[packages/polkit.git] / CVE-2021-4034.patch

From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Tue, 25 Jan 2022 17:21:46 +0000
Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)

---
 src/programs/pkcheck.c |  5 +++++
 src/programs/pkexec.c  | 23 ++++++++++++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index f1bb4e1..768525c 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
   local_agent_handle = NULL;
   ret = 126;
 
+  if (argc < 1)
+    {
+      exit(126);
+    }
+
   /* Disable remote file access from GIO. */
   setenv ("GIO_USE_VFS", "local", 1);
 
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 7698c5c..84e5ef6 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
   pid_t pid_of_caller;
   gpointer local_agent_handle;
 
+
+  /*
+   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
+   */
+  if (argc<1)
+    {
+      exit(127);
+    }
+
   ret = 127;
   authority = NULL;
   subject = NULL;
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
 
       path = g_strdup (pwstruct.pw_shell);
       if (!path)
-	{
+        {
           g_printerr ("No shell configured or error retrieving pw_shell\n");
           goto out;
-	}
+        }
       /* If you change this, be sure to change the if (!command_line)
 	 case below too */
       command_line = g_strdup (path);
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
           goto out;
         }
       g_free (path);
-      argv[n] = path = s;
+      path = s;
+
+      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+       */
+      if (argv[n] != NULL)
+      {
+        argv[n] = path;
+      }
     }
   if (access (path, F_OK) != 0)
     {
-- 
GitLab
Commit	Line	Data
c59403dd AM	1	From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
	2	From: Jan Rybar <jrybar@redhat.com>
	3	Date: Tue, 25 Jan 2022 17:21:46 +0000
	4	Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
	5
	6	---
	7	src/programs/pkcheck.c \| 5 +++++
	8	src/programs/pkexec.c \| 23 ++++++++++++++++++++---
	9	2 files changed, 25 insertions(+), 3 deletions(-)
	10
	11	diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
	12	index f1bb4e1..768525c 100644
	13	--- a/src/programs/pkcheck.c
	14	+++ b/src/programs/pkcheck.c
	15	@@ -363,6 +363,11 @@ main (int argc, char *argv[])
	16	local_agent_handle = NULL;
	17	ret = 126;
	18
	19	+ if (argc < 1)
	20	+ {
	21	+ exit(126);
	22	+ }
	23	+
	24	/* Disable remote file access from GIO. */
	25	setenv ("GIO_USE_VFS", "local", 1);
	26
	27	diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
	28	index 7698c5c..84e5ef6 100644
	29	--- a/src/programs/pkexec.c
	30	+++ b/src/programs/pkexec.c
	31	@@ -488,6 +488,15 @@ main (int argc, char *argv[])
	32	pid_t pid_of_caller;
	33	gpointer local_agent_handle;
	34
	35	+
	36	+ /*
	37	+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
	38	+ */
	39	+ if (argc<1)
	40	+ {
	41	+ exit(127);
	42	+ }
	43	+
	44	ret = 127;
	45	authority = NULL;
	46	subject = NULL;
	47	@@ -614,10 +623,10 @@ main (int argc, char *argv[])
	48
	49	path = g_strdup (pwstruct.pw_shell);
	50	if (!path)
	51	- {
	52	+ {
	53	g_printerr ("No shell configured or error retrieving pw_shell\n");
	54	goto out;
	55	- }
	56	+ }
	57	/* If you change this, be sure to change the if (!command_line)
	58	case below too */
	59	command_line = g_strdup (path);
	60	@@ -636,7 +645,15 @@ main (int argc, char *argv[])
	61	goto out;
	62	}
	63	g_free (path);
	64	- argv[n] = path = s;
65	+ path = s;
66	+
67	+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
68	+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
69	+ */
70	+ if (argv[n] != NULL)
71	+ {
72	+ argv[n] = path;
73	+ }
74	}
75	if (access (path, F_OK) != 0)
76	{
77	--
78	GitLab
79