/pkcheck.c |  5 +++++
+ src/programs/pkexec.c  | 23 ++++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+CVE: CVE-2021-4034
+Upstream-Status: Backport [a2bf5c9c83b6ae46cbd5c779d3055bff81ded683]
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index f1bb4e1..768525c 100644
+--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+   local_agent_handle = NULL;
+   ret = 126;
+ 
+  if (argc < 1)
+    {
+      exit(126);
+    }
+
+   /* Disable remote file access from GIO. */
+   setenv ("GIO_USE_VFS", "local", 1);
+ 
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 7698c5c..84e5ef6 100644
+--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+   pid_t pid_of_caller;
+   gpointer local_agent_handle;
+ 
+
+  /*
+   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
+   */
+  if (argc<1)
+    {
+      exit(127);
+    }
+
+   ret = 127;
+   authority = NULL;
+   subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+ 
+       path = g_strdup (pwstruct.pw_shell);
+       if (!path)
+-       {
+        {
+           g_printerr ("No shell configured or error retrieving pw_shell\n");
+           goto out;
+-       }
+        }
+       /* If you change this, be sure to change the if (!command_line)
+         case below too */
+       command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+           goto out;
+         }
+       g_free (path);
+-      argv[n] = path = s;
+      path = s;
+
+      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+       */
+      if (argv[n] != NULL)
+      {
+        argv[n] = path;
+      }
+     }
+   if (access (path, F_OK) != 0)
+     {
+-- 
+2.20.1
diff --git a/meta-oe/recipes-extended/polkit/polkit/0002-CVE-2021-4115-GHSL-2021-077-fix.patch b/meta-oe/recipes-extended/polkit/polkit/0002-CVE-2021-4115-GHSL-2021-077-fix.patch
new file mode 100644
index 0000000000..fcad872dc3
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/0002-CVE-2021-4115-GHSL-2021-077-fix.patch
@@ -0,0 +1,88 @@
+From c86aea01a06ad4d6c428137e9cfe2f74b1ae7f01 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Mon, 21 Feb 2022 08:29:05 +0000
+Subject: [PATCH 2/3] CVE-2021-4115 (GHSL-2021-077) fix
+Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
+---
+ src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++----
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+CVE: CVE-2021-4115
+Upstream-Status: Backport [41cb093f554da8772362654a128a84dd8a5542a7]
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8ed1363..2fbf5f1 100644
+--- a/src/polkit/polkitsystembusname.c
+++ b/src/polkit/polkitsystembusname.c
+@@ -62,6 +62,10 @@ enum
+   PROP_NAME,
+ };
+ 
+
+guint8 dbus_call_respond_fails;      // has to be global because of callback
+
+
+ static void subject_iface_init (PolkitSubjectIface *subject_iface);
+ 
+ G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
+@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject              *src,
+   if (!v)
+     {
+       data->caught_error = TRUE;
+      dbus_call_respond_fails += 1;
+     }
+   else
+     {
+@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+   tmp_context = g_main_context_new ();
+   g_main_context_push_thread_default (tmp_context);
+ 
+  dbus_call_respond_fails = 0;
+
+   /* Do two async calls as it's basically as fast as one sync call.
+    */
+   g_dbus_connection_call (connection,
+@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+                          on_retrieved_unix_uid_pid,
+                          &data);
+ 
+-  while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+-    g_main_context_iteration (tmp_context, TRUE);
+  while (TRUE)
+  {
+    /* If one dbus call returns error, we must wait until the other call
+     * calls _call_finish(), otherwise fd leak is possible.
+     * Resolves: GHSL-2021-077
+    */
+ 
+-  if (data.caught_error)
+-    goto out;
+    if ( (dbus_call_respond_fails > 1) )
+    {
+      // we got two faults, we can leave
+      goto out;
+    }
+
+    if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
+    {
+      // we got one fault and the other call finally finished, we can leave
+      goto out;
+    }
+
+    if ( !(data.retrieved_uid && data.retrieved_pid) )
+    {
+      g_main_context_iteration (tmp_context, TRUE);
+    }
+    else
+    {
+      break;
+    }
+  }
+ 
+   if (out_uid)
+     *out_uid = data.uid;
+-- 
+2.20.1
diff --git a/meta-oe/recipes-extended/polkit/polkit_0.119.bb b/meta-oe/recipes-extended/polkit/polkit_0.119.bb
index 8a326a9815..b68ecaf089 100644
--- a/meta-oe/recipes-extended/polkit/polkit_0.119.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_0.119.bb
@@ -27,6 +27,8 @@ SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.
