1 files changed, 194 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch
new file mode 100644
index 000000000..32ea0bacc
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch
@@ -0,0 +1,194 @@
+From cd80aa29c85745ca073cf0581ccdcf2f80aa30db Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 3 Dec 2018 10:28:58 +0100
+Subject: [PATCH 1/3] Allow negative uids/gids in PolkitUnixUser and Group
+ objects
+(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
+there should be no users with such number, see
+https://systemd.io/UIDS-GIDS#special-linux-uids.
+(uid_t) -1 is used as the default value in class initialization.
+When a user or group above INT32_MAX is created, the numeric uid or
+gid wraps around to negative when the value is assigned to gint, and
+polkit gets confused. Let's accept such gids, except for -1.
+A nicer fix would be to change the underlying type to e.g. uint32 to
+not have negative values. But this cannot be done without breaking the
+API, so likely new functions will have to be added (a
+polkit_unix_user_new variant that takes a unsigned, and the same for
+_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
+require a bigger patch.
+Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
+CVE: CVE-2018-19788
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/polkit/polkit/commit/2cb40c4d5feeaa09325522bd7d97910f1b59e379]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ src/polkit/polkitunixgroup.c   | 15 +++++++++++----
+ src/polkit/polkitunixprocess.c | 12 ++++++++----
+ src/polkit/polkitunixuser.c    | 13 ++++++++++---
+ 3 files changed, 29 insertions(+), 11 deletions(-)
+diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c
+index c57a1aa..309f689 100644
+--- a/src/polkit/polkitunixgroup.c
+++ b/src/polkit/polkitunixgroup.c
+@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
+ static void
+ polkit_unix_group_init (PolkitUnixGroup *unix_group)
+ {
+  unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
+ }
+ 
+ static void
+@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject      *object,
+                                GParamSpec   *pspec)
+ {
+   PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
+  gint val;
+ 
+   switch (prop_id)
+     {
+     case PROP_GID:
+-      unix_group->gid = g_value_get_int (value);
+      val = g_value_get_int (value);
+      g_return_if_fail (val != -1);
+      unix_group->gid = val;
+       break;
+ 
+     default:
+@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
+                                    g_param_spec_int ("gid",
+                                                      "Group ID",
+                                                      "The UNIX group ID",
+-                                                     0,
+                                                     G_MININT,
+                                                      G_MAXINT,
+-                                                     0,
+                                                     -1,
+                                                      G_PARAM_CONSTRUCT |
+                                                      G_PARAM_READWRITE |
+                                                      G_PARAM_STATIC_NAME |
+@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
+  */
+ void
+ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+-                          gint gid)
+                           gint gid)
+ {
+   g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
+  g_return_if_fail (gid != -1);
+   group->gid = gid;
+ }
+ 
+@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+ PolkitIdentity *
+ polkit_unix_group_new (gint gid)
+ {
+  g_return_val_if_fail (gid != -1, NULL);
+
+   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
+                                        "gid", gid,
+                                        NULL));
+diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
+index 972b777..b02b258 100644
+--- a/src/polkit/polkitunixprocess.c
+++ b/src/polkit/polkitunixprocess.c
+@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject      *object,
+       polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+       break;
+ 
+-    case PROP_UID:
+-      polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
+    case PROP_UID: {
+      gint val;
+
+      val = g_value_get_int (value);
+      g_return_if_fail (val != -1);
+      polkit_unix_process_set_uid (unix_process, val);
+       break;
+    }
+ 
+     case PROP_START_TIME:
+       polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
