[packages/polkit] - updated to 0.115 (fixes CVE-2018-1116) - updated systemd-fallback patch
qboosh
qboosh at pld-linux.org
Sat Sep 29 19:30:21 CEST 2018
commit 4e85edc68e217e508a991e32f86163c72dc8d0cb
Author: Jakub Bogusz <qboosh at pld-linux.org>
Date: Sat Sep 29 19:33:37 2018 +0200
- updated to 0.115 (fixes CVE-2018-1116)
- updated systemd-fallback patch
polkit.spec | 7 +--
systemd-fallback.patch | 137 +++++++++++++++++++++++++++----------------------
2 files changed, 77 insertions(+), 67 deletions(-)
---
diff --git a/polkit.spec b/polkit.spec
index 0f6877a..ad30329 100644
--- a/polkit.spec
+++ b/polkit.spec
@@ -1,4 +1,3 @@
-# NOTE: elogind also supported (--disable-libsystemd-login --enable-libelogind)
#
# Conditional build:
%bcond_without apidocs # build without apidocs
@@ -12,14 +11,13 @@
Summary: A framework for defining policy for system-wide components
Summary(pl.UTF-8): Szkielet do definiowania polityki dla komponentów systemowych
Name: polkit
-Version: 0.114
+Version: 0.115
Release: 1
License: LGPL v2+
Group: Libraries
Source0: https://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
-# Source0-md5: 93ff41874e7df8c62ed9e41893817f04
+# Source0-md5: f03b055d6ae5fc8eac76838c7d83d082
Patch0: systemd-fallback.patch
-Patch1: %{name}-format.patch
URL: https://www.freedesktop.org/wiki/Software/polkit
BuildRequires: autoconf >= 2.60
BuildRequires: automake >= 1:1.7
@@ -128,7 +126,6 @@ Statyczne biblioteki PolicyKit.
%if %{with consolekit} && (%{with systemd} || %{with elogind})
%patch0 -p1
%endif
-%patch1 -p1
%build
%{?with_apidocs:%{__gtkdocize}}
diff --git a/systemd-fallback.patch b/systemd-fallback.patch
index 90ef297..988d2a2 100644
--- a/systemd-fallback.patch
+++ b/systemd-fallback.patch
@@ -759,9 +759,8 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/Makefile.am polkit-0.113/src/polki
#endif /* HAVE_LIBSYSTEMD */
g_assert (POLKIT_IS_UNIX_USER (user_for_subject));
-diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor.c
---- polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c 2015-06-06 01:24:06.000000000 +0200
-+++ polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor.c 2015-09-26 23:40:39.451918791 +0200
+--- polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor.c.orig 2018-06-26 15:17:52.000000000 +0200
++++ polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor.c 2018-09-29 10:42:52.104190929 +0200
@@ -26,6 +26,12 @@
#include <string.h>
#include <glib/gstdio.h>
@@ -773,9 +772,9 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
+#endif /* HAVE_LIBSYSTEMD */
+
#include <polkit/polkit.h>
+ #include <polkit/polkitprivate.h>
#include "polkitbackendsessionmonitor.h"
-
-@@ -39,6 +45,88 @@
+@@ -40,6 +46,88 @@
* The #PolkitBackendSessionMonitor class is a utility class to track and monitor sessions.
*/
@@ -864,7 +863,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
struct _PolkitBackendSessionMonitor
{
GObject parent_instance;
-@@ -48,6 +136,10 @@
+@@ -49,6 +137,10 @@
GKeyFile *database;
GFileMonitor *database_monitor;
time_t database_mtime;
@@ -875,7 +874,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
};
struct _PolkitBackendSessionMonitorClass
-@@ -70,6 +162,18 @@
+@@ -71,6 +163,18 @@
/* ---------------------------------------------------------------------------------------------------- */
@@ -894,7 +893,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
static gboolean
reload_database (PolkitBackendSessionMonitor *monitor,
GError **error)
-@@ -176,31 +280,47 @@
+@@ -177,31 +281,47 @@
g_error_free (error);
}
@@ -961,7 +960,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
}
}
-@@ -218,6 +338,12 @@
+@@ -219,6 +339,12 @@
if (monitor->database != NULL)
g_key_file_free (monitor->database);
@@ -974,57 +973,42 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
if (G_OBJECT_CLASS (polkit_backend_session_monitor_parent_class)->finalize != NULL)
G_OBJECT_CLASS (polkit_backend_session_monitor_parent_class)->finalize (object);
}
-@@ -310,22 +436,38 @@
+@@ -332,6 +458,26 @@
}
else if (POLKIT_IS_UNIX_SESSION (subject))
{
-- if (!ensure_database (monitor, error))
+#ifdef HAVE_LIBSYSTEMD
+ if (monitor->sd_source != NULL)
- {
-- g_prefix_error (error, "Error getting user for session: Error ensuring CK database at " CKDB_PATH ": ");
-- goto out;
-+ if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0)
-+ {
-+ g_set_error (error,
-+ POLKIT_ERROR,
-+ POLKIT_ERROR_FAILED,
-+ "Error getting uid for session");
-+ goto out;
-+ }
- }
--
-- group = g_strdup_printf ("Session %s", polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)));
-- local_error = NULL;
-- uid = g_key_file_get_integer (monitor->database, group, "uid", &local_error);
-- if (local_error != NULL)
++ {
++ uid_t uid;
++
++ if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0)
++ {
++ g_set_error (error,
++ POLKIT_ERROR,
++ POLKIT_ERROR_FAILED,
++ "Error getting uid for session");
++ goto out;
++ }
++
++ ret = polkit_unix_user_new (uid);
++ matches = TRUE;
++ }
+ else
+#endif /* HAVE_LIBSYSTEMD */
- {
-- g_propagate_prefixed_error (error, local_error, "Error getting uid using " CKDB_PATH ": ");
-+ if (!ensure_database (monitor, error))
-+ {
-+ g_prefix_error (error, "Error getting user for session: Error ensuring CK database at " CKDB_PATH ": ");
-+ goto out;
-+ }
-+
-+ group = g_strdup_printf ("Session %s", polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)));
