Skip to content
Snippets Groups Projects
Commit 89320b20 authored by Salvatore Bonaccorso's avatar Salvatore Bonaccorso Committed by Simon McVittie
Browse files

Import Debian changes 0.105-31.1

policykit-1 (0.105-31.1) unstable; urgency=high
.
  * Non-maintainer upload.
  * Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
parent 4305a378
No related branches found
Tags debian/0.105-31.1
No related merge requests found
policykit-1 (0.105-31.1) unstable; urgency=high
* Non-maintainer upload.
* Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 13 Jan 2022 06:34:44 +0100
policykit-1 (0.105-31) unstable; urgency=medium
[ Salvatore Bonaccorso ]
......
From ffb7b93a68c13f80be980411286b7d3de4a18988 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 11 Jan 2022 23:18:04 +0100
Subject: [PATCH] Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
[Salvatore Bonaccorso: Backport to 0.105:
- Refresh for context changes
- Drop help() printout in pkcheck, for versions before e8e18d180888
("Don't spawn man for --help") in 0.111. Instead call usage(). It
spawns a manpage, but pkcheck is not setuid root.
]
---
src/programs/pkcheck.c | 6 ++++++
src/programs/pkexec.c | 25 ++++++++++++++++++++++---
2 files changed, 28 insertions(+), 3 deletions(-)
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -353,6 +353,12 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ usage (argc, argv);
+ exit(1);
+ }
+
g_type_init ();
details = polkit_details_new ();
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -475,6 +475,17 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called wrong, just show help and bail out.
+ */
+ if (argc<1)
+ {
+ clearenv();
+ usage (argc, argv);
+ exit(1);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -591,7 +602,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{
......@@ -61,3 +61,4 @@ Move-D-Bus-policy-file-to-usr-share-dbus-1-system.d.patch
Statically-link-libpolkit-backend1-into-polkitd.patch
Remove-example-null-backend.patch
CVE-2021-3560.patch
Local-Privilege-Escalation-in-polkit-s-pkexec-CVE-20.patch
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment