Diffstat (limited to 'polkit')
-rw-r--r--polkit/.signature6
-rw-r--r--polkit/99.patch42
-rw-r--r--polkit/CVE-2021-4034.patch79
-rw-r--r--polkit/Pkgfile30
4 files changed, 16 insertions, 141 deletions
diff --git a/polkit/.signature b/polkit/.signature
index 458b85745..dde1c8ae8 100644
--- a/polkit/.signature
+++ b/polkit/.signature
@@ -1,8 +1,6 @@
untrusted comment: verify with /etc/ports/opt.pub
-RWSE3ohX2g5d/cJcXxgvaFUfUqabDG6yWjKx4YqteyS9uDrMT/PuXFQ27uzUQoUTNDQk4PGD5PkfEvgDE+pEjayarAKLV7jGbwM=
-SHA256 (Pkgfile) = 7e95701a361d4763ecc9558caa81525fd11e14b3609d1668b90c7e67f07c9581
+RWSE3ohX2g5d/QhiVCMPEPYVae16VJlL8IR35AmVRcqFKezwDUFRL2uVcPKs+mhF04TkVcP1zno8SOrQ2HiyhLYduLKo5FZ8Fgo=
+SHA256 (Pkgfile) = 63447086178823009c214d780c18d8857f10fba1756458999b706fec1a288d52
SHA256 (.footprint) = f17510d487840ddd9bcccb8cf41353a8975e2028d83fc573221a4b4a10cb0f1b
SHA256 (polkit-121.tar.gz) = 9dc7ae341a797c994a5a36da21963f0c5c8e3e5a1780ccc2a5f52e7be01affaa
SHA256 (polkit-1) = 9045eb2a1e2e403b0144d14a5cfe903dc97cfef979c956815a56777c0eb1bf1a
-SHA256 (CVE-2021-4034.patch) = 5930a48bf4262a7c89f8737a1a5a648bd41cfdb6476dcca1140cba6555b67d2c
-SHA256 (99.patch) = 9a84b59d38b3f86c70c5fc3a28cbfe8d7a22cf190eb20ff433f7f53f5ff73a9a
diff --git a/polkit/99.patch b/polkit/99.patch
deleted file mode 100644
index 5e144688d..000000000
--- a/polkit/99.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e7f3d9e8341df64e2abc3910dafb1113a84bff07 Mon Sep 17 00:00:00 2001
-From: Simon McVittie <smcv@debian.org>
-Date: Mon, 25 Oct 2021 20:21:27 +0100
-Subject: [PATCH] Don't pass positional parameters to i18n.merge_file
-
-These were always ignored, and Meson 0.60.0 disallowed them.
-
-Resolves: https://gitlab.freedesktop.org/polkit/polkit/-/issues/160
-Reference: https://github.com/mesonbuild/meson/pull/9445
-Signed-off-by: Simon McVittie <smcv@debian.org>
----
- actions/meson.build | 1 -
- src/examples/meson.build | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/actions/meson.build b/actions/meson.build
-index 2abaaf3..1e3f370 100644
---- a/actions/meson.build
-+++ b/actions/meson.build
-@@ -1,7 +1,6 @@
- policy = 'org.freedesktop.policykit.policy'
-
- i18n.merge_file(
-- policy,
- input: policy + '.in',
- output: '@BASENAME@',
- po_dir: po_dir,
-diff --git a/src/examples/meson.build b/src/examples/meson.build
-index c6305ab..8c18de5 100644
---- a/src/examples/meson.build
-+++ b/src/examples/meson.build
-@@ -1,7 +1,6 @@
- policy = 'org.freedesktop.policykit.examples.pkexec.policy'
-
- i18n.merge_file(
-- policy,
- input: policy + '.in',
- output: '@BASENAME@',
- po_dir: po_dir,
---
-GitLab
-
diff --git a/polkit/CVE-2021-4034.patch b/polkit/CVE-2021-4034.patch
deleted file mode 100644
index a06300a53..000000000
--- a/polkit/CVE-2021-4034.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
-From: Jan Rybar <jrybar@redhat.com>
-Date: Tue, 25 Jan 2022 17:21:46 +0000
-Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
-
----
- src/programs/pkcheck.c | 5 +++++
- src/programs/pkexec.c | 23 ++++++++++++++++++++---
- 2 files changed, 25 insertions(+), 3 deletions(-)
-
-diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
-index f1bb4e1..768525c 100644
---- a/src/programs/pkcheck.c
-+++ b/src/programs/pkcheck.c
-@@ -363,6 +363,11 @@ main (int argc, char *argv[])
- local_agent_handle = NULL;
- ret = 126;
-
-+ if (argc < 1)
-+ {
-+ exit(126);
-+ }
-+
- /* Disable remote file access from GIO. */
- setenv ("GIO_USE_VFS", "local", 1);
-
-diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
-index 7698c5c..84e5ef6 100644
---- a/src/programs/pkexec.c
-+++ b/src/programs/pkexec.c
-@@ -488,6 +488,15 @@ main (int argc, char *argv[])
- pid_t pid_of_caller;
- gpointer local_agent_handle;
-
-+
-+ /*
-+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
-+ */
-+ if (argc<1)
-+ {
-+ exit(127);
-+ }
-+
- ret = 127;
- authority = NULL;
- subject = NULL;
-@@ -614,10 +623,10 @@ main (int argc, char *argv[])
-
- path = g_strdup (pwstruct.pw_shell);
- if (!path)
-- {
-+ {
- g_printerr ("No shell configured or error retrieving pw_shell\n");
- goto out;
-- }
-+ }
- /* If you change this, be sure to change the if (!command_line)
- case below too */
- command_line = g_strdup (path);
-@@ -636,7 +645,15 @@ main (int argc, char *argv[])
- goto out;
- }
- g_free (path);
-- argv[n] = path = s;
-+ path = s;
-+
-+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
-+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
-+ */
-+ if (argv[n] != NULL)
-+ {
-+ argv[n] = path;
-+ }
- }
- if (access (path, F_OK) != 0)
- {
---
-GitLab
-
diff --git a/polkit/Pkgfile b/polkit/Pkgfile
index e61cf5935..1989ae899 100644
--- a/polkit/Pkgfile
+++ b/polkit/Pkgfile
@@ -7,25 +7,23 @@ name=polkit
version=121
release=1
source=(https://freedesktop.org/software/polkit/releases/$name-$version.tar.gz
- polkit-1
- CVE-2021-4034.patch
- 99.patch)
+ polkit-1)
build() {
- prt-get isinst mozjs78 && PKGMK_POLKIT+=' -D js_engine=mozjs'
+ prt-get isinst mozjs91 && PKGMK_POLKIT+=' -D js_engine=mozjs'
- meson setup $name-v.$version build $PKGMK_POLKIT \
- --prefix=/usr \
- --buildtype=plain \
- --wrap-mode nodownload \
- -D b_lto=true \
- -D b_pie=true
- meson compile -C build
- DESTDIR=$PKG meson install -C build
+ meson setup $name-v.$version build $PKGMK_POLKIT \
+ --prefix=/usr \
+ --buildtype=plain \
+ --wrap-mode nodownload \
+ -D b_lto=true \
+ -D b_pie=true
+ meson compile -C build
+ DESTDIR=$PKG meson install -C build
- chmod 4775 $PKG/usr/bin/pkexec
- chmod 4755 $PKG/usr/lib/polkit-1/polkit-agent-helper-1
- install -m 0644 $SRC/polkit-1 $PKG/etc/pam.d
+ chmod 4775 $PKG/usr/bin/pkexec
+ chmod 4755 $PKG/usr/lib/polkit-1/polkit-agent-helper-1
+ install -m 0644 $SRC/polkit-1 $PKG/etc/pam.d
- rm -r $PKG/usr/share/locale
+ rm -r $PKG/usr/share/locale
}
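Review bot: `chmod 4775 $PKG/usr/bin/pkexec` leaves the setuid-root pkexec binary group-writable, while polkit-agent-helper-1 on the next line gets 4755; the re-indented line carries that mode over unchanged. Unless the group write bit is intentional, `chmod 4755 $PKG/usr/bin/pkexec` would make the two setuid binaries consistent and drop a permission that nothing in the hunk appears to need. Separately, the source array no longer lists CVE-2021-4034.patch and no patch step is visible in build(), so the package presumably relies on the polkit 121 tarball already carrying the pkexec `argc` check. That is worth confirming against the upstream release and recording in a short comment above `source=`, for example `# CVE-2021-4034 fix is included upstream as of this release`.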
