5 files changed, 138 insertions, 52 deletions
diff --git a/meta-oe/recipes-extended/polkit/polkit/0002-jsauthority-port-to-mozjs-91.patch b/meta-oe/recipes-extended/polkit/polkit/0002-jsauthority-port-to-mozjs-91.patch
new file mode 100644
index 0000000000..5b3660da2f
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/0002-jsauthority-port-to-mozjs-91.patch
@@ -0,0 +1,38 @@
+From 4ce27b66bb07b72cb96d3d43a75108a5a6e7e156 Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry111@mengyan1223.wang>
+Date: Tue, 10 Aug 2021 19:09:42 +0800
+Subject: [PATCH] jsauthority: port to mozjs-91
+Upstream-Status: Submitted [https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/92]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ configure.ac | 2 +-
+ meson.build  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/configure.ac b/configure.ac
+index d807086..5a7fc11 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
+ AC_SUBST(GLIB_CFLAGS)
+ AC_SUBST(GLIB_LIBS)
+ 
+-PKG_CHECK_MODULES(LIBJS, [mozjs-78])
+PKG_CHECK_MODULES(LIBJS, [mozjs-91])
+ 
+ AC_SUBST(LIBJS_CFLAGS)
+ AC_SUBST(LIBJS_CXXFLAGS)
+diff --git a/meson.build b/meson.build
+index b3702be..733bbff 100644
+--- a/meson.build
+++ b/meson.build
+@@ -126,7 +126,7 @@ expat_dep = dependency('expat')
+ assert(cc.has_header('expat.h', dependencies: expat_dep), 'Can\'t find expat.h. Please install expat.')
+ assert(cc.has_function('XML_ParserCreate', dependencies: expat_dep), 'Can\'t find expat library. Please install expat.')
+ 
+-mozjs_dep = dependency('mozjs-78')
+mozjs_dep = dependency('mozjs-91')
+ 
+ dbus_dep = dependency('dbus-1')
+ dbus_confdir = dbus_dep.get_pkgconfig_variable('datadir', define_variable: ['datadir', pk_prefix / pk_datadir])   #changed from sysconfdir with respect to commit#8eada3836465838
diff --git a/meta-oe/recipes-extended/polkit/polkit/0003-jsauthority-ensure-to-call-JS_Init-and-JS_ShutDown-e.patch b/meta-oe/recipes-extended/polkit/polkit/0003-jsauthority-ensure-to-call-JS_Init-and-JS_ShutDown-e.patch
new file mode 100644
index 0000000000..9e9755e44f
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/0003-jsauthority-ensure-to-call-JS_Init-and-JS_ShutDown-e.patch
@@ -0,0 +1,63 @@
+From 7799441b9aa55324160deefbc65f9d918b8c94c1 Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao <xry111@mengyan1223.wang>
+Date: Tue, 10 Aug 2021 18:52:56 +0800
+Subject: [PATCH] jsauthority: ensure to call JS_Init() and JS_ShutDown()
+ exactly once
+Before this commit, we were calling JS_Init() in
+polkit_backend_js_authority_class_init and never called JS_ShutDown.
+This is actually a misusage of SpiderMonkey API.  Quote from a comment
+in js/Initialization.h (both mozjs-78 and mozjs-91):
+    It is currently not possible to initialize SpiderMonkey multiple
+    times (that is, calling JS_Init/JSAPI methods/JS_ShutDown in that
+    order, then doing so again).
+This misusage does not cause severe issues with mozjs-78.  However, when
+we eventually port jsauthority to use mozjs-91, bad thing will happen:
+see the test failure mentioned in #150.
+This commit is tested with both mozjs-78 and mozjs-91, all tests pass
+with it.
+Upstream-Status: Submitted [https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/91]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ src/polkitbackend/polkitbackendjsauthority.cpp | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
+index 41d8d5c..38dc001 100644
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -75,6 +75,13 @@
+ 
+ /* ---------------------------------------------------------------------------------------------------- */
+ 
+static class JsInitHelperType
+{
+public:
+       JsInitHelperType() { JS_Init(); }
+       ~JsInitHelperType() { JS_ShutDown(); }
+} JsInitHelper;
+
+ struct _PolkitBackendJsAuthorityPrivate
+ {
+   gchar **rules_dirs;
+@@ -589,7 +596,6 @@ polkit_backend_js_authority_finalize (GObject *object)
+   delete authority->priv->js_polkit;
+ 
+   JS_DestroyContext (authority->priv->cx);
+-  /* JS_ShutDown (); */
+ 
+   G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->finalize (object);
+ }
+@@ -665,8 +671,6 @@ polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass)
+ 
+ 
+   g_type_class_add_private (klass, sizeof (PolkitBackendJsAuthorityPrivate));
+-
+-  JS_Init ();
+ }
+ 
+ /* ---------------------------------------------------------------------------------------------------- */
diff --git a/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch b/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch
index fd7251369e..1a268f2d0d 100644
--- a/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch
+++ b/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch
@@ -1,4 +1,4 @@
-From 21aa2747e8f0048759aab184b07dd6389666d5e6 Mon Sep 17 00:00:00 2001
+From 0c1debb380fee7f5b2bc62406e45856dc9c9e1a1 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 22 May 2019 13:18:55 -0700
 Subject: [PATCH] make netgroup support optional
@@ -17,20 +17,23 @@ Fixes bug 50145.
 Closes polkit/polkit#14.
 Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com>
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
 configure.ac                                     |  2 +-
 src/polkit/polkitidentity.c                      | 16 ++++++++++++++++
 src/polkit/polkitunixnetgroup.c                  |  3 +++
 .../polkitbackendinteractiveauthority.c          | 14 ++++++++------
- src/polkitbackend/polkitbackendjsauthority.cpp   |  2 ++
+ src/polkitbackend/polkitbackendjsauthority.cpp   |  3 +++
 test/polkit/polkitidentitytest.c                 |  9 ++++++++-
 test/polkit/polkitunixnetgrouptest.c             |  3 +++
 .../test-polkitbackendjsauthority.c              |  2 ++
- 8 files changed, 43 insertions(+), 8 deletions(-)
+ 8 files changed, 44 insertions(+), 8 deletions(-)
+diff --git a/configure.ac b/configure.ac
+index b625743..d807086 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXP
+@@ -100,7 +100,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXPAT_LIBS="-lexpat"],
             [AC_MSG_ERROR([Can't find expat library. Please install expat.])])
 AC_SUBST(EXPAT_LIBS)
 
@@ -39,9 +42,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
 
 if test "x$GCC" = "xyes"; then
   LDFLAGS="-Wl,--as-needed $LDFLAGS"
+diff --git a/src/polkit/polkitidentity.c b/src/polkit/polkitidentity.c
+index 3aa1f7f..10e9c17 100644
 --- a/src/polkit/polkitidentity.c
 +++ b/src/polkit/polkitidentity.c
-@@ -182,7 +182,15 @@ polkit_identity_from_string  (const gcha
+@@ -182,7 +182,15 @@ polkit_identity_from_string  (const gchar   *str,
     }
   else if (g_str_has_prefix (str, "unix-netgroup:"))
     {
@@ -57,7 +62,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
     }
 
   if (identity == NULL && (error != NULL && *error == NULL))
-@@ -344,6 +352,13 @@ polkit_identity_new_for_gvariant (GVaria
+@@ -344,6 +352,13 @@ polkit_identity_new_for_gvariant (GVariant  *variant,
       GVariant *v;
       const char *name;
 
@@ -71,7 +76,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
       v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error);
       if (v == NULL)
         {
-@@ -353,6 +368,7 @@ polkit_identity_new_for_gvariant (GVaria
+@@ -353,6 +368,7 @@ polkit_identity_new_for_gvariant (GVariant  *variant,
       name = g_variant_get_string (v, NULL);
       ret = polkit_unix_netgroup_new (name);
       g_variant_unref (v);
@@ -79,9 +84,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
     }
   else
     {
+diff --git a/src/polkit/polkitunixnetgroup.c b/src/polkit/polkitunixnetgroup.c
+index 8a2b369..83f8d4a 100644
 --- a/src/polkit/polkitunixnetgroup.c
 +++ b/src/polkit/polkitunixnetgroup.c
-@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUni
+@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUnixNetgroup *group,
 PolkitIdentity *
 polkit_unix_netgroup_new (const gchar *name)
 {
@@ -91,9 +98,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
   g_return_val_if_fail (name != NULL, NULL);
   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP,
                                        "name", name,
+diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
+index 056d9a8..36c2f3d 100644
 --- a/src/polkitbackend/polkitbackendinteractiveauthority.c
 +++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
-@@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity
+@@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity                    *group,
   GList *ret;
 
   ret = NULL;
@@ -126,7 +135,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
       PolkitIdentity *user;
       GError *error = NULL;
 
