[packages/polkit] - updated to 0.115 (fixes CVE-2018-1116) - updated systemd-fallback patch

qboosh qboosh at pld-linux.org
Sat Sep 29 19:30:21 CEST 2018


commit 4e85edc68e217e508a991e32f86163c72dc8d0cb
Author: Jakub Bogusz <qboosh at pld-linux.org>
Date:   Sat Sep 29 19:33:37 2018 +0200

    - updated to 0.115 (fixes CVE-2018-1116)
    - updated systemd-fallback patch

 polkit.spec            |   7 +--
 systemd-fallback.patch | 137 +++++++++++++++++++++++++++----------------------
 2 files changed, 77 insertions(+), 67 deletions(-)
---
diff --git a/polkit.spec b/polkit.spec
index 0f6877a..ad30329 100644
--- a/polkit.spec
+++ b/polkit.spec
@@ -1,4 +1,3 @@
-# NOTE: elogind also supported (--disable-libsystemd-login --enable-libelogind)
 #
 # Conditional build:
 %bcond_without	apidocs		# build without apidocs
@@ -12,14 +11,13 @@
 Summary:	A framework for defining policy for system-wide components
 Summary(pl.UTF-8):	Szkielet do definiowania polityki dla komponentów systemowych
 Name:		polkit
-Version:	0.114
+Version:	0.115
 Release:	1
 License:	LGPL v2+
 Group:		Libraries
 Source0:	https://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
-# Source0-md5:	93ff41874e7df8c62ed9e41893817f04
+# Source0-md5:	f03b055d6ae5fc8eac76838c7d83d082
 Patch0:		systemd-fallback.patch
-Patch1:		%{name}-format.patch
 URL:		https://www.freedesktop.org/wiki/Software/polkit
 BuildRequires:	autoconf >= 2.60
 BuildRequires:	automake >= 1:1.7
@@ -128,7 +126,6 @@ Statyczne biblioteki PolicyKit.
 %if %{with consolekit} && (%{with systemd} || %{with elogind})
 %patch0 -p1
 %endif
-%patch1 -p1
 
 %build
 %{?with_apidocs:%{__gtkdocize}}
diff --git a/systemd-fallback.patch b/systemd-fallback.patch
index 90ef297..988d2a2 100644
--- a/systemd-fallback.patch
+++ b/systemd-fallback.patch
@@ -759,9 +759,8 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/Makefile.am polkit-0.113/src/polki
  #endif /* HAVE_LIBSYSTEMD */
  
    g_assert (POLKIT_IS_UNIX_USER (user_for_subject));
-diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor.c
---- polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c	2015-06-06 01:24:06.000000000 +0200
-+++ polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor.c	2015-09-26 23:40:39.451918791 +0200
+--- polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor.c.orig	2018-06-26 15:17:52.000000000 +0200
++++ polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor.c	2018-09-29 10:42:52.104190929 +0200
 @@ -26,6 +26,12 @@
  #include <string.h>
  #include <glib/gstdio.h>
@@ -773,9 +772,9 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
 +#endif /* HAVE_LIBSYSTEMD */
 +
  #include <polkit/polkit.h>
+ #include <polkit/polkitprivate.h>
  #include "polkitbackendsessionmonitor.h"
- 
-@@ -39,6 +45,88 @@
+@@ -40,6 +46,88 @@
   * The #PolkitBackendSessionMonitor class is a utility class to track and monitor sessions.
   */
  
@@ -864,7 +863,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
  struct _PolkitBackendSessionMonitor
  {
    GObject parent_instance;
-@@ -48,6 +136,10 @@
+@@ -49,6 +137,10 @@
    GKeyFile *database;
    GFileMonitor *database_monitor;
    time_t database_mtime;
@@ -875,7 +874,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
  };
  
  struct _PolkitBackendSessionMonitorClass
-@@ -70,6 +162,18 @@
+@@ -71,6 +163,18 @@
  
  /* ---------------------------------------------------------------------------------------------------- */
  
@@ -894,7 +893,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
  static gboolean
  reload_database (PolkitBackendSessionMonitor  *monitor,
                   GError                      **error)
-@@ -176,31 +280,47 @@
+@@ -177,31 +281,47 @@
        g_error_free (error);
      }
  