+                                    g_param_spec_int ("uid",
+                                                      "User ID",
+                                                      "The UNIX user ID",
+-                                                     -1,
+                                                     G_MININT,
+                                                      G_MAXINT,
+                                                      -1,
+                                                      G_PARAM_CONSTRUCT |
+@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
+                              gint               uid)
+ {
+   g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
+-  g_return_if_fail (uid >= -1);
+   process->uid = uid;
+ }
+ 
+diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c
+index 8bfd3a1..234a697 100644
+--- a/src/polkit/polkitunixuser.c
+++ b/src/polkit/polkitunixuser.c
+@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
+ static void
+ polkit_unix_user_init (PolkitUnixUser *unix_user)
+ {
+  unix_user->uid = -1;  /* (uid_t) -1 is not a valid UID under Linux */
+   unix_user->name = NULL;
+ }
+ 
+@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject      *object,
+                                GParamSpec   *pspec)
+ {
+   PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
+  gint val;
+ 
+   switch (prop_id)
+     {
+     case PROP_UID:
+-      unix_user->uid = g_value_get_int (value);
+      val = g_value_get_int (value);
+      g_return_if_fail (val != -1);
+      unix_user->uid = val;
+       break;
+ 
+     default:
+@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
+                                    g_param_spec_int ("uid",
+                                                      "User ID",
+                                                      "The UNIX user ID",
+-                                                     0,
+                                                     G_MININT,
+                                                      G_MAXINT,
+-                                                     0,
+                                                     -1,
+                                                      G_PARAM_CONSTRUCT |
+                                                      G_PARAM_READWRITE |
+                                                      G_PARAM_STATIC_NAME |
+@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+                           gint uid)
+ {
+   g_return_if_fail (POLKIT_IS_UNIX_USER (user));
+  g_return_if_fail (uid != -1);
+   user->uid = uid;
+ }
+ 
+@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
+ PolkitIdentity *
+ polkit_unix_user_new (gint uid)
+ {
+  g_return_val_if_fail (uid != -1, NULL);
+
+   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
+                                         "uid", uid,
+                                         NULL));
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8

diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch new file mode 100644 index 000000000..32ea0bacc --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p1.patch
@@ -0,0 +1,194 @@
	1	From cd80aa29c85745ca073cf0581ccdcf2f80aa30db Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
	3	Date: Mon, 3 Dec 2018 10:28:58 +0100
	4	Subject: [PATCH 1/3] Allow negative uids/gids in PolkitUnixUser and Group
	5	objects
	6
	7	(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
	8	there should be no users with such number, see
	9	https://systemd.io/UIDS-GIDS#special-linux-uids.
	10
	11	(uid_t) -1 is used as the default value in class initialization.
	12
	13	When a user or group above INT32_MAX is created, the numeric uid or
	14	gid wraps around to negative when the value is assigned to gint, and
	15	polkit gets confused. Let's accept such gids, except for -1.
	16
	17	A nicer fix would be to change the underlying type to e.g. uint32 to
	18	not have negative values. But this cannot be done without breaking the
	19	API, so likely new functions will have to be added (a
	20	polkit_unix_user_new variant that takes a unsigned, and the same for
	21	_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
	22	require a bigger patch.
	23
	24	Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
	25
	26	CVE: CVE-2018-19788
	27	Upstream-Status: Backport
	28	[https://gitlab.freedesktop.org/polkit/polkit/commit/2cb40c4d5feeaa09325522bd7d97910f1b59e379]
	29
	30	Signed-off-by: Dan Tran <dantran@microsoft.com>
	31	---
	32	src/polkit/polkitunixgroup.c \| 15 +++++++++++----
