summaryrefslogtreecommitdiffstats
path: root/meta-oe
diff options
context:
space:
mode:
authorPraveen Kumar <praveen.kumar@windriver.com>2025-09-26 12:39:55 +0530
committerAnuj Mittal <anuj.mittal@intel.com>2025-10-06 16:00:16 +0800
commit0d88144a27e2222366c8f3f2fcc50623f96afe7d (patch)
tree44f1ef59b9b6cd89cc3608a985770633275eb0f4 /meta-oe
parent8b5cb4ee987e55f8c4bbf7e626ebd7ae17c6d65c (diff)
downloadmeta-openembedded-0d88144a27e2222366c8f3f2fcc50623f96afe7d.tar.gz
polkit: fix CVE-2025-7519
A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-7519 Upstream-patch: https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245 Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Diffstat (limited to 'meta-oe')
-rw-r--r--meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch34
-rw-r--r--meta-oe/recipes-extended/polkit/polkit_124.bb5
2 files changed, 38 insertions, 1 deletions
diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch
new file mode 100644
index 0000000000..78945a88fc
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch
@@ -0,0 +1,34 @@
1From 107d3801361b9f9084f78710178e683391f1d245 Mon Sep 17 00:00:00 2001
2From: Jan Rybar <jrybar@redhat.com>
3Date: Fri, 6 Jun 2025 13:25:55 +0200
4Subject: [PATCH] Nested .policy files cause xml parsing overflow leading to
5 crash
6
7CVE: CVE-2025-7519
8
9Upstream-Status: Backport [https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245]
10
11Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
12---
13 src/polkitbackend/polkitbackendactionpool.c | 6 ++++++
14 1 file changed, 6 insertions(+)
15
16diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
17index 43f89cb..f4acca9 100644
18--- a/src/polkitbackend/polkitbackendactionpool.c
19+++ b/src/polkitbackend/polkitbackendactionpool.c
20@@ -739,6 +739,12 @@ _start (void *data, const char *el, const char **attr)
21 guint num_attr;
22 ParserData *pd = data;
23
24+ if (pd->stack_depth < 0 || pd->stack_depth >= PARSER_MAX_DEPTH)
25+ {
26+ g_warning ("XML parsing reached max depth?");
27+ goto error;
28+ }
29+
30 for (num_attr = 0; attr[num_attr] != NULL; num_attr++)
31 ;
32
33--
342.40.0
diff --git a/meta-oe/recipes-extended/polkit/polkit_124.bb b/meta-oe/recipes-extended/polkit/polkit_124.bb
index a597b40ee3..3709aa0ef4 100644
--- a/meta-oe/recipes-extended/polkit/polkit_124.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_124.bb
@@ -5,7 +5,10 @@ LICENSE = "LGPL-2.0-or-later"
5LIC_FILES_CHKSUM = "file://COPYING;md5=155db86cdbafa7532b41f390409283eb" 5LIC_FILES_CHKSUM = "file://COPYING;md5=155db86cdbafa7532b41f390409283eb"
6BUGTRACKER = "https://github.com/polkit-org/polkit/issues" 6BUGTRACKER = "https://github.com/polkit-org/polkit/issues"
7 7
8SRC_URI = "git://github.com/polkit-org/polkit.git;protocol=https;branch=main" 8SRC_URI = "\
9 git://github.com/polkit-org/polkit.git;protocol=https;branch=main \
10 file://CVE-2025-7519.patch \
11"
9 12
10S = "${WORKDIR}/git" 13S = "${WORKDIR}/git"
11SRCREV = "82f0924dc0eb23b9df68e88dbaf9e07c81940a5a" 14SRCREV = "82f0924dc0eb23b9df68e88dbaf9e07c81940a5a"