polkit: fix CVE-2025-7519

A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-7519 Upstream-patch: https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245 Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Praveen Kumar <praveen.kumar@windriver.com> 2025-09-26 12:41:06 +0530
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-09-26 13:17:10 +0200
commit: 033f224986c46c111fd3cff4ce4a25b1875b39c3 (patch)
tree: a13d02a5e66c779b4d17ec5b80f17277030a63b1
parent: 8846a5a318b6f3d4db90b3aac12c6c3ca9370c61 (diff)
download: meta-openembedded-033f224986c46c111fd3cff4ce4a25b1875b39c3.tar.gz
2 files changed, 35 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch
new file mode 100644
index 0000000000..78945a88fc
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch
@@ -0,0 +1,34 @@
+From 107d3801361b9f9084f78710178e683391f1d245 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Fri, 6 Jun 2025 13:25:55 +0200
+Subject: [PATCH] Nested .policy files cause xml parsing overflow leading to
+ crash
+CVE: CVE-2025-7519
+Upstream-Status: Backport [https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/polkitbackend/polkitbackendactionpool.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
+index 43f89cb..f4acca9 100644
+--- a/src/polkitbackend/polkitbackendactionpool.c
+++ b/src/polkitbackend/polkitbackendactionpool.c
+@@ -739,6 +739,12 @@ _start (void *data, const char *el, const char **attr)
+   guint num_attr;
+   ParserData *pd = data;
+  if (pd->stack_depth < 0 || pd->stack_depth >= PARSER_MAX_DEPTH)
+    {
+      g_warning ("XML parsing reached max depth?");
+      goto error;
+    }
+
+   for (num_attr = 0; attr[num_attr] != NULL; num_attr++)
+     ;
+--
+2.40.0
diff --git a/meta-oe/recipes-extended/polkit/polkit_0.119.bb b/meta-oe/recipes-extended/polkit/polkit_0.119.bb
index eff80cd43d..6f39af9d78 100644
--- a/meta-oe/recipes-extended/polkit/polkit_0.119.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_0.119.bb
@@ -28,6 +28,7 @@ SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.
           file://0002-CVE-2021-4115-GHSL-2021-077-fix.patch \
           file://0003-Added-support-for-duktape-as-JS-engine.patch \
           file://0004-Make-netgroup-support-optional.patch \
+           file://CVE-2025-7519.patch \
           "
 SRC_URI[sha256sum] = "c8579fdb86e94295404211285fee0722ad04893f0213e571bd75c00972fd1f5c"
author	Praveen Kumar <praveen.kumar@windriver.com>	2025-09-26 12:41:06 +0530
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-09-26 13:17:10 +0200
commit	033f224986c46c111fd3cff4ce4a25b1875b39c3 (patch)
tree	a13d02a5e66c779b4d17ec5b80f17277030a63b1
parent	8846a5a318b6f3d4db90b3aac12c6c3ca9370c61 (diff)
download	meta-openembedded-033f224986c46c111fd3cff4ce4a25b1875b39c3.tar.gz

diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch new file mode 100644 index 0000000000..78945a88fc --- /dev/null +++ b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch
@@ -0,0 +1,34 @@
		1	From 107d3801361b9f9084f78710178e683391f1d245 Mon Sep 17 00:00:00 2001
		2	From: Jan Rybar <jrybar@redhat.com>
		3	Date: Fri, 6 Jun 2025 13:25:55 +0200
		4	Subject: [PATCH] Nested .policy files cause xml parsing overflow leading to
		5	crash
		6
		7	CVE: CVE-2025-7519
		8
		9	Upstream-Status: Backport [https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245]
		10
		11	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
		12	---
		13	src/polkitbackend/polkitbackendactionpool.c \| 6 ++++++
		14	1 file changed, 6 insertions(+)
		15
		16	diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
		17	index 43f89cb..f4acca9 100644
		18	--- a/src/polkitbackend/polkitbackendactionpool.c
		19	+++ b/src/polkitbackend/polkitbackendactionpool.c
		20	@@ -739,6 +739,12 @@ _start (void data, const char el, const char **attr)
		21	guint num_attr;
		22	ParserData *pd = data;
		23
		24	+ if (pd->stack_depth < 0 \|\| pd->stack_depth >= PARSER_MAX_DEPTH)
		25	+ {
		26	+ g_warning ("XML parsing reached max depth?");
		27	+ goto error;
		28	+ }
		29	+
		30	for (num_attr = 0; attr[num_attr] != NULL; num_attr++)
		31	;
		32
		33	--
		34	2.40.0


diff --git a/meta-oe/recipes-extended/polkit/polkit_0.119.bb b/meta-oe/recipes-extended/polkit/polkit_0.119.bb index eff80cd43d..6f39af9d78 100644 --- a/meta-oe/recipes-extended/polkit/polkit_0.119.bb +++ b/meta-oe/recipes-extended/polkit/polkit_0.119.bb
@@ -28,6 +28,7 @@ SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.
28	file://0002-CVE-2021-4115-GHSL-2021-077-fix.patch \	28	file://0002-CVE-2021-4115-GHSL-2021-077-fix.patch \
29	file://0003-Added-support-for-duktape-as-JS-engine.patch \	29	file://0003-Added-support-for-duktape-as-JS-engine.patch \
30	file://0004-Make-netgroup-support-optional.patch \	30	file://0004-Make-netgroup-support-optional.patch \
		31	file://CVE-2025-7519.patch \
31	"	32	"
32	SRC_URI[sha256sum] = "c8579fdb86e94295404211285fee0722ad04893f0213e571bd75c00972fd1f5c"	33	SRC_URI[sha256sum] = "c8579fdb86e94295404211285fee0722ad04893f0213e571bd75c00972fd1f5c"
33		34