-+ local_error = NULL;
-+ uid = g_key_file_get_integer (monitor->database, group, "uid", &local_error);
-+ if (local_error != NULL)
-+ {
-+ g_propagate_prefixed_error (error, local_error, "Error getting uid using " CKDB_PATH ": ");
-+ g_free (group);
-+ goto out;
-+ }
- g_free (group);
-- goto out;
- }
-- g_free (group);
++ {
+ gint uid;
+ gchar *group;
+
+@@ -354,6 +500,7 @@
ret = polkit_unix_user_new (uid);
+ matches = TRUE;
++ }
}
-@@ -349,35 +491,26 @@
+
+ out:
+@@ -379,35 +526,26 @@
PolkitSubject *subject,
GError **error)
{
@@ -1076,7 +1060,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
GVariant *result;
result = g_dbus_connection_call_sync (monitor->system_bus,
-@@ -395,23 +528,7 @@
+@@ -425,23 +563,7 @@
goto out;
g_variant_get (result, "(u)", &pid);
g_variant_unref (result);
@@ -1101,7 +1085,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
}
else
{
-@@ -420,8 +537,57 @@
+@@ -450,8 +572,57 @@
POLKIT_ERROR_NOT_SUPPORTED,
"Cannot get user for subject of type %s",
g_type_name (G_TYPE_FROM_INSTANCE (subject)));
@@ -1159,7 +1143,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
out:
return session;
-@@ -472,7 +638,22 @@
+@@ -502,7 +673,22 @@
polkit_backend_session_monitor_is_session_local (PolkitBackendSessionMonitor *monitor,
PolkitSubject *session)
{
@@ -1183,7 +1167,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
}
-@@ -480,6 +661,44 @@
+@@ -510,6 +696,44 @@
polkit_backend_session_monitor_is_session_active (PolkitBackendSessionMonitor *monitor,
PolkitSubject *session)
{
@@ -1229,10 +1213,9 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
+ return get_boolean (monitor, session, "is_active");
}
-diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-systemd.c polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
---- polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-systemd.c 2015-06-19 22:31:02.000000000 +0200
-+++ polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor-systemd.c 1970-01-01 01:00:00.000000000 +0100
-@@ -1,425 +0,0 @@
+--- polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor-systemd.c.orig 2018-09-29 09:48:19.240894967 +0200
++++ polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor-systemd.c 1970-01-01 01:00:00.000000000 +0100
+@@ -1,455 +0,0 @@
-/*
- * Copyright (C) 2011 Red Hat, Inc.
- *
@@ -1264,6 +1247,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system
-#include <stdlib.h>
-
-#include <polkit/polkit.h>
+-#include <polkit/polkitprivate.h>
-#include "polkitbackendsessionmonitor.h"
-
-/* <internal>
@@ -1481,26 +1465,40 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system
- * polkit_backend_session_monitor_get_user:
- * @monitor: A #PolkitBackendSessionMonitor.
- * @subject: A #PolkitSubject.
+- * @result_matches: If not %NULL, set to indicate whether the return value matches current (RACY) state.
- * @error: Return location for error.
- *
- * Gets the user corresponding to @subject or %NULL if no user exists.
- *
+- * NOTE: For a #PolkitUnixProcess, the UID is read from @subject (which may
+- * come from e.g. a D-Bus client), so it may not correspond to the actual UID
+- * of the referenced process (at any point in time). This is indicated by
+- * setting @result_matches to %FALSE; the caller may reject such subjects or
+- * require additional privileges. @result_matches == %TRUE only indicates that
+- * the UID matched the underlying process at ONE point in time, it may not match
+- * later.
+- *
- * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref().
- */
-PolkitIdentity *
-polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor *monitor,
- PolkitSubject *subject,
+- gboolean *result_matches,
- GError **error)
-{
- PolkitIdentity *ret;
-- guint32 uid;
+- gboolean matches;
-
- ret = NULL;
+- matches = FALSE;
-
- if (POLKIT_IS_UNIX_PROCESS (subject))
- {
-- uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject));
-- if ((gint) uid == -1)
+- gint subject_uid, current_uid;
+- GError *local_error;
+-
+- subject_uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject));
+- if (subject_uid == -1)
- {
- g_set_error (error,
- POLKIT_ERROR,
@@ -1508,14 +1506,24 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system
- "Unix process subject does not have uid set");
- goto out;
- }
-- ret = polkit_unix_user_new (uid);
+- local_error = NULL;
+- current_uid = polkit_unix_process_get_racy_uid__ (POLKIT_UNIX_PROCESS (subject), &local_error);
+- if (local_error != NULL)
+- {
+- g_propagate_error (error, local_error);
+- goto out;
+- }
+- ret = polkit_unix_user_new (subject_uid);
+- matches = (subject_uid == current_uid);
- }
- else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
- {
- ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error);
+- matches = TRUE;
- }
- else if (POLKIT_IS_UNIX_SESSION (subject))
- {
+- uid_t uid;
-
- if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0)
- {
@@ -1527,9 +1535,14 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system
- }
-
- ret = polkit_unix_user_new (uid);
+- matches = TRUE;
- }
-
- out:
+- if (result_matches != NULL)
+- {
+- *result_matches = matches;
+- }
- return ret;
-}
-
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/polkit.git/commitdiff/4e85edc68e217e508a991e32f86163c72dc8d0cb
More information about the pld-cvs-commit
mailing list