	33	src/polkit/polkitunixprocess.c \| 12 ++++++++----
	34	src/polkit/polkitunixuser.c \| 13 ++++++++++---
	35	3 files changed, 29 insertions(+), 11 deletions(-)
	36
	37	diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c
	38	index c57a1aa..309f689 100644
	39	--- a/src/polkit/polkitunixgroup.c
	40	+++ b/src/polkit/polkitunixgroup.c
	41	@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
	42	static void
	43	polkit_unix_group_init (PolkitUnixGroup *unix_group)
	44	{
	45	+ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
	46	}
	47
	48	static void
	49	@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject *object,
	50	GParamSpec *pspec)
	51	{
	52	PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
	53	+ gint val;
	54
	55	switch (prop_id)
	56	{
	57	case PROP_GID:
	58	- unix_group->gid = g_value_get_int (value);
	59	+ val = g_value_get_int (value);
	60	+ g_return_if_fail (val != -1);
	61	+ unix_group->gid = val;
	62	break;
	63
	64	default:
	65	@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
	66	g_param_spec_int ("gid",
	67	"Group ID",
	68	"The UNIX group ID",
	69	- 0,
	70	+ G_MININT,
	71	G_MAXINT,
	72	- 0,
	73	+ -1,
	74	G_PARAM_CONSTRUCT \|
	75	G_PARAM_READWRITE \|
	76	G_PARAM_STATIC_NAME \|
	77	@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
	78	*/
	79	void
	80	polkit_unix_group_set_gid (PolkitUnixGroup *group,
	81	- gint gid)
	82	+ gint gid)
	83	{
	84	g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
	85	+ g_return_if_fail (gid != -1);
	86	group->gid = gid;
	87	}
	88
	89	@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
	90	PolkitIdentity *
	91	polkit_unix_group_new (gint gid)
	92	{
	93	+ g_return_val_if_fail (gid != -1, NULL);
	94	+
	95	return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
	96	"gid", gid,
	97	NULL));
	98	diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
	99	index 972b777..b02b258 100644
	100	--- a/src/polkit/polkitunixprocess.c
	101	+++ b/src/polkit/polkitunixprocess.c
	102	@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject *object,
	103	polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
	104	break;
	105
	106	- case PROP_UID:
	107	- polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
	108	+ case PROP_UID: {
	109	+ gint val;
	110	+
	111	+ val = g_value_get_int (value);
	112	+ g_return_if_fail (val != -1);
	113	+ polkit_unix_process_set_uid (unix_process, val);
	114	break;
	115	+ }
	116
	117	case PROP_START_TIME:
	118	polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
	119	@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
	120	g_param_spec_int ("uid",
	121	"User ID",
	122	"The UNIX user ID",
	123	- -1,
	124	+ G_MININT,
	125	G_MAXINT,
	126	-1,
	127	G_PARAM_CONSTRUCT \|
	128	@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
	129	gint uid)
	130	{
	131	g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
	132	- g_return_if_fail (uid >= -1);
	133	process->uid = uid;
	134	}
	135
	136	diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c
	137	index 8bfd3a1..234a697 100644
	138	--- a/src/polkit/polkitunixuser.c
	139	+++ b/src/polkit/polkitunixuser.c
	140	@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
	141	static void
	142	polkit_unix_user_init (PolkitUnixUser *unix_user)
	143	{
	144	+ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */
	145	unix_user->name = NULL;
	146	}
	147
	148	@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject *object,
	149	GParamSpec *pspec)
	150	{
	151	PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
	152	+ gint val;
	153
	154	switch (prop_id)
	155	{
	156	case PROP_UID:
	157	- unix_user->uid = g_value_get_int (value);
	158	+ val = g_value_get_int (value);
	159	+ g_return_if_fail (val != -1);
	160	+ unix_user->uid = val;
	161	break;
	162
	163	default:
	164	@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
	165	g_param_spec_int ("uid",
	166	"User ID",
	167	"The UNIX user ID",
	168	- 0,
	169	+ G_MININT,
	170	G_MAXINT,
	171	- 0,
	172	+ -1,
	173	G_PARAM_CONSTRUCT \|
	174	G_PARAM_READWRITE \|
	175	G_PARAM_STATIC_NAME \|
	176	@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
	177	gint uid)
	178	{
	179	g_return_if_fail (POLKIT_IS_UNIX_USER (user));
	180	+ g_return_if_fail (uid != -1);
	181	user->uid = uid;
	182	}
	183
	184	@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
	185	PolkitIdentity *
	186	polkit_unix_user_new (gint uid)
	187	{
	188	+ g_return_val_if_fail (uid != -1, NULL);
	189	+
	190	return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
	191	"uid", uid,
	192	NULL));
	193	--
	194	2.22.0.vfs.1.1.57.gbaf16c8