-@@ -2282,6 +2283,7 @@ get_users_in_net_group (PolkitIdentity
+@@ -2282,6 +2283,7 @@ get_users_in_net_group (PolkitIdentity                    *group,
 
  out:
   endnetgrent ();
@@ -134,9 +143,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
   return ret;
 }
 
+diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
+index ca17108..41d8d5c 100644
 --- a/src/polkitbackend/polkitbackendjsauthority.cpp
 +++ b/src/polkitbackend/polkitbackendjsauthority.cpp
-@@ -1502,6 +1502,7 @@ js_polkit_user_is_in_netgroup (JSContext
+@@ -1520,6 +1520,7 @@ js_polkit_user_is_in_netgroup (JSContext  *cx,
 
   JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
 
@@ -144,14 +155,17 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
   JS::RootedString usrstr (authority->priv->cx);
   usrstr = args[0].toString();
   user = JS_EncodeStringToUTF8 (cx, usrstr);
-@@ -1519,6 +1520,7 @@ js_polkit_user_is_in_netgroup (JSContext
+@@ -1535,6 +1536,8 @@ js_polkit_user_is_in_netgroup (JSContext  *cx,
+       is_in_netgroup =  true;
+     }
 
-   JS_free (cx, netgroup);
-   JS_free (cx, user);
 +#endif
- 
+
   ret = true;
 
+   args.rval ().setBoolean (is_in_netgroup);
+diff --git a/test/polkit/polkitidentitytest.c b/test/polkit/polkitidentitytest.c
+index e91967b..e829aaa 100644
 --- a/test/polkit/polkitidentitytest.c
 +++ b/test/polkit/polkitidentitytest.c
 @@ -19,6 +19,7 @@
@@ -162,7 +176,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
 #include "glib.h"
 #include <polkit/polkit.h>
 #include <polkit/polkitprivate.h>
-@@ -145,11 +146,15 @@ struct ComparisonTestData comparison_tes
+@@ -145,11 +146,15 @@ struct ComparisonTestData comparison_test_data [] = {
   {"unix-group:root", "unix-group:jane", FALSE},
   {"unix-group:jane", "unix-group:jane", TRUE},
 
@@ -193,6 +207,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
 
   add_comparison_tests ();
 
+diff --git a/test/polkit/polkitunixnetgrouptest.c b/test/polkit/polkitunixnetgrouptest.c
+index 3701ba1..e3352eb 100644
 --- a/test/polkit/polkitunixnetgrouptest.c
 +++ b/test/polkit/polkitunixnetgrouptest.c
 @@ -19,6 +19,7 @@
@@ -213,6 +229,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
 +#endif
   return g_test_run ();
 }
+diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c
+index f97e0e0..fc52149 100644
 --- a/test/polkitbackend/test-polkitbackendjsauthority.c
 +++ b/test/polkitbackend/test-polkitbackendjsauthority.c
 @@ -137,12 +137,14 @@ test_get_admin_identities (void)
diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch
deleted file mode 100644
index 76308ffdb9..0000000000
--- a/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001
-From: Jan Rybar <jrybar@redhat.com>
-Date: Wed, 2 Jun 2021 15:43:38 +0200
-Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit
-initial values returned if error caught
-CVE: CVE-2021-3560
-Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81]
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
- src/polkit/polkitsystembusname.c | 3 +++
- 1 file changed, 3 insertions(+)
-diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
-index 8daa12c..8ed1363 100644
--- a/src/polkit/polkitsystembusname.c
-+++ b/src/polkit/polkitsystembusname.c
-@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
-   while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
-     g_main_context_iteration (tmp_context, TRUE);
- 
-+  if (data.caught_error)
-+    goto out;
-+
-   if (out_uid)
-     *out_uid = data.uid;
-   if (out_pid)
-- 
-2.29.2
diff --git a/meta-oe/recipes-extended/polkit/polkit_0.116.bb b/meta-oe/recipes-extended/polkit/polkit_0.119.bb
index 6408933ea3..a41b0fecad 100644
--- a/meta-oe/recipes-extended/polkit/polkit_0.116.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_0.119.bb
@@ -25,10 +25,10 @@ PAM_SRC_URI = "file://polkit-1_pam.patch"
 SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
           file://0003-make-netgroup-support-optional.patch \
-           file://CVE-2021-3560.patch \
+           file://0002-jsauthority-port-to-mozjs-91.patch \
+           file://0003-jsauthority-ensure-to-call-JS_Init-and-JS_ShutDown-e.patch \
           "
-SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a"
+SRC_URI[sha256sum] = "c8579fdb86e94295404211285fee0722ad04893f0213e571bd75c00972fd1f5c"
-SRC_URI[sha256sum] = "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1"
 EXTRA_OECONF = "--with-os-type=moblin \
                --disable-man-pages \

