Hello community,
here is the log from the commit of package polkit for openSUSE:Factory
checked in at Wed Apr 27 11:16:39 CEST 2011.
--------
--- polkit/polkit.changes 2010-11-10 16:04:42.000000000 +0100
+++ /mounts/work_src_done/STABLE/polkit/polkit.changes 2011-04-26 21:20:59.000000000 +0200
@@ -1,0 +2,22 @@
+Tue Apr 26 21:19:32 CEST 2011 - kay.sievers@novell.com
+
+- use LGPLv2.1+ in spec file
+
+-------------------------------------------------------------------
+Tue Apr 26 18:24:01 CEST 2011 - kay.sievers@novell.com
+
+- stat race condition (CVE-2011-1485) (bnc#688788)
+
+-------------------------------------------------------------------
+Wed Apr 6 15:40:51 UTC 2011 - fcrozat@novell.com
+
+- Remove PolkitAgent-1.0.typelib from main package, it is in
+ library package.
+
+-------------------------------------------------------------------
+Wed Mar 9 13:54:11 UTC 2011 - coolo@novell.com
+
+- update to 0.101:
+ * tons of bug fixes, see NEWS
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
polkit-0.99.tar.bz2
New:
----
_service
_service:recompress:download_url:polkit-0.101.tar.bz2
polkit-0.101.tar.bz2
polkit-CVE-2011-1485-1.patch
polkit-CVE-2011-1485-2.patch
polkit-CVE-2011-1485-3.patch
polkit-CVE-2011-1485-4.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ polkit.spec ++++++
--- /var/tmp/diff_new_pack.WlIaey/_old 2011-04-27 11:15:52.000000000 +0200
+++ /var/tmp/diff_new_pack.WlIaey/_new 2011-04-27 11:15:52.000000000 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package polkit (Version 0.99)
+# spec file for package polkit
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,16 +19,16 @@
Name: polkit
Summary: PolicyKit Authorization Framework
-Version: 0.99
-Release: 2
-License: LGPLv2+
+Version: 0.101
+Release: 1
+License: LGPLv2.1+
Url: http://www.freedesktop.org/wiki/Software/PolicyKit
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Group: System/Libraries
Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.bz2
Source99: baselibs.conf
-BuildRequires: glib2-devel
-BuildRequires: gobject-introspection-devel
+BuildRequires: glib2-devel >= 2.25.12
+BuildRequires: gobject-introspection-devel >= 0.6.2
BuildRequires: gtk-doc
BuildRequires: intltool
BuildRequires: libexpat-devel
@@ -37,13 +37,23 @@
Requires: dbus-1
Requires: libpolkit0 = %{version}-%{release}
+Patch10: polkit-CVE-2011-1485-1.patch
+Patch11: polkit-CVE-2011-1485-2.patch
+Patch12: polkit-CVE-2011-1485-3.patch
+Patch13: polkit-CVE-2011-1485-4.patch
+
+# Upstream First - Policy:
+# Never add any patches to this package without the upstream commit id
+# in the patch. Any patches added here without a very good reason to make
+# an exception will be silently removed with the next version update.
+
%description
PolicyKit is a toolkit for defining and handling authorizations.
It is used for allowing unprivileged processes to speak to privileged
processes.
%package devel
-License: LGPLv2+
+License: LGPLv2.1+
Summary: Development files for PolicyKit
Group: Development/Libraries/C and C++
Requires: %name = %{version}-%{release}
@@ -54,7 +64,7 @@
Development files for PolicyKit Authorization Framework.
%package doc
-License: LGPLv2+
+License: LGPLv2.1+
Summary: Development documentation for PolicyKit
Group: Development/Libraries/C and C++
%if 0%{?suse_version} >= 1120
@@ -65,7 +75,7 @@
Development documentation for PolicyKit Authorization Framework.
%package -n libpolkit0
-License: LGPLv2+
+License: LGPLv2.1+
Summary: Libraries required for polkit
Group: System/Libraries
Requires: %{name} = %{version}
@@ -79,6 +89,10 @@
%prep
%setup -q
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
%build
export V=1
@@ -118,6 +132,7 @@
%defattr(-,root,root,-)
%{_libdir}/lib*.so.*
%{_libdir}/girepository-1.0/Polkit-1.0.typelib
+%{_libdir}/girepository-1.0/PolkitAgent-1.0.typelib
%files -f polkit-1.lang
%defattr(-,root,root,-)
@@ -164,6 +179,7 @@
%files doc
%defattr(-,root,root,-)
+%doc NEWS
%{_datadir}/gtk-doc/html/*
%changelog
++++++ _service ++++++
<services>
<service name="download_url">
<param name="protocol">http</param>
<param name="host">hal.freedesktop.org</param>
<param name="path">/releases/polkit-0.101.tar.gz</param>
</service>
<service name="verify_file">
<param name="file">_service:download_url:polkit-0.101.tar.gz</param>
<param name="verifier">sha256</param>
<param name="checksum">927f65760e4fce23d7cdeae90245c22986eb0a39335a344915302158f73f9f1b</param>
</service>
<service name="recompress">
<param name="file">*.tar.gz</param>
<param name="compression">bz2</param>
</service>
</services>
++++++ polkit-0.99.tar.bz2 -> polkit-0.101.tar.bz2 ++++++
++++ 31897 lines of diff (skipped)
++++++ polkit-CVE-2011-1485-1.patch ++++++
From dd848a42a64a3b22a0cc60f6657b56ce9b6010ae Mon Sep 17 00:00:00 2001
From: David Zeuthen
Date: Thu, 31 Mar 2011 16:59:09 +0000
Subject: PolkitUnixProcess: Clarify that the real uid is returned, not the effective one
On Linux, also switch to parsing /proc/<pid>/status instead of relying
on the st_uid returned by stat(2) to be the uid we want.
This was pointed out by Neel Mehta. Thanks!
Signed-off-by: David Zeuthen
---
diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
index d95a1d4..876da69 100644
--- a/src/polkit/polkitunixprocess.c
+++ b/src/polkit/polkitunixprocess.c
@@ -24,9 +24,7 @@
#endif
#include
-#ifndef HAVE_FREEBSD
-#include
-#else
+#ifdef HAVE_FREEBSD
#include
#include
#include
@@ -34,6 +32,7 @@
#include
#include
#include
+#include
#include "polkitunixprocess.h"
#include "polkitsubject.h"
@@ -208,6 +207,8 @@ polkit_unix_process_get_pid (PolkitUnixProcess *process)
*
* Gets the uid of the owner of @process.
*
+ * Note that this returns the real user-id (not the effective user-id) of @process.
+ *
* Returns: The UNIX user id of the owner for @process or 0 if @error is set.
**/
gint
@@ -215,17 +216,21 @@ polkit_unix_process_get_owner (PolkitUnixProcess *process,
GError **error)
{
gint result;
+ gchar *contents;
+ gchar **lines;
#ifdef HAVE_FREEBSD
struct kinfo_proc p;
#else
- struct stat statbuf;
- char procbuf[32];
+ gchar filename[64];
+ guint n;
#endif
g_return_val_if_fail (POLKIT_IS_UNIX_PROCESS (process), 0);
g_return_val_if_fail (error == NULL || *error == NULL, 0);
result = 0;
+ lines = NULL;
+ contents = NULL;
#ifdef HAVE_FREEBSD
if (get_kinfo_proc (process->pid, &p) == 0)
@@ -241,23 +246,52 @@ polkit_unix_process_get_owner (PolkitUnixProcess *process,
result = p.ki_uid;
#else
- g_snprintf (procbuf, sizeof procbuf, "/proc/%d", process->pid);
- if (stat (procbuf, &statbuf) != 0)
+
+ /* see 'man proc' for layout of the status file
+ *
+ * Uid, Gid: Real, effective, saved set, and file system UIDs (GIDs).
+ */
+ g_snprintf (filename, sizeof filename, "/proc/%d/status", process->pid);
+ if (!g_file_get_contents (filename,
+ &contents,
+ NULL,
+ error))
{
- g_set_error (error,
- POLKIT_ERROR,
- POLKIT_ERROR_FAILED,
- "stat() failed for /proc/%d: %s",
- process->pid,
- g_strerror (errno));
goto out;
}
+ lines = g_strsplit (contents, "\n", -1);
+ for (n = 0; lines != NULL && lines[n] != NULL; n++)
+ {
+ gint real_uid, effective_uid;
+ if (!g_str_has_prefix (lines[n], "Uid:"))
+ continue;
+ if (sscanf (lines[n] + 4, "%d %d", &real_uid, &effective_uid) != 2)
+ {
+ g_set_error (error,
+ POLKIT_ERROR,
+ POLKIT_ERROR_FAILED,
+ "Unexpected line `%s' in file %s",
+ lines[n],
+ filename);
+ goto out;
+ }
+ else
+ {
+ result = real_uid;
+ goto out;
+ }
+ }
- result = statbuf.st_uid;
+ g_set_error (error,
+ POLKIT_ERROR,
+ POLKIT_ERROR_FAILED,
+ "Didn't find any line starting with `Uid:' in file %s",
+ filename);
#endif
- out:
-
+out:
+ g_strfreev (lines);
+ g_free (contents);
return result;
}
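Review bot: The `Uid:` line is scanned with `"%d %d"` into `gint`, but the real uid on Linux is an unsigned 32-bit value, so an id above INT_MAX is out of range for `%d` and cannot be represented by the function's `gint` return either; scanning into a `guint` and rejecting values that do not fit the return type (with a `g_set_error`) would make that failure explicit instead of returning a negative or garbage uid. The lookup is also still keyed on the pid alone, so the value describes whatever process holds that pid at the instant `/proc/%d/status` is read; the new docstring sentence would usefully add "the caller must pair this with the process start-time if it needs a stable binding" (the start-time accessor used by pkexec in the fourth patch provides that). Minor: `effective_uid` is scanned only to validate the line shape and is never used, which deserves a one-line comment so it is not "cleaned up" into a single `%d`. polkit_unix_process_get_owner's signature and early returns lie in the previous hunk.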
--
cgit v0.8.3-6-g21f6
++++++ polkit-CVE-2011-1485-2.patch ++++++
++++ 615 lines (skipped)
++++++ polkit-CVE-2011-1485-3.patch ++++++
From c23d74447c7615dc74dae259f0fc3688ec988867 Mon Sep 17 00:00:00 2001
From: David Zeuthen
Date: Fri, 01 Apr 2011 16:12:27 +0000
Subject: Use polkit_unix_process_get_uid() to get the owner of a process
This avoids a TOCTTOU problem.
Signed-off-by: David Zeuthen
---
diff --git a/src/polkitbackend/polkitbackendsessionmonitor.c b/src/polkitbackend/polkitbackendsessionmonitor.c
index 495f752..9c331b6 100644
--- a/src/polkitbackend/polkitbackendsessionmonitor.c
+++ b/src/polkitbackend/polkitbackendsessionmonitor.c
@@ -293,14 +293,15 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor
if (POLKIT_IS_UNIX_PROCESS (subject))
{
- local_error = NULL;
- uid = polkit_unix_process_get_owner (POLKIT_UNIX_PROCESS (subject), &local_error);
- if (local_error != NULL)
+ uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject));
+ if ((gint) uid == -1)
{
- g_propagate_prefixed_error (error, local_error, "Error getting user for process: ");
+ g_set_error (error,
+ POLKIT_ERROR,
+ POLKIT_ERROR_FAILED,
+ "Unix process subject does not have uid set");
goto out;
}
-
ret = polkit_unix_user_new (uid);
}
else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
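Review bot: A PolkitUnixProcess constructed without an owner (the pid-only `polkit_unix_process_new` path the fourth patch removes from pkexec) now fails with "Unix process subject does not have uid set" instead of being resolved from /proc, which is the intended TOCTTOU fix but is a visible behaviour change for any other caller handing in such subjects; a comment on the `(gint) uid == -1` check such as `/* -1: uid was not recorded when the subject was created; deliberately no lookup by pid, see CVE-2011-1485 */` would stop a future maintainer from "fixing" the lookup back in. The check also assumes -1 is the sentinel `polkit_unix_process_get_uid` returns for an unset uid, which is implied by the error text but not visible here, and that `uid`'s declaration (outside the hunk) is wide enough for the cast to round-trip. polkit_backend_session_monitor_get_user_for_subject starts before this hunk.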
--
cgit v0.8.3-6-g21f6
++++++ polkit-CVE-2011-1485-4.patch ++++++
From 3b12cfac29dddd27f1f166a7574d8374cc1dccf2 Mon Sep 17 00:00:00 2001
From: David Zeuthen
Date: Fri, 01 Apr 2011 16:13:15 +0000
Subject: pkexec: Avoid TOCTTOU problems with parent process
In a nutshell, the parent process may change its uid (either real- or
effective uid) after launching pkexec. It can do this by exec()'ing
e.g. a setuid root program.
To avoid this problem, just use the uid the parent process had when it
executed pkexec. This happens to be the same uid of the pkexec process
itself.
Additionally, remove some dubious code that allowed pkexec to continue
when the parent process died as there is no reason to support
something like that. Also ensure that the pkexec process is killed if
the parent process dies.
This problem was pointed out by Neel Mehta.
Signed-off-by: David Zeuthen
---
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 9217954..3e656be 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -35,6 +35,10 @@
#include
#include
+#ifdef __linux__
+#include
+#endif
+
#include
#ifdef POLKIT_AUTHFW_PAM
@@ -423,7 +427,6 @@ main (int argc, char *argv[])
GPtrArray *saved_env;
gchar *opt_user;
pid_t pid_of_caller;
- uid_t uid_of_caller;
gpointer local_agent_handle;
ret = 127;
@@ -598,40 +601,49 @@ main (int argc, char *argv[])
*/
g_type_init ();
- /* now check if the program that invoked us is authorized */
+ /* make sure we are nuked if the parent process dies */
+#ifdef __linux__
+ if (prctl (PR_SET_PDEATHSIG, SIGTERM) != 0)
+ {
+ g_printerr ("prctl(PR_SET_PDEATHSIG, SIGTERM) failed: %s\n", g_strerror (errno));
+ goto out;
+ }
+#else
+#warning "Please add OS specific code to catch when the parent dies"
+#endif
+
+ /* Figure out the parent process */
pid_of_caller = getppid ();
if (pid_of_caller == 1)
{
/* getppid() can return 1 if the parent died (meaning that we are reaped
- * by /sbin/init); get process group leader instead - for example, this
- * happens when launching via gnome-panel (alt+f2, then 'pkexec gedit').
+ * by /sbin/init); In that case we simpy bail.
*/
- pid_of_caller = getpgrp ();
- }
-
- subject = polkit_unix_process_new (pid_of_caller);
- if (subject == NULL)
- {
- g_printerr ("No such process for pid %d: %s\n", (gint) pid_of_caller, error->message);
- g_error_free (error);
+ g_printerr ("Refusing to render service to dead parents.\n");
goto out;
}
- /* paranoia: check that the uid of pid_of_caller matches getuid() */
- error = NULL;
- uid_of_caller = polkit_unix_process_get_owner (POLKIT_UNIX_PROCESS (subject),
- &error);
- if (error != NULL)
- {
- g_printerr ("Error determing pid of caller (pid %d): %s\n", (gint) pid_of_caller, error->message);
- g_error_free (error);
- goto out;
- }
- if (uid_of_caller != getuid ())
- {
- g_printerr ("User of caller (%d) does not match our uid (%d)\n", uid_of_caller, getuid ());
- goto out;
- }
+ /* This process we want to check an authorization for is the process
+ * that launched us - our parent process.
+ *
+ * At the time the parent process fork()'ed and exec()'ed us, the
+ * process had the same real-uid that we have now. So we use this
+ * real-uid instead of of looking it up to avoid TOCTTOU issues
+ * (consider the parent process exec()'ing a setuid helper).
+ *
+ * On the other hand, the monotonic process start-time is guaranteed
+ * to never change so it's safe to look that up given only the PID
+ * since we are guaranteed to be nuked if the parent goes away
+ * (cf. the prctl(2) call above).
+ */
+ subject = polkit_unix_process_new_for_owner (pid_of_caller,
+ 0, /* 0 means "look up start-time in /proc" */
+ getuid ());
+ /* really double-check the invariants guaranteed by the PolkitUnixProcess class */
+ g_assert (subject != NULL);
+ g_assert (polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (subject)) == pid_of_caller);
+ g_assert (polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject)) >= 0);
+ g_assert (polkit_unix_process_get_start_time (POLKIT_UNIX_PROCESS (subject)) > 0);
error = NULL;
authority = polkit_authority_get_sync (NULL /* GCancellable* */, &error);
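Review bot: The four `g_assert` calls after `polkit_unix_process_new_for_owner` are the only checks that `subject` is non-NULL and that its pid, uid and start-time were set, but `g_assert` expands to nothing when GLib is built with `G_DISABLE_ASSERT`, so in such a build a NULL `subject` would flow straight into the authority check; in a setuid program these invariants should be enforced with an explicit `if (subject == NULL) { g_printerr ("Error creating subject for pid %d\n", (gint) pid_of_caller); goto out; }` (and likewise for the pid/uid/start-time comparisons), with `g_assert` at most as an addition. The comment "guaranteed to be nuked if the parent goes away" also overstates `PR_SET_PDEATHSIG`: per prctl(2) the signal is delivered when the parent *thread* that created us terminates, not necessarily when the parent process as a whole exits, so the start-time comparison remains the real defence and the comment should say so. Finally, the `#warning` branch lets non-Linux builds run with no parent-death protection at all; a `#error` or a runtime refusal would be the safer default for a privilege-escalation helper. main continues past this hunk.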
--
cgit v0.8.3-6-g21f6
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++