diff options
author | Dan Tran <dantran@microsoft.com> | 2019-09-25 17:12:49 +0000 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2019-10-05 09:01:00 -0700 |
commit | eb9b369b2491aabdbda08c3b3c87f36caa0bdd0f (patch) | |
tree | 3ef3038a03afd8a3f7de57d8850ba00fc158281c /meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch | |
parent | 436cf0aa2b2802da706588d4daa1a8240d172df8 (diff) | |
download | meta-openembedded-eb9b369b2491aabdbda08c3b3c87f36caa0bdd0f.tar.gz |
polkit: Fix CVE-2018-19788
Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch')
-rw-r--r-- | meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch | 194 |
1 files changed, 194 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch new file mode 100644 index 000000000..32ea0bacc --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch | |||
@@ -0,0 +1,194 @@ | |||
1 | From cd80aa29c85745ca073cf0581ccdcf2f80aa30db Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> | ||
3 | Date: Mon, 3 Dec 2018 10:28:58 +0100 | ||
4 | Subject: [PATCH 1/3] Allow negative uids/gids in PolkitUnixUser and Group | ||
5 | objects | ||
6 | |||
7 | (uid_t) -1 is still used as placeholder to mean "unset". This is OK, since | ||
8 | there should be no users with such number, see | ||
9 | https://systemd.io/UIDS-GIDS#special-linux-uids. | ||
10 | |||
11 | (uid_t) -1 is used as the default value in class initialization. | ||
12 | |||
13 | When a user or group above INT32_MAX is created, the numeric uid or | ||
14 | gid wraps around to negative when the value is assigned to gint, and | ||
15 | polkit gets confused. Let's accept such gids, except for -1. | ||
16 | |||
17 | A nicer fix would be to change the underlying type to e.g. uint32 to | ||
18 | not have negative values. But this cannot be done without breaking the | ||
19 | API, so likely new functions will have to be added (a | ||
20 | polkit_unix_user_new variant that takes a unsigned, and the same for | ||
21 | _group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will | ||
22 | require a bigger patch. | ||
23 | |||
24 | Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74. | ||
25 | |||
26 | CVE: CVE-2018-19788 | ||
27 | Upstream-Status: Backport | ||
28 | [https://gitlab.freedesktop.org/polkit/polkit/commit/2cb40c4d5feeaa09325522bd7d97910f1b59e379] | ||
29 | |||
30 | Signed-off-by: Dan Tran <dantran@microsoft.com> | ||
31 | --- | ||
32 | src/polkit/polkitunixgroup.c | 15 +++++++++++---- | ||
33 | src/polkit/polkitunixprocess.c | 12 ++++++++---- | ||
34 | src/polkit/polkitunixuser.c | 13 ++++++++++--- | ||
35 | 3 files changed, 29 insertions(+), 11 deletions(-) | ||
36 | |||
37 | diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c | ||
38 | index c57a1aa..309f689 100644 | ||
39 | --- a/src/polkit/polkitunixgroup.c | ||
40 | +++ b/src/polkit/polkitunixgroup.c | ||
41 | @@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT, | ||
42 | static void | ||
43 | polkit_unix_group_init (PolkitUnixGroup *unix_group) | ||
44 | { | ||
45 | + unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */ | ||
46 | } | ||
47 | |||
48 | static void | ||
49 | @@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object, | ||
50 | GParamSpec *pspec) | ||
51 | { | ||
52 | PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object); | ||
53 | + gint val; | ||
54 | |||
55 | switch (prop_id) | ||
56 | { | ||
57 | case PROP_GID: | ||
58 | - unix_group->gid = g_value_get_int (value); | ||
59 | + val = g_value_get_int (value); | ||
60 | + g_return_if_fail (val != -1); | ||
61 | + unix_group->gid = val; | ||
62 | break; | ||
63 | |||
64 | default: | ||
65 | @@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass) | ||
66 | g_param_spec_int ("gid", | ||
67 | "Group ID", | ||
68 | "The UNIX group ID", | ||
69 | - 0, | ||
70 | + G_MININT, | ||
71 | G_MAXINT, | ||
72 | - 0, | ||
73 | + -1, | ||
74 | G_PARAM_CONSTRUCT | | ||
75 | G_PARAM_READWRITE | | ||
76 | G_PARAM_STATIC_NAME | | ||
77 | @@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group) | ||
78 | */ | ||