diff --git a/meta-oe/recipes-extended/polkit/polkit/0002-jsauthority-port-to-mozjs-91.patch b/meta-oe/recipes-extended/polkit/polkit/0002-jsauthority-port-to-mozjs-91.patch new file mode 100644 index 0000000000..5b3660da2f --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/0002-jsauthority-port-to-mozjs-91.patch
@@ -0,0 +1,38 @@
		1	From 4ce27b66bb07b72cb96d3d43a75108a5a6e7e156 Mon Sep 17 00:00:00 2001
		2	From: Xi Ruoyao <xry111@mengyan1223.wang>
		3	Date: Tue, 10 Aug 2021 19:09:42 +0800
		4	Subject: [PATCH] jsauthority: port to mozjs-91
		5
		6	Upstream-Status: Submitted [https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/92]
		7	Signed-off-by: Alexander Kanavin <alex@linutronix.de>
		8	---
		9	configure.ac \| 2 +-
		10	meson.build \| 2 +-
		11	2 files changed, 2 insertions(+), 2 deletions(-)
		12
		13	diff --git a/configure.ac b/configure.ac
		14	index d807086..5a7fc11 100644
		15	--- a/configure.ac
		16	+++ b/configure.ac
		17	@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
		18	AC_SUBST(GLIB_CFLAGS)
		19	AC_SUBST(GLIB_LIBS)
		20
		21	-PKG_CHECK_MODULES(LIBJS, [mozjs-78])
		22	+PKG_CHECK_MODULES(LIBJS, [mozjs-91])
		23
		24	AC_SUBST(LIBJS_CFLAGS)
		25	AC_SUBST(LIBJS_CXXFLAGS)
		26	diff --git a/meson.build b/meson.build
		27	index b3702be..733bbff 100644
		28	--- a/meson.build
		29	+++ b/meson.build
		30	@@ -126,7 +126,7 @@ expat_dep = dependency('expat')
		31	assert(cc.has_header('expat.h', dependencies: expat_dep), 'Can\'t find expat.h. Please install expat.')
		32	assert(cc.has_function('XML_ParserCreate', dependencies: expat_dep), 'Can\'t find expat library. Please install expat.')
		33
		34	-mozjs_dep = dependency('mozjs-78')
		35	+mozjs_dep = dependency('mozjs-91')
		36
		37	dbus_dep = dependency('dbus-1')
		38	dbus_confdir = dbus_dep.get_pkgconfig_variable('datadir', define_variable: ['datadir', pk_prefix / pk_datadir]) #changed from sysconfdir with respect to commit#8eada3836465838