@@ -961,7 +960,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
      }
  }
  
-@@ -218,6 +338,12 @@
+@@ -219,6 +339,12 @@
    if (monitor->database != NULL)
      g_key_file_free (monitor->database);
  
@@ -974,57 +973,42 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
    if (G_OBJECT_CLASS (polkit_backend_session_monitor_parent_class)->finalize != NULL)
      G_OBJECT_CLASS (polkit_backend_session_monitor_parent_class)->finalize (object);
  }
-@@ -310,22 +436,38 @@
+@@ -332,6 +458,26 @@
      }
    else if (POLKIT_IS_UNIX_SESSION (subject))
      {
--      if (!ensure_database (monitor, error))
 +#ifdef HAVE_LIBSYSTEMD
 +      if (monitor->sd_source != NULL)
-         {
--          g_prefix_error (error, "Error getting user for session: Error ensuring CK database at " CKDB_PATH ": ");
--          goto out;
-+          if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0)
-+            {
-+              g_set_error (error,
-+                          POLKIT_ERROR,
-+                          POLKIT_ERROR_FAILED,
-+                          "Error getting uid for session");
-+              goto out;
-+            }
-         }
--
--      group = g_strdup_printf ("Session %s", polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)));
--      local_error = NULL;
--      uid = g_key_file_get_integer (monitor->database, group, "uid", &local_error);
--      if (local_error != NULL)
++      {
++      uid_t uid;
++
++      if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0)
++        {
++          g_set_error (error,
++                       POLKIT_ERROR,
++                       POLKIT_ERROR_FAILED,
++                       "Error getting uid for session");
++          goto out;
++        }
++
++      ret = polkit_unix_user_new (uid);
++      matches = TRUE;
++      }
 +      else
 +#endif /* HAVE_LIBSYSTEMD */
-         {
--          g_propagate_prefixed_error (error, local_error, "Error getting uid using " CKDB_PATH ": ");
-+          if (!ensure_database (monitor, error))
-+            {
-+              g_prefix_error (error, "Error getting user for session: Error ensuring CK database at " CKDB_PATH ": ");
-+              goto out;
-+            }
-+
-+          group = g_strdup_printf ("Session %s", polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)));
-+          local_error = NULL;
-+          uid = g_key_file_get_integer (monitor->database, group, "uid", &local_error);
-+          if (local_error != NULL)
-+            {
-+              g_propagate_prefixed_error (error, local_error, "Error getting uid using " CKDB_PATH ": ");
-+              g_free (group);
-+              goto out;
-+            }
-           g_free (group);
--          goto out;
-         }
--      g_free (group);
++      {
+       gint uid;
+       gchar *group;
+ 
+@@ -354,6 +500,7 @@
  
        ret = polkit_unix_user_new (uid);
+       matches = TRUE;
++      }
      }
-@@ -349,35 +491,26 @@
+ 
+  out:
+@@ -379,35 +526,26 @@
                                                          PolkitSubject               *subject,
                                                          GError                     **error)
  {
@@ -1076,7 +1060,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
        GVariant *result;
  
        result = g_dbus_connection_call_sync (monitor->system_bus,
-@@ -395,23 +528,7 @@
+@@ -425,23 +563,7 @@
          goto out;
        g_variant_get (result, "(u)", &pid);
        g_variant_unref (result);
@@ -1101,7 +1085,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
      }
    else
      {
-@@ -420,8 +537,57 @@
+@@ -450,8 +572,57 @@
                     POLKIT_ERROR_NOT_SUPPORTED,
                     "Cannot get user for subject of type %s",
                     g_type_name (G_TYPE_FROM_INSTANCE (subject)));
@@ -1159,7 +1143,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
   out:
  
    return session;
-@@ -472,7 +638,22 @@
+@@ -502,7 +673,22 @@
  polkit_backend_session_monitor_is_session_local  (PolkitBackendSessionMonitor *monitor,
                                                    PolkitSubject               *session)
  {
@@ -1183,7 +1167,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
  }
  
