diff options
| author | Praveen Kumar <praveen.kumar@windriver.com> | 2025-09-26 12:39:55 +0530 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@intel.com> | 2025-10-06 16:00:16 +0800 |
| commit | 0d88144a27e2222366c8f3f2fcc50623f96afe7d (patch) | |
| tree | 44f1ef59b9b6cd89cc3608a985770633275eb0f4 | |
| parent | 8b5cb4ee987e55f8c4bbf7e626ebd7ae17c6d65c (diff) | |
| download | meta-openembedded-0d88144a27e2222366c8f3f2fcc50623f96afe7d.tar.gz | |
polkit: fix CVE-2025-7519
A flaw was found in polkit. When processing an XML policy with 32 or
more nested elements in depth, an out-of-bounds write can be triggered.
This issue can lead to a crash or other unexpected behavior, and
arbitrary code execution is not discarded. To exploit this flaw, a
high-privilege account is needed as it's required to place the
malicious policy file properly.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-7519
Upstream-patch:
https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
| -rw-r--r-- | meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch | 34 | ||||
| -rw-r--r-- | meta-oe/recipes-extended/polkit/polkit_124.bb | 5 |
2 files changed, 38 insertions, 1 deletions
diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch new file mode 100644 index 0000000000..78945a88fc --- /dev/null +++ b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch | |||
| @@ -0,0 +1,34 @@ | |||
| 1 | From 107d3801361b9f9084f78710178e683391f1d245 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Jan Rybar <jrybar@redhat.com> | ||
| 3 | Date: Fri, 6 Jun 2025 13:25:55 +0200 | ||
| 4 | Subject: [PATCH] Nested .policy files cause xml parsing overflow leading to | ||
| 5 | crash | ||
| 6 | |||
| 7 | CVE: CVE-2025-7519 | ||
| 8 | |||
| 9 | Upstream-Status: Backport [https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245] | ||
| 10 | |||
| 11 | Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> | ||
| 12 | --- | ||
| 13 | src/polkitbackend/polkitbackendactionpool.c | 6 ++++++ | ||
| 14 | 1 file changed, 6 insertions(+) | ||
| 15 | |||
| 16 | diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c | ||
| 17 | index 43f89cb..f4acca9 100644 | ||
| 18 | --- a/src/polkitbackend/polkitbackendactionpool.c | ||
| 19 | +++ b/src/polkitbackend/polkitbackendactionpool.c | ||
| 20 | @@ -739,6 +739,12 @@ _start (void *data, const char *el, const char **attr) | ||
| 21 | guint num_attr; | ||
| 22 | ParserData *pd = data; | ||
| 23 | |||
| 24 | + if (pd->stack_depth < 0 || pd->stack_depth >= PARSER_MAX_DEPTH) | ||
| 25 | + { | ||
| 26 | + g_warning ("XML parsing reached max depth?"); | ||
| 27 | + goto error; | ||
| 28 | + } | ||
| 29 | + | ||
| 30 | for (num_attr = 0; attr[num_attr] != NULL; num_attr++) | ||
| 31 | ; | ||
| 32 | |||
| 33 | -- | ||
| 34 | 2.40.0 | ||
diff --git a/meta-oe/recipes-extended/polkit/polkit_124.bb b/meta-oe/recipes-extended/polkit/polkit_124.bb index a597b40ee3..3709aa0ef4 100644 --- a/meta-oe/recipes-extended/polkit/polkit_124.bb +++ b/meta-oe/recipes-extended/polkit/polkit_124.bb | |||
| @@ -5,7 +5,10 @@ LICENSE = "LGPL-2.0-or-later" | |||
| 5 | LIC_FILES_CHKSUM = "file://COPYING;md5=155db86cdbafa7532b41f390409283eb" | 5 | LIC_FILES_CHKSUM = "file://COPYING;md5=155db86cdbafa7532b41f390409283eb" |
| 6 | BUGTRACKER = "https://github.com/polkit-org/polkit/issues" | 6 | BUGTRACKER = "https://github.com/polkit-org/polkit/issues" |
| 7 | 7 | ||
| 8 | SRC_URI = "git://github.com/polkit-org/polkit.git;protocol=https;branch=main" | 8 | SRC_URI = "\ |
| 9 | git://github.com/polkit-org/polkit.git;protocol=https;branch=main \ | ||
| 10 | file://CVE-2025-7519.patch \ | ||
| 11 | " | ||
| 9 | 12 | ||
| 10 | S = "${WORKDIR}/git" | 13 | S = "${WORKDIR}/git" |
| 11 | SRCREV = "82f0924dc0eb23b9df68e88dbaf9e07c81940a5a" | 14 | SRCREV = "82f0924dc0eb23b9df68e88dbaf9e07c81940a5a" |