diff --git a/meta-oe/recipes-extended/polkit/polkit/0003-jsauthority-ensure-to-call-JS_Init-and-JS_ShutDown-e.patch b/meta-oe/recipes-extended/polkit/polkit/0003-jsauthority-ensure-to-call-JS_Init-and-JS_ShutDown-e.patch new file mode 100644 index 0000000000..9e9755e44f --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/0003-jsauthority-ensure-to-call-JS_Init-and-JS_ShutDown-e.patch
@@ -0,0 +1,63 @@
		1	From 7799441b9aa55324160deefbc65f9d918b8c94c1 Mon Sep 17 00:00:00 2001
		2	From: Xi Ruoyao <xry111@mengyan1223.wang>
		3	Date: Tue, 10 Aug 2021 18:52:56 +0800
		4	Subject: [PATCH] jsauthority: ensure to call JS_Init() and JS_ShutDown()
		5	exactly once
		6
		7	Before this commit, we were calling JS_Init() in
		8	polkit_backend_js_authority_class_init and never called JS_ShutDown.
		9	This is actually a misusage of SpiderMonkey API. Quote from a comment
		10	in js/Initialization.h (both mozjs-78 and mozjs-91):
		11
		12	It is currently not possible to initialize SpiderMonkey multiple
		13	times (that is, calling JS_Init/JSAPI methods/JS_ShutDown in that
		14	order, then doing so again).
		15
		16	This misusage does not cause severe issues with mozjs-78. However, when
		17	we eventually port jsauthority to use mozjs-91, bad thing will happen:
		18	see the test failure mentioned in #150.
		19
		20	This commit is tested with both mozjs-78 and mozjs-91, all tests pass
		21	with it.
		22
		23	Upstream-Status: Submitted [https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/91]
		24	Signed-off-by: Alexander Kanavin <alex@linutronix.de>
		25	---
		26	src/polkitbackend/polkitbackendjsauthority.cpp \| 10 +++++++---
		27	1 file changed, 7 insertions(+), 3 deletions(-)
		28
		29	diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
		30	index 41d8d5c..38dc001 100644
		31	--- a/src/polkitbackend/polkitbackendjsauthority.cpp
		32	+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
		33	@@ -75,6 +75,13 @@
		34
		35	/* ---------------------------------------------------------------------------------------------------- */
		36
		37	+static class JsInitHelperType
		38	+{
		39	+public:
		40	+ JsInitHelperType() { JS_Init(); }
		41	+ ~JsInitHelperType() { JS_ShutDown(); }
		42	+} JsInitHelper;
		43	+
		44	struct _PolkitBackendJsAuthorityPrivate
		45	{
		46	gchar **rules_dirs;
		47	@@ -589,7 +596,6 @@ polkit_backend_js_authority_finalize (GObject *object)
		48	delete authority->priv->js_polkit;
		49
		50	JS_DestroyContext (authority->priv->cx);
		51	- /* JS_ShutDown (); */
		52
		53	G_OBJECT_CLASS (polkit_backend_js_authority_parent_class)->finalize (object);
		54	}
		55	@@ -665,8 +671,6 @@ polkit_backend_js_authority_class_init (PolkitBackendJsAuthorityClass *klass)
		56
		57
		58	g_type_class_add_private (klass, sizeof (PolkitBackendJsAuthorityPrivate));
		59	-
		60	- JS_Init ();
		61	}
		62
		63	/* ---------------------------------------------------------------------------------------------------- */


