Message ID | 20210608084512.29608-1-ludo@gnu.org |
---|---|
State | Accepted |
Headers | show |
Series | [bug#48915] gnu: polkit: Graft a replacement for CVE-2021-3560. | expand |
Context | Check | Description |
---|---|---|
cbaines/applying patch | fail | View Laminar job |
cbaines/issue | success | View issue |
On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote: > +(define-public polkit/fixed > + (package > + (inherit polkit) > + (version "0.11A") ;0.116 + patch > + (source (origin > + (inherit (package-source polkit)) > + (patches (search-patches "polkit-CVE-2021-3560.patch")))))) Typically, we don't change the version when creating replacement packages that apply a patch. We only change the version when the replacement package actually updates to a new version. Thanks for taking care of this!
Leo Famulari <leo@famulari.name> skribis: > On Tue, Jun 08, 2021 at 10:45:12AM +0200, Ludovic Courtès wrote: >> +(define-public polkit/fixed >> + (package >> + (inherit polkit) >> + (version "0.11A") ;0.116 + patch >> + (source (origin >> + (inherit (package-source polkit)) >> + (patches (search-patches "polkit-CVE-2021-3560.patch")))))) > > Typically, we don't change the version when creating replacement > packages that apply a patch. We only change the version when the > replacement package actually updates to a new version. Pushed as 9178566954cc7f34d2d991d31df4565adad93508! As discussed on IRC, I ended up making ‘polkit/fixed’ private, with the version string unchanged (inherited from ‘polkit’). We wondered whether Cuirass would build ‘polkit/fixed’ if it’s private. Turns out it does, but this comment in (gnu ci) is still valid: --8<---------------cut here---------------start------------->8--- (define (all-packages) "Return the list of packages to build." (define (adjust package result) (cond ((package-replacement package) ;; XXX: If PACKAGE and its replacement have the same name/version, ;; then both Cuirass jobs will have the same name, which ;; effectively means that the second one will be ignored. Thus, ;; return the replacement first. (cons* (package-replacement package) ;build both package result)) --8<---------------cut here---------------end--------------->8--- IOW, the replacement, and only the replacement, gets built. The current ‘zstd’ replacement is private <https://ci.guix.gnu.org/search?query=system%3Ax86_64-linux+spec%3Amaster+zstd> only shows derivations for the replacement, not for the original one. That’s okay though because the original one necessarily got built earlier. Thanks, Ludo’.
diff --git a/gnu/local.mk b/gnu/local.mk index 0599df8968..42c5ee0d31 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1555,6 +1555,7 @@ dist_patch_DATA = \ %D%/packages/patches/plib-CVE-2011-4620.patch \ %D%/packages/patches/plib-CVE-2012-4552.patch \ %D%/packages/patches/plotutils-spline-test.patch \ + %D%/packages/patches/polkit-CVE-2021-3560.patch \ %D%/packages/patches/portaudio-audacity-compat.patch \ %D%/packages/patches/portmidi-modular-build.patch \ %D%/packages/patches/postgresql-disable-resolve_symlinks.patch \ diff --git a/gnu/packages/patches/polkit-CVE-2021-3560.patch b/gnu/packages/patches/polkit-CVE-2021-3560.patch new file mode 100644 index 0000000000..9aa0373fda --- /dev/null +++ b/gnu/packages/patches/polkit-CVE-2021-3560.patch @@ -0,0 +1,21 @@ +This patch fixes CVE-2021-3560, "local privilege escalation using +polkit_system_bus_name_get_creds_sync()": + + https://www.openwall.com/lists/oss-security/2021/06/03/1 + +Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a>. + +diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c +index 8daa12cb9093c1d765c7b83654a2b8d0d382378e..8ed13631508dd96624898df90ee2ece4dcf3e1e5 100644 +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) + g_main_context_iteration (tmp_context, TRUE); + ++ if (data.caught_error) ++ goto out; ++ + if (out_uid) + *out_uid = data.uid; + if (out_pid) diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm index d868aceec2..fcd8633b7a 100644 --- a/gnu/packages/polkit.scm +++ b/gnu/packages/polkit.scm @@ -44,6 +44,7 @@ (package (name "polkit") (version "0.116") + (replacement polkit/fixed) (source (origin (method url-fetch) (uri (string-append @@ -135,6 +136,14 @@ making process with respect to granting access to privileged operations for unprivileged applications.") (license lgpl2.0+))) +(define-public polkit/fixed + (package + (inherit polkit) + (version "0.11A") ;0.116 + patch + (source (origin + (inherit (package-source polkit)) + (patches (search-patches "polkit-CVE-2021-3560.patch")))))) + (define-public polkit-qt (package (name "polkit-qt")