* [meta-oe][dunfell][PATCH] polkit: Fix for CVE-2021-4115
From: Ranjitsinh Rathod @ 2022-03-01 12:30 UTC (permalink / raw)
To: openembedded-devel; +Cc: akuster808, Ranjitsinh Rathod
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Add patch to fix CVE-2021-4115
Also, add a support patch to cleanly apply CVE patch
Link: https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/109
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
---
...thentication-bypass-vulnerability-in.patch | 32 +++++++
.../polkit/files/CVE-2021-4115.patch | 87 +++++++++++++++++++
.../recipes-extended/polkit/polkit_0.116.bb | 2 +
3 files changed, 121 insertions(+)
create mode 100644 meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch
create mode 100644 meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
diff --git a/meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch b/meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch
new file mode 100644
index 000000000..2a2373ed5
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch
@@ -0,0 +1,32 @@
+From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Wed, 2 Jun 2021 15:43:38 +0200
+Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit
+
+initial values returned if error caught
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81.patch]
+CVE: CVE-2021-4115
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/polkit/polkitsystembusname.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8daa12c..8ed1363 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+ g_main_context_iteration (tmp_context, TRUE);
+
++ if (data.caught_error)
++ goto out;
++
+ if (out_uid)
+ *out_uid = data.uid;
+ if (out_pid)
+--
+GitLab
+
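Review bot: The `CVE: CVE-2021-4115` trailer in this backport's header does not match its subject, which names GHSL-2021-074, while the second patch in the series labels CVE-2021-4115 as GHSL-2021-077. The `CVE:` tag is what the cve-check tooling reads to decide which CVEs a recipe has patched, so if GHSL-2021-074 has its own CVE identifier, that identifier should be recorded here; otherwise the advisory this patch fixes stays untracked. If the patch is carried only so that CVE-2021-4115.patch applies cleanly, state that in the header with a line such as `Prerequisite for CVE-2021-4115.patch; fixes GHSL-2021-074.`. The body of `polkit_system_bus_name_get_creds_sync` continues outside the hunk, so it is worth confirming that the `out:` path returns failure without writing `*out_uid` or `*out_pid`.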
diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
new file mode 100644
index 000000000..37e0d6063
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
@@ -0,0 +1,87 @@
+From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Mon, 21 Feb 2022 08:29:05 +0000
+Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/41cb093f554da8772362654a128a84dd8a5542a7.patch]
+CVE: CVE-2021-4115
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++----
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8ed1363..2fbf5f1 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -62,6 +62,10 @@ enum
+ PROP_NAME,
+ };
+
++
++guint8 dbus_call_respond_fails; // has to be global because of callback
++
++
+ static void subject_iface_init (PolkitSubjectIface *subject_iface);
+
+ G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
+@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
+ if (!v)
+ {
+ data->caught_error = TRUE;
++ dbus_call_respond_fails += 1;
+ }
+ else
+ {
+@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ tmp_context = g_main_context_new ();
+ g_main_context_push_thread_default (tmp_context);
+
++ dbus_call_respond_fails = 0;
++
+ /* Do two async calls as it's basically as fast as one sync call.
+ */
+ g_dbus_connection_call (connection,
+@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ on_retrieved_unix_uid_pid,
+ &data);
+
+- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+- g_main_context_iteration (tmp_context, TRUE);
++ while (TRUE)
++ {
++ /* If one dbus call returns error, we must wait until the other call
++ * calls _call_finish(), otherwise fd leak is possible.
++ * Resolves: GHSL-2021-077
++ */
+
+- if (data.caught_error)
+- goto out;
++ if ( (dbus_call_respond_fails > 1) )
++ {
++ // we got two faults, we can leave
++ goto out;
++ }
++
++ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
++ {
++ // we got one fault and the other call finally finished, we can leave
++ goto out;
++ }
++
++ if ( !(data.retrieved_uid && data.retrieved_pid) )
++ {
++ g_main_context_iteration (tmp_context, TRUE);
++ }
++ else
++ {
++ break;
++ }
++ }
+
+ if (out_uid)
+ *out_uid = data.uid;
+--
+GitLab
+
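Review bot: `dbus_call_respond_fails` is added as a file-scope `guint8` with external linkage that `polkit_system_bus_name_get_creds_sync` resets to 0 and `on_retrieved_unix_uid_pid` increments, so concurrent credential lookups on different threads would share one counter. A reset by one caller between another caller's two failures could presumably keep the `> 1` exit from firing and leave that caller blocked in `g_main_context_iteration`. The comment says the variable has to be global because of the callback, but the callback in this same patch already writes `data->caught_error` through its user-data pointer, so the count can live beside it: `data->failed_calls += 1;` in the callback and `if (data.failed_calls > 1)` in the loop. At minimum the declaration should be `static guint8 dbus_call_respond_fails;`. The struct behind `data` is declared outside the visible hunks, and because this is a verbatim upstream backport the change would need to land upstream first.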
diff --git a/meta-oe/recipes-extended/polkit/polkit_0.116.bb b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
index 77288b008..aceb68699 100644
--- a/meta-oe/recipes-extended/polkit/polkit_0.116.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
@@ -26,6 +26,8 @@ SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://0003-make-netgroup-support-optional.patch \
file://CVE-2021-4034.patch \
+ file://0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch \
+ file://CVE-2021-4115.patch \
"
SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a"
SRC_URI[sha256sum] = "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1"
--
2.17.1
* Re: [meta-oe][dunfell][PATCH] polkit: Fix for CVE-2021-4115
From: Ranjitsinh Rathod @ 2022-03-25 17:29 UTC (permalink / raw)
To: openembedded-devel; +Cc: akuster808, Ranjitsinh Rathod
May I know when this fix will be available in the dunfell branch?
I can see it has been available in the testing branch for many days.
Thanks,
Ranjitsinh Rathod
On Tue, 1 Mar, 2022, 6:01 pm Ranjitsinh Rathod, <
ranjitsinhrathod1991@gmail.com> wrote:
> From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
>
> Add patch to fix CVE-2021-4115
> Also, add a support patch to cleanly apply CVE patch
> Link: https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/109
>
> Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
> ---
> ...thentication-bypass-vulnerability-in.patch | 32 +++++++
> .../polkit/files/CVE-2021-4115.patch | 87 +++++++++++++++++++
> .../recipes-extended/polkit/polkit_0.116.bb | 2 +
> 3 files changed, 121 insertions(+)
> create mode 100644
> meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch
> create mode 100644
> meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
>
> diff --git
> a/meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch
> b/meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch
> new file mode 100644
> index 000000000..2a2373ed5
> --- /dev/null
> +++
> b/meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch
> @@ -0,0 +1,32 @@
> +From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001
> +From: Jan Rybar <jrybar@redhat.com>
> +Date: Wed, 2 Jun 2021 15:43:38 +0200
> +Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in
> polkit
> +
> +initial values returned if error caught
> +
> +Upstream-Status: Backport [
> https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81.patch
> ]
> +CVE: CVE-2021-4115
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +
> +---
> + src/polkit/polkitsystembusname.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/src/polkit/polkitsystembusname.c
> b/src/polkit/polkitsystembusname.c
> +index 8daa12c..8ed1363 100644
> +--- a/src/polkit/polkitsystembusname.c
> ++++ b/src/polkit/polkitsystembusname.c
> +@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync
> (PolkitSystemBusName *system_bus
> + while (!((data.retrieved_uid && data.retrieved_pid) ||
> data.caught_error))
> + g_main_context_iteration (tmp_context, TRUE);
> +
> ++ if (data.caught_error)
> ++ goto out;
> ++
> + if (out_uid)
> + *out_uid = data.uid;
> + if (out_pid)
> +--
> +GitLab
> +
> diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
> b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
> new file mode 100644
> index 000000000..37e0d6063
> --- /dev/null
> +++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
> @@ -0,0 +1,87 @@
> +From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001
> +From: Jan Rybar <jrybar@redhat.com>
> +Date: Mon, 21 Feb 2022 08:29:05 +0000
> +Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix
> +
> +Upstream-Status: Backport [
> https://gitlab.freedesktop.org/polkit/polkit/-/commit/41cb093f554da8772362654a128a84dd8a5542a7.patch
> ]
> +CVE: CVE-2021-4115
> +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
> +
> +---
> + src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++----
> + 1 file changed, 34 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/polkit/polkitsystembusname.c
> b/src/polkit/polkitsystembusname.c
> +index 8ed1363..2fbf5f1 100644
> +--- a/src/polkit/polkitsystembusname.c
> ++++ b/src/polkit/polkitsystembusname.c
> +@@ -62,6 +62,10 @@ enum
> + PROP_NAME,
> + };
> +
> ++
> ++guint8 dbus_call_respond_fails; // has to be global because of
> callback
> ++
> ++
> + static void subject_iface_init (PolkitSubjectIface *subject_iface);
> +
> + G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name,
> G_TYPE_OBJECT,
> +@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
> + if (!v)
> + {
> + data->caught_error = TRUE;
> ++ dbus_call_respond_fails += 1;
> + }
> + else
> + {
> +@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync
> (PolkitSystemBusName *system_bus
> + tmp_context = g_main_context_new ();
> + g_main_context_push_thread_default (tmp_context);
> +
> ++ dbus_call_respond_fails = 0;
> ++
> + /* Do two async calls as it's basically as fast as one sync call.
> + */
> + g_dbus_connection_call (connection,
> +@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync
> (PolkitSystemBusName *system_bus
> + on_retrieved_unix_uid_pid,
> + &data);
> +
> +- while (!((data.retrieved_uid && data.retrieved_pid) ||
> data.caught_error))
> +- g_main_context_iteration (tmp_context, TRUE);
> ++ while (TRUE)
> ++ {
> ++ /* If one dbus call returns error, we must wait until the other call
> ++ * calls _call_finish(), otherwise fd leak is possible.
> ++ * Resolves: GHSL-2021-077
> ++ */
> +
> +- if (data.caught_error)
> +- goto out;
> ++ if ( (dbus_call_respond_fails > 1) )
> ++ {
> ++ // we got two faults, we can leave
> ++ goto out;
> ++ }
> ++
> ++ if ((data.caught_error && (data.retrieved_pid ||
> data.retrieved_uid)))
> ++ {
> ++ // we got one fault and the other call finally finished, we can
> leave
> ++ goto out;
> ++ }
> ++
> ++ if ( !(data.retrieved_uid && data.retrieved_pid) )
> ++ {
> ++ g_main_context_iteration (tmp_context, TRUE);
> ++ }
> ++ else
> ++ {
> ++ break;
> ++ }
> ++ }
> +
> + if (out_uid)
> + *out_uid = data.uid;
> +--
> +GitLab
> +
> diff --git a/meta-oe/recipes-extended/polkit/polkit_0.116.bb
> b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
> index 77288b008..aceb68699 100644
> --- a/meta-oe/recipes-extended/polkit/polkit_0.116.bb
> +++ b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
> @@ -26,6 +26,8 @@ SRC_URI = "
> http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.
> ${@bb.utils.contains('DISTRO_FEATURES', 'pam',
> '${PAM_SRC_URI}', '', d)} \
> file://0003-make-netgroup-support-optional.patch \
> file://CVE-2021-4034.patch \
> +
> file://0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch \
> + file://CVE-2021-4115.patch \
> "
> SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a"
> SRC_URI[sha256sum] =
> "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1"
> --
> 2.17.1
>
>