diff --git a/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch b/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch index fd7251369e..1a268f2d0d 100644 --- a/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch +++ b/meta-oe/recipes-extended/polkit/polkit/0003-make-netgroup-support-optional.patch
@@ -1,4 +1,4 @@
1	From 21aa2747e8f0048759aab184b07dd6389666d5e6 Mon Sep 17 00:00:00 2001	1	From 0c1debb380fee7f5b2bc62406e45856dc9c9e1a1 Mon Sep 17 00:00:00 2001
2	From: Khem Raj <raj.khem@gmail.com>	2	From: Khem Raj <raj.khem@gmail.com>
3	Date: Wed, 22 May 2019 13:18:55 -0700	3	Date: Wed, 22 May 2019 13:18:55 -0700
4	Subject: [PATCH] make netgroup support optional	4	Subject: [PATCH] make netgroup support optional
@@ -17,20 +17,23 @@ Fixes bug 50145.
17	Closes polkit/polkit#14.	17	Closes polkit/polkit#14.
18	Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com>	18	Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com>
19	Signed-off-by: Khem Raj <raj.khem@gmail.com>	19	Signed-off-by: Khem Raj <raj.khem@gmail.com>
		20
20	---	21	---
21	configure.ac \| 2 +-	22	configure.ac \| 2 +-
22	src/polkit/polkitidentity.c \| 16 ++++++++++++++++	23	src/polkit/polkitidentity.c \| 16 ++++++++++++++++
23	src/polkit/polkitunixnetgroup.c \| 3 +++	24	src/polkit/polkitunixnetgroup.c \| 3 +++
24	.../polkitbackendinteractiveauthority.c \| 14 ++++++++------	25	.../polkitbackendinteractiveauthority.c \| 14 ++++++++------
25	src/polkitbackend/polkitbackendjsauthority.cpp \| 2 ++	26	src/polkitbackend/polkitbackendjsauthority.cpp \| 3 +++
26	test/polkit/polkitidentitytest.c \| 9 ++++++++-	27	test/polkit/polkitidentitytest.c \| 9 ++++++++-
27	test/polkit/polkitunixnetgrouptest.c \| 3 +++	28	test/polkit/polkitunixnetgrouptest.c \| 3 +++
28	.../test-polkitbackendjsauthority.c \| 2 ++	29	.../test-polkitbackendjsauthority.c \| 2 ++
29	8 files changed, 43 insertions(+), 8 deletions(-)	30	8 files changed, 44 insertions(+), 8 deletions(-)
30		31
		32	diff --git a/configure.ac b/configure.ac
		33	index b625743..d807086 100644
31	--- a/configure.ac	34	--- a/configure.ac
32	+++ b/configure.ac	35	+++ b/configure.ac
33	@@ -99,7 +99,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXP	36	@@ -100,7 +100,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXPAT_LIBS="-lexpat"],
34	[AC_MSG_ERROR([Can't find expat library. Please install expat.])])	37	[AC_MSG_ERROR([Can't find expat library. Please install expat.])])
35	AC_SUBST(EXPAT_LIBS)	38	AC_SUBST(EXPAT_LIBS)
36		39
@@ -39,9 +42,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
39		42
40	if test "x$GCC" = "xyes"; then	43	if test "x$GCC" = "xyes"; then
41	LDFLAGS="-Wl,--as-needed $LDFLAGS"	44	LDFLAGS="-Wl,--as-needed $LDFLAGS"
		45	diff --git a/src/polkit/polkitidentity.c b/src/polkit/polkitidentity.c
		46	index 3aa1f7f..10e9c17 100644
42	--- a/src/polkit/polkitidentity.c	47	--- a/src/polkit/polkitidentity.c
43	+++ b/src/polkit/polkitidentity.c	48	+++ b/src/polkit/polkitidentity.c
44	@@ -182,7 +182,15 @@ polkit_identity_from_string (const gcha	49	@@ -182,7 +182,15 @@ polkit_identity_from_string (const gchar *str,
45	}	50	}
46	else if (g_str_has_prefix (str, "unix-netgroup:"))	51	else if (g_str_has_prefix (str, "unix-netgroup:"))
47	{	52	{
@@ -57,7 +62,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
57	}	62	}
58		63
59	if (identity == NULL && (error != NULL && *error == NULL))	64	if (identity == NULL && (error != NULL && *error == NULL))
60	@@ -344,6 +352,13 @@ polkit_identity_new_for_gvariant (GVaria	65	@@ -344,6 +352,13 @@ polkit_identity_new_for_gvariant (GVariant *variant,
61	GVariant *v;	66	GVariant *v;
62	const char *name;	67	const char *name;
63		68
@@ -71,7 +76,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
71	v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error);	76	v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error);
72	if (v == NULL)	77	if (v == NULL)
73	{	78	{
74	@@ -353,6 +368,7 @@ polkit_identity_new_for_gvariant (GVaria	79	@@ -353,6 +368,7 @@ polkit_identity_new_for_gvariant (GVariant *variant,
75	name = g_variant_get_string (v, NULL);	80	name = g_variant_get_string (v, NULL);
76	ret = polkit_unix_netgroup_new (name);	81	ret = polkit_unix_netgroup_new (name);
77	g_variant_unref (v);	82	g_variant_unref (v);
@@ -79,9 +84,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
79	}	84	}
80	else	85	else
81	{	86	{
		87	diff --git a/src/polkit/polkitunixnetgroup.c b/src/polkit/polkitunixnetgroup.c
		88	index 8a2b369..83f8d4a 100644
82	--- a/src/polkit/polkitunixnetgroup.c	89	--- a/src/polkit/polkitunixnetgroup.c
83	+++ b/src/polkit/polkitunixnetgroup.c	90	+++ b/src/polkit/polkitunixnetgroup.c
84	@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUni	91	@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUnixNetgroup *group,
85	PolkitIdentity *	92	PolkitIdentity *
