1 files changed, 53 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch
new file mode 100644
index 000000000..b97a6b06d
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch
@@ -0,0 +1,53 @@
+From 0fd5884a943a92aa076fa3276bd83f502dcb934e Mon Sep 17 00:00:00 2001
+From: Matthew Leeds <matthew.leeds@endlessm.com>
+Date: Tue, 11 Dec 2018 12:04:26 -0800
+Subject: [PATCH 3/3] Allow uid of -1 for a PolkitUnixProcess
+Commit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and
+PolkitUnixProcess to allow negative values for their uid/gid properties,
+since these are values above INT_MAX which wrap around but are still
+valid, with the exception of -1 which is not valid. However,
+PolkitUnixProcess allows a uid of -1 to be passed to
+polkit_unix_process_new_for_owner() which means polkit is expected to
+figure out the uid on its own (this happens in the _constructed
+function). So this commit removes the check in
+polkit_unix_process_set_property() so that new_for_owner() can be used
+as documented without producing a critical error message.
+This does not affect the protection against CVE-2018-19788 which is
+based on creating a user with a UID up to but not including 4294967295
+(-1).
+CVE: CVE-2018-19788
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/polkit/polkit/commit/c05472b86222a72505adc5eec460493980224ef8]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ src/polkit/polkitunixprocess.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
+index b02b258..e2a3c03 100644
+--- a/src/polkit/polkitunixprocess.c
+++ b/src/polkit/polkitunixprocess.c
+@@ -159,14 +159,9 @@ polkit_unix_process_set_property (GObject      *object,
+       polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+       break;
+ 
+-    case PROP_UID: {
+-      gint val;
+-
+-      val = g_value_get_int (value);
+-      g_return_if_fail (val != -1);
+-      polkit_unix_process_set_uid (unix_process, val);
+    case PROP_UID:
+      polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
+       break;
+-    }
+ 
+     case PROP_START_TIME:
+       polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8

diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch new file mode 100644 index 000000000..b97a6b06d --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p3.patch
@@ -0,0 +1,53 @@
	1	From 0fd5884a943a92aa076fa3276bd83f502dcb934e Mon Sep 17 00:00:00 2001
	2	From: Matthew Leeds <matthew.leeds@endlessm.com>
	3	Date: Tue, 11 Dec 2018 12:04:26 -0800
	4	Subject: [PATCH 3/3] Allow uid of -1 for a PolkitUnixProcess
	5
	6	Commit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and
	7	PolkitUnixProcess to allow negative values for their uid/gid properties,
	8	since these are values above INT_MAX which wrap around but are still
	9	valid, with the exception of -1 which is not valid. However,
	10	PolkitUnixProcess allows a uid of -1 to be passed to
	11	polkit_unix_process_new_for_owner() which means polkit is expected to
	12	figure out the uid on its own (this happens in the _constructed
	13	function). So this commit removes the check in
	14	polkit_unix_process_set_property() so that new_for_owner() can be used
	15	as documented without producing a critical error message.
	16
	17	This does not affect the protection against CVE-2018-19788 which is
	18	based on creating a user with a UID up to but not including 4294967295
	19	(-1).
	20
	21	CVE: CVE-2018-19788
	22	Upstream-Status: Backport
	23	[https://gitlab.freedesktop.org/polkit/polkit/commit/c05472b86222a72505adc5eec460493980224ef8]
	24
	25	Signed-off-by: Dan Tran <dantran@microsoft.com>
	26	---
	27	src/polkit/polkitunixprocess.c \| 9 ++-------
	28	1 file changed, 2 insertions(+), 7 deletions(-)
	29
	30	diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
	31	index b02b258..e2a3c03 100644
	32	--- a/src/polkit/polkitunixprocess.c
	33	+++ b/src/polkit/polkitunixprocess.c
	34	@@ -159,14 +159,9 @@ polkit_unix_process_set_property (GObject *object,
	35	polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
	36	break;
	37
	38	- case PROP_UID: {
	39	- gint val;
	40	-
	41	- val = g_value_get_int (value);
	42	- g_return_if_fail (val != -1);
	43	- polkit_unix_process_set_uid (unix_process, val);
	44	+ case PROP_UID:
	45	+ polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
	46	break;
	47	- }
	48
	49	case PROP_START_TIME:
	50	polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
	51	--
	52	2.22.0.vfs.1.1.57.gbaf16c8
	53