           file://0003-make-netgroup-support-optional.patch \
           file://0002-jsauthority-port-to-mozjs-91.patch \
           file://0003-jsauthority-ensure-to-call-JS_Init-and-JS_ShutDown-e.patch \
+           file://0001-pkexec-local-privilege-escalation-CVE-2021-4034.patch \
+           file://0002-CVE-2021-4115-GHSL-2021-077-fix.patch \
           "
 SRC_URI[sha256sum] = "c8579fdb86e94295404211285fee0722ad04893f0213e571bd75c00972fd1f5c"
author	Mikko Rapeli <mikko.rapeli@bmw.de>	2022-03-25 10:56:26 +0200
committer	Khem Raj <raj.khem@gmail.com>	2022-03-25 08:28:48 -0700
commit	d5eef01fcea66b93002ed563cf39ebcc71bf42c9 (patch)
tree	1989479eca394b76f2f444790fa113ea3c4c3ec0
parent	97c904c765a860759d2320d6a67421ce1ecb705b (diff)
download	meta-openembedded-d5eef01fcea66b93002ed563cf39ebcc71bf42c9.tar.gz

diff --git a/meta-oe/recipes-extended/polkit/polkit/0001-pkexec-local-privilege-escalation-CVE-2021-4034.patch b/meta-oe/recipes-extended/polkit/polkit/0001-pkexec-local-privilege-escalation-CVE-2021-4034.patch new file mode 100644 index 0000000000..c725c001dd --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/0001-pkexec-local-privilege-escalation-CVE-2021-4034.patch
@@ -0,0 +1,84 @@
		1	From 85c2dd9275cdfb369f613089f22733c0f1ba2aec Mon Sep 17 00:00:00 2001
		2	From: Jan Rybar <jrybar@redhat.com>
		3	Date: Tue, 25 Jan 2022 17:21:46 +0000
		4	Subject: [PATCH 1/3] pkexec: local privilege escalation (CVE-2021-4034)
		5
		6	Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
		7
		8	---
		9	src/programs/pkcheck.c \| 5 +++++
		10	src/programs/pkexec.c \| 23 ++++++++++++++++++++---
		11	2 files changed, 25 insertions(+), 3 deletions(-)
		12
		13	CVE: CVE-2021-4034
		14	Upstream-Status: Backport [a2bf5c9c83b6ae46cbd5c779d3055bff81ded683]
		15
		16	diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
		17	index f1bb4e1..768525c 100644
		18	--- a/src/programs/pkcheck.c
		19	+++ b/src/programs/pkcheck.c
		20	@@ -363,6 +363,11 @@ main (int argc, char *argv[])
		21	local_agent_handle = NULL;
		22	ret = 126;
		23
		24	+ if (argc < 1)
		25	+ {
		26	+ exit(126);
		27	+ }
		28	+
		29	/* Disable remote file access from GIO. */
		30	setenv ("GIO_USE_VFS", "local", 1);
		31
		32	diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
		33	index 7698c5c..84e5ef6 100644
		34	--- a/src/programs/pkexec.c
		35	+++ b/src/programs/pkexec.c
		36	@@ -488,6 +488,15 @@ main (int argc, char *argv[])
		37	pid_t pid_of_caller;
		38	gpointer local_agent_handle;
		39
		40	+
		41	+ /*
		42	+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
		43	+ */
		44	+ if (argc<1)
		45	+ {
		46	+ exit(127);
		47	+ }
		48	+
		49	ret = 127;
		50	authority = NULL;
		51	subject = NULL;
		52	@@ -614,10 +623,10 @@ main (int argc, char *argv[])
		53
		54	path = g_strdup (pwstruct.pw_shell);
		55	if (!path)
		56	- {
		57	+ {
		58	g_printerr ("No shell configured or error retrieving pw_shell\n");
		59	goto out;
		60	- }
		61	+ }
		62	/* If you change this, be sure to change the if (!command_line)
		63	case below too */
		64	command_line = g_strdup (path);
		65	@@ -636,7 +645,15 @@ main (int argc, char *argv[])
		66	goto out;
		67	}
		68	g_free (path);
		69	- argv[n] = path = s;
		70	+ path = s;
		71	+
		72	+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
		73	+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
		74	+ */
		75	+ if (argv[n] != NULL)
		76	+ {
		77	+ argv[n] = path;
		78	+ }
		79	}
		80	if (access (path, F_OK) != 0)
		81	{
		82	--
		83	2.20.1
		84


diff --git a/meta-oe/recipes-extended/polkit/polkit/0002-CVE-2021-4115-GHSL-2021-077-fix.patch b/meta-oe/recipes-extended/polkit/polkit/0002-CVE-2021-4115-GHSL-2021-077-fix.patch new file mode 100644 index 0000000000..fcad872dc3 --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/0002-CVE-2021-4115-GHSL-2021-077-fix.patch
@@ -0,0 +1,88 @@
		1	From c86aea01a06ad4d6c428137e9cfe2f74b1ae7f01 Mon Sep 17 00:00:00 2001
		2	From: Jan Rybar <jrybar@redhat.com>
		3	Date: Mon, 21 Feb 2022 08:29:05 +0000
		4	Subject: [PATCH 2/3] CVE-2021-4115 (GHSL-2021-077) fix
		5
		6	Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
		7
		8	---
		9	src/polkit/polkitsystembusname.c \| 38 ++++++++++++++++++++++++++++----
		10	1 file changed, 34 insertions(+), 4 deletions(-)
		11
		12	CVE: CVE-2021-4115
		13	Upstream-Status: Backport [41cb093f554da8772362654a128a84dd8a5542a7]
		14
		15	diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
		16	index 8ed1363..2fbf5f1 100644
		17	--- a/src/polkit/polkitsystembusname.c
		18	+++ b/src/polkit/polkitsystembusname.c
		19	@@ -62,6 +62,10 @@ enum
		20	PROP_NAME,
		21	};
		22
		23	+
		24	+guint8 dbus_call_respond_fails; // has to be global because of callback
		25	+
		26	+
		27	static void subject_iface_init (PolkitSubjectIface *subject_iface);
		28
		29	G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
		30	@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
		31	if (!v)
		32	{
		33	data->caught_error = TRUE;
		34	+ dbus_call_respond_fails += 1;
		35	}
		36	else
		37	{
		38	@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
		39	tmp_context = g_main_context_new ();
		40	g_main_context_push_thread_default (tmp_context);
		41
		42	+ dbus_call_respond_fails = 0;
		43	+
		44	/* Do two async calls as it's basically as fast as one sync call.
		45	*/
		46	g_dbus_connection_call (connection,
		47	@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
		48	on_retrieved_unix_uid_pid,
		49	&data);
		50
		51	- while (!((data.retrieved_uid && data.retrieved_pid) \|\| data.caught_error))
		52	- g_main_context_iteration (tmp_context, TRUE);
		53	+ while (TRUE)
		54	+ {
		55	+ /* If one dbus call returns error, we must wait until the other call
		56	+ * calls _call_finish(), otherwise fd leak is possible.
		57	+ * Resolves: GHSL-2021-077
		58	+ */
		59
		60	- if (data.caught_error)
		61	- goto out;
		62	+ if ( (dbus_call_respond_fails > 1) )
		63	+ {
		64	+ // we got two faults, we can leave
		65	+ goto out;
		66	+ }
		67	+
		68	+ if ((data.caught_error && (data.retrieved_pid \|\| data.retrieved_uid)))
		69	+ {
		70	+ // we got one fault and the other call finally finished, we can leave
		71	+ goto out;
		72	+ }
		73	+
		74	+ if ( !(data.retrieved_uid && data.retrieved_pid) )
		75	+ {
		76	+ g_main_context_iteration (tmp_context, TRUE);
		77	+ }
		78	+ else
		79	+ {
		80	+ break;
		81	+ }
		82	+ }
		83
		84	if (out_uid)
		85	*out_uid = data.uid;
		86	--
		87	2.20.1
		88


diff --git a/meta-oe/recipes-extended/polkit/polkit_0.119.bb b/meta-oe/recipes-extended/polkit/polkit_0.119.bb index 8a326a9815..b68ecaf089 100644 --- a/meta-oe/recipes-extended/polkit/polkit_0.119.bb +++ b/meta-oe/recipes-extended/polkit/polkit_0.119.bb
@@ -27,6 +27,8 @@ SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.
27	file://0003-make-netgroup-support-optional.patch \	27	file://0003-make-netgroup-support-optional.patch \
28	file://0002-jsauthority-port-to-mozjs-91.patch \	28	file://0002-jsauthority-port-to-mozjs-91.patch \
29	file://0003-jsauthority-ensure-to-call-JS_Init-and-JS_ShutDown-e.patch \	29	file://0003-jsauthority-ensure-to-call-JS_Init-and-JS_ShutDown-e.patch \
		30	file://0001-pkexec-local-privilege-escalation-CVE-2021-4034.patch \
		31	file://0002-CVE-2021-4115-GHSL-2021-077-fix.patch \
30	"	32	"
31	SRC_URI[sha256sum] = "c8579fdb86e94295404211285fee0722ad04893f0213e571bd75c00972fd1f5c"	33	SRC_URI[sha256sum] = "c8579fdb86e94295404211285fee0722ad04893f0213e571bd75c00972fd1f5c"
32		34