79 | void | ||
80 | polkit_unix_group_set_gid (PolkitUnixGroup *group, | ||
81 | - gint gid) | ||
82 | + gint gid) | ||
83 | { | ||
84 | g_return_if_fail (POLKIT_IS_UNIX_GROUP (group)); | ||
85 | + g_return_if_fail (gid != -1); | ||
86 | group->gid = gid; | ||
87 | } | ||
88 | |||
89 | @@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group, | ||
90 | PolkitIdentity * | ||
91 | polkit_unix_group_new (gint gid) | ||
92 | { | ||
93 | + g_return_val_if_fail (gid != -1, NULL); | ||
94 | + | ||
95 | return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP, | ||
96 | "gid", gid, | ||
97 | NULL)); | ||
98 | diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c | ||
99 | index 972b777..b02b258 100644 | ||
100 | --- a/src/polkit/polkitunixprocess.c | ||
101 | +++ b/src/polkit/polkitunixprocess.c | ||
102 | @@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject *object, | ||
103 | polkit_unix_process_set_pid (unix_process, g_value_get_int (value)); | ||
104 | break; | ||
105 | |||
106 | - case PROP_UID: | ||
107 | - polkit_unix_process_set_uid (unix_process, g_value_get_int (value)); | ||
108 | + case PROP_UID: { | ||
109 | + gint val; | ||
110 | + | ||
111 | + val = g_value_get_int (value); | ||
112 | + g_return_if_fail (val != -1); | ||
113 | + polkit_unix_process_set_uid (unix_process, val); | ||
114 | break; | ||
115 | + } | ||
116 | |||
117 | case PROP_START_TIME: | ||
118 | polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value)); | ||
119 | @@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass) | ||
120 | g_param_spec_int ("uid", | ||
121 | "User ID", | ||
122 | "The UNIX user ID", | ||
123 | - -1, | ||
124 | + G_MININT, | ||
125 | G_MAXINT, | ||
126 | -1, | ||
127 | G_PARAM_CONSTRUCT | | ||
128 | @@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process, | ||
129 | gint uid) | ||
130 | { | ||
131 | g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process)); | ||
132 | - g_return_if_fail (uid >= -1); | ||
133 | process->uid = uid; | ||
134 | } | ||
135 | |||
136 | diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c | ||
137 | index 8bfd3a1..234a697 100644 | ||
138 | --- a/src/polkit/polkitunixuser.c | ||
139 | +++ b/src/polkit/polkitunixuser.c | ||
140 | @@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT, | ||
141 | static void | ||
142 | polkit_unix_user_init (PolkitUnixUser *unix_user) | ||
143 | { | ||
144 | + unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */ | ||
145 | unix_user->name = NULL; | ||
146 | } | ||
147 | |||
148 | @@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object, | ||
149 | GParamSpec *pspec) | ||
150 | { | ||
151 | PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object); | ||
152 | + gint val; | ||
153 | |||
154 | switch (prop_id) | ||
155 | { | ||
156 | case PROP_UID: | ||
157 | - unix_user->uid = g_value_get_int (value); | ||
158 | + val = g_value_get_int (value); | ||
159 | + g_return_if_fail (val != -1); | ||
160 | + unix_user->uid = val; | ||
161 | break; | ||
162 | |||
163 | default: | ||
164 | @@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass) | ||
165 | g_param_spec_int ("uid", | ||
166 | "User ID", | ||
167 | "The UNIX user ID", | ||
168 | - 0, | ||
169 | + G_MININT, | ||
170 | G_MAXINT, | ||
171 | - 0, | ||
172 | + -1, | ||
173 | G_PARAM_CONSTRUCT | | ||
174 | G_PARAM_READWRITE | | ||
175 | G_PARAM_STATIC_NAME | | ||
176 | @@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, | ||
177 | gint uid) | ||
178 | { | ||
179 | g_return_if_fail (POLKIT_IS_UNIX_USER (user)); | ||
180 | + g_return_if_fail (uid != -1); | ||
181 | user->uid = uid; | ||
182 | } | ||
183 | |||
184 | @@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user, | ||
185 | PolkitIdentity * | ||
186 | polkit_unix_user_new (gint uid) | ||
187 | { | ||
188 | + g_return_val_if_fail (uid != -1, NULL); | ||
189 | + | ||
190 | return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER, | ||
191 | "uid", uid, | ||
192 | NULL)); | ||
193 | -- | ||
194 | 2.22.0.vfs.1.1.57.gbaf16c8 | ||