  
-@@ -480,6 +661,44 @@
+@@ -510,6 +696,44 @@
  polkit_backend_session_monitor_is_session_active (PolkitBackendSessionMonitor *monitor,
                                                    PolkitSubject               *session)
  {
@@ -1229,10 +1213,9 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor.c polk
 +    return get_boolean (monitor, session, "is_active");
  }
  
-diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-systemd.c polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
---- polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-systemd.c	2015-06-19 22:31:02.000000000 +0200
-+++ polkit-0.113/src/polkitbackend/polkitbackendsessionmonitor-systemd.c	1970-01-01 01:00:00.000000000 +0100
-@@ -1,425 +0,0 @@
+--- polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor-systemd.c.orig	2018-09-29 09:48:19.240894967 +0200
++++ polkit-0.115/src/polkitbackend/polkitbackendsessionmonitor-systemd.c	1970-01-01 01:00:00.000000000 +0100
+@@ -1,455 +0,0 @@
 -/*
 - * Copyright (C) 2011 Red Hat, Inc.
 - *
@@ -1264,6 +1247,7 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system
 -#include <stdlib.h>
 -
 -#include <polkit/polkit.h>
+-#include <polkit/polkitprivate.h>
 -#include "polkitbackendsessionmonitor.h"
 -
 -/* <internal>
@@ -1481,26 +1465,40 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system
 - * polkit_backend_session_monitor_get_user:
 - * @monitor: A #PolkitBackendSessionMonitor.
 - * @subject: A #PolkitSubject.
+- * @result_matches: If not %NULL, set to indicate whether the return value matches current (RACY) state.
 - * @error: Return location for error.
 - *
 - * Gets the user corresponding to @subject or %NULL if no user exists.
 - *
+- * NOTE: For a #PolkitUnixProcess, the UID is read from @subject (which may
+- * come from e.g. a D-Bus client), so it may not correspond to the actual UID
+- * of the referenced process (at any point in time).  This is indicated by
+- * setting @result_matches to %FALSE; the caller may reject such subjects or
+- * require additional privileges. @result_matches == %TRUE only indicates that
+- * the UID matched the underlying process at ONE point in time, it may not match
+- * later.
+- *
 - * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref().
 - */
 -PolkitIdentity *
 -polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor  *monitor,
 -                                                     PolkitSubject                *subject,
+-                                                     gboolean                     *result_matches,
 -                                                     GError                      **error)
 -{
 -  PolkitIdentity *ret;
--  guint32 uid;
+-  gboolean matches;
 -
 -  ret = NULL;
+-  matches = FALSE;
 -
 -  if (POLKIT_IS_UNIX_PROCESS (subject))
 -    {
--      uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject));
--      if ((gint) uid == -1)
+-      gint subject_uid, current_uid;
+-      GError *local_error;
+-
+-      subject_uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject));
+-      if (subject_uid == -1)
 -        {
 -          g_set_error (error,
 -                       POLKIT_ERROR,
@@ -1508,14 +1506,24 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system
 -                       "Unix process subject does not have uid set");
 -          goto out;
 -        }
--      ret = polkit_unix_user_new (uid);
+-      local_error = NULL;
+-      current_uid = polkit_unix_process_get_racy_uid__ (POLKIT_UNIX_PROCESS (subject), &local_error);
+-      if (local_error != NULL)
+-	{
+-	  g_propagate_error (error, local_error);
+-	  goto out;
+-	}
+-      ret = polkit_unix_user_new (subject_uid);
+-      matches = (subject_uid == current_uid);
 -    }
 -  else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
 -    {
 -      ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error);
+-      matches = TRUE;
 -    }
 -  else if (POLKIT_IS_UNIX_SESSION (subject))
 -    {
+-      uid_t uid;
 -
 -      if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0)
 -        {
@@ -1527,9 +1535,14 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/polkitbackendsessionmonitor-system
 -        }
 -
 -      ret = polkit_unix_user_new (uid);
+-      matches = TRUE;
 -    }
 -
 - out:
+-  if (result_matches != NULL)
+-    {
+-      *result_matches = matches;
+-    }
 -  return ret;
 -}
 -
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/polkit.git/commitdiff/4e85edc68e217e508a991e32f86163c72dc8d0cb



More information about the pld-cvs-commit mailing list