86	polkit_unix_netgroup_new (const gchar *name)	93	polkit_unix_netgroup_new (const gchar *name)
87	{	94	{
@@ -91,9 +98,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
91	g_return_val_if_fail (name != NULL, NULL);	98	g_return_val_if_fail (name != NULL, NULL);
92	return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP,	99	return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP,
93	"name", name,	100	"name", name,
		101	diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
		102	index 056d9a8..36c2f3d 100644
94	--- a/src/polkitbackend/polkitbackendinteractiveauthority.c	103	--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
95	+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c	104	+++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
96	@@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity	105	@@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity *group,
97	GList *ret;	106	GList *ret;
98		107
99	ret = NULL;	108	ret = NULL;
@@ -126,7 +135,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
126	PolkitIdentity *user;	135	PolkitIdentity *user;
127	GError *error = NULL;	136	GError *error = NULL;
128		137
129	@@ -2282,6 +2283,7 @@ get_users_in_net_group (PolkitIdentity	138	@@ -2282,6 +2283,7 @@ get_users_in_net_group (PolkitIdentity *group,
130		139
131	out:	140	out:
132	endnetgrent ();	141	endnetgrent ();
@@ -134,9 +143,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
134	return ret;	143	return ret;
135	}	144	}
136		145
		146	diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
		147	index ca17108..41d8d5c 100644
137	--- a/src/polkitbackend/polkitbackendjsauthority.cpp	148	--- a/src/polkitbackend/polkitbackendjsauthority.cpp
138	+++ b/src/polkitbackend/polkitbackendjsauthority.cpp	149	+++ b/src/polkitbackend/polkitbackendjsauthority.cpp
139	@@ -1502,6 +1502,7 @@ js_polkit_user_is_in_netgroup (JSContext	150	@@ -1520,6 +1520,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx,
140		151
141	JS::CallArgs args = JS::CallArgsFromVp (argc, vp);	152	JS::CallArgs args = JS::CallArgsFromVp (argc, vp);
142		153
@@ -144,14 +155,17 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
144	JS::RootedString usrstr (authority->priv->cx);	155	JS::RootedString usrstr (authority->priv->cx);
145	usrstr = args[0].toString();	156	usrstr = args[0].toString();
146	user = JS_EncodeStringToUTF8 (cx, usrstr);	157	user = JS_EncodeStringToUTF8 (cx, usrstr);
147	@@ -1519,6 +1520,7 @@ js_polkit_user_is_in_netgroup (JSContext	158	@@ -1535,6 +1536,8 @@ js_polkit_user_is_in_netgroup (JSContext *cx,
		159	is_in_netgroup = true;
		160	}
148		161
149	JS_free (cx, netgroup);
150	JS_free (cx, user);
151	+#endif	162	+#endif
152		163	+
153	ret = true;	164	ret = true;
154		165
		166	args.rval ().setBoolean (is_in_netgroup);
		167	diff --git a/test/polkit/polkitidentitytest.c b/test/polkit/polkitidentitytest.c
		168	index e91967b..e829aaa 100644
155	--- a/test/polkit/polkitidentitytest.c	169	--- a/test/polkit/polkitidentitytest.c
156	+++ b/test/polkit/polkitidentitytest.c	170	+++ b/test/polkit/polkitidentitytest.c
157	@@ -19,6 +19,7 @@	171	@@ -19,6 +19,7 @@
@@ -162,7 +176,7 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
162	#include "glib.h"	176	#include "glib.h"
163	#include <polkit/polkit.h>	177	#include <polkit/polkit.h>
164	#include <polkit/polkitprivate.h>	178	#include <polkit/polkitprivate.h>
165	@@ -145,11 +146,15 @@ struct ComparisonTestData comparison_tes	179	@@ -145,11 +146,15 @@ struct ComparisonTestData comparison_test_data [] = {
166	{"unix-group:root", "unix-group:jane", FALSE},	180	{"unix-group:root", "unix-group:jane", FALSE},
167	{"unix-group:jane", "unix-group:jane", TRUE},	181	{"unix-group:jane", "unix-group:jane", TRUE},
168		182
@@ -193,6 +207,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
193		207
194	add_comparison_tests ();	208	add_comparison_tests ();
195		209
		210	diff --git a/test/polkit/polkitunixnetgrouptest.c b/test/polkit/polkitunixnetgrouptest.c
		211	index 3701ba1..e3352eb 100644
196	--- a/test/polkit/polkitunixnetgrouptest.c	212	--- a/test/polkit/polkitunixnetgrouptest.c
197	+++ b/test/polkit/polkitunixnetgrouptest.c	213	+++ b/test/polkit/polkitunixnetgrouptest.c
198	@@ -19,6 +19,7 @@	214	@@ -19,6 +19,7 @@
@@ -213,6 +229,8 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com>
213	+#endif	229	+#endif
214	return g_test_run ();	230	return g_test_run ();
215	}	231	}
		232	diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c
		233	index f97e0e0..fc52149 100644
216	--- a/test/polkitbackend/test-polkitbackendjsauthority.c	234	--- a/test/polkitbackend/test-polkitbackendjsauthority.c
217	+++ b/test/polkitbackend/test-polkitbackendjsauthority.c	235	+++ b/test/polkitbackend/test-polkitbackendjsauthority.c
218	@@ -137,12 +137,14 @@ test_get_admin_identities (void)	236	@@ -137,12 +137,14 @@ test_get_admin_identities (void)


diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch deleted file mode 100644 index 76308ffdb9..0000000000 --- a/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch +++ /dev/null
@@ -1,33 +0,0 @@
1	From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001
2	From: Jan Rybar <jrybar@redhat.com>
3	Date: Wed, 2 Jun 2021 15:43:38 +0200
4	Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit
5
6	initial values returned if error caught
7
8	CVE: CVE-2021-3560
9
10	Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81]
11
12	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
13	---
14	src/polkit/polkitsystembusname.c \| 3 +++
15	1 file changed, 3 insertions(+)
16
17	diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
18	index 8daa12c..8ed1363 100644
19	--- a/src/polkit/polkitsystembusname.c
20	+++ b/src/polkit/polkitsystembusname.c
21	@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
22	while (!((data.retrieved_uid && data.retrieved_pid) \|\| data.caught_error))
23	g_main_context_iteration (tmp_context, TRUE);
24
25	+ if (data.caught_error)
26	+ goto out;
27	+
28	if (out_uid)
29	*out_uid = data.uid;
30	if (out_pid)
31	--
32	2.29.2
33


diff --git a/meta-oe/recipes-extended/polkit/polkit_0.116.bb b/meta-oe/recipes-extended/polkit/polkit_0.119.bb index 6408933ea3..a41b0fecad 100644 --- a/meta-oe/recipes-extended/polkit/polkit_0.116.bb +++ b/meta-oe/recipes-extended/polkit/polkit_0.119.bb
@@ -25,10 +25,10 @@ PAM_SRC_URI = "file://polkit-1_pam.patch"
25	SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \	25	SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \
26	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \	26	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
27	file://0003-make-netgroup-support-optional.patch \	27	file://0003-make-netgroup-support-optional.patch \
28	file://CVE-2021-3560.patch \	28	file://0002-jsauthority-port-to-mozjs-91.patch \
		29	file://0003-jsauthority-ensure-to-call-JS_Init-and-JS_ShutDown-e.patch \
29	"	30	"
30	SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a"	31	SRC_URI[sha256sum] = "c8579fdb86e94295404211285fee0722ad04893f0213e571bd75c00972fd1f5c"
31	SRC_URI[sha256sum] = "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1"
32		32
33	EXTRA_OECONF = "--with-os-type=moblin \	33	EXTRA_OECONF = "--with-os-type=moblin \
34	--disable-man-pages \	34	--disable-man-pages \