up to 121 (new js engine)
authorJan Palus <atler@pld-linux.org>
Wed, 13 Jul 2022 21:36:29 +0000 (23:36 +0200)
committerJan Palus <atler@pld-linux.org>
Wed, 13 Jul 2022 21:36:29 +0000 (23:36 +0200)
- duktape as new js engine preferred by upstream
- bcond for mozjs but note it might be dropped completely upstream soon
- project moved to meson
- static libs are gone

CVE-2021-4034.patch [deleted file]
polkit.spec
systemd-fallback.patch

diff --git a/CVE-2021-4034.patch b/CVE-2021-4034.patch
deleted file mode 100644 (file)
index a06300a..0000000
+++ /dev/null
@@ -1,79 +0,0 @@
-From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
-From: Jan Rybar <jrybar@redhat.com>
-Date: Tue, 25 Jan 2022 17:21:46 +0000
-Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
-
----
- src/programs/pkcheck.c |  5 +++++
- src/programs/pkexec.c  | 23 ++++++++++++++++++++---
- 2 files changed, 25 insertions(+), 3 deletions(-)
-
-diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
-index f1bb4e1..768525c 100644
---- a/src/programs/pkcheck.c
-+++ b/src/programs/pkcheck.c
-@@ -363,6 +363,11 @@ main (int argc, char *argv[])
-   local_agent_handle = NULL;
-   ret = 126;
-+  if (argc < 1)
-+    {
-+      exit(126);
-+    }
-+
-   /* Disable remote file access from GIO. */
-   setenv ("GIO_USE_VFS", "local", 1);
-diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
-index 7698c5c..84e5ef6 100644
---- a/src/programs/pkexec.c
-+++ b/src/programs/pkexec.c
-@@ -488,6 +488,15 @@ main (int argc, char *argv[])
-   pid_t pid_of_caller;
-   gpointer local_agent_handle;
-+
-+  /*
-+   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
-+   */
-+  if (argc<1)
-+    {
-+      exit(127);
-+    }
-+
-   ret = 127;
-   authority = NULL;
-   subject = NULL;
-@@ -614,10 +623,10 @@ main (int argc, char *argv[])
-       path = g_strdup (pwstruct.pw_shell);
-       if (!path)
--      {
-+        {
-           g_printerr ("No shell configured or error retrieving pw_shell\n");
-           goto out;
--      }
-+        }
-       /* If you change this, be sure to change the if (!command_line)
-        case below too */
-       command_line = g_strdup (path);
-@@ -636,7 +645,15 @@ main (int argc, char *argv[])
-           goto out;
-         }
-       g_free (path);
--      argv[n] = path = s;
-+      path = s;
-+
-+      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
-+       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
-+       */
-+      if (argv[n] != NULL)
-+      {
-+        argv[n] = path;
-+      }
-     }
-   if (access (path, F_OK) != 0)
-     {
--- 
-GitLab
-
index e29defed74375316e992c1c81135ee4f53dfd9d3..fee48fc7d0a043f36a5d08b7e9ca32b682c7c10e 100644 (file)
@@ -2,6 +2,7 @@
 # Conditional build:
 %bcond_without apidocs         # build without apidocs
 %bcond_without consolekit      # ConsoleKit fallback
+%bcond_with    mozjs           # build with mozjs as JS backend instead of duktape
 %bcond_without systemd         # use systemd-login for session tracking (fallback to ConsoleKit on runtime)
 %bcond_with    elogind         # use elogind instead of systemd-login
 
 Summary:       A framework for defining policy for system-wide components
 Summary(pl.UTF-8):     Szkielet do definiowania polityki dla komponentów systemowych
 Name:          polkit
-Version:       0.120
-Release:       2
+Version:       121
+Release:       1
 License:       LGPL v2+
 Group:         Libraries
 Source0:       https://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
-# Source0-md5: a6efe21d021fafe4191ee30331ef801c
+# Source0-md5: 255761abdc616805a6592bb5fffae178
 Patch0:                systemd-fallback.patch
-Patch1:                CVE-2021-4034.patch
 URL:           https://www.freedesktop.org/wiki/Software/polkit
-BuildRequires: autoconf >= 2.60
-BuildRequires: automake >= 1:1.7
+BuildRequires: dbus-devel
 BuildRequires: docbook-dtd412-xml
 BuildRequires: docbook-style-xsl
+%{!?with_mozjs:BuildRequires:  duktape-devel >= 2.2.0}
 %{?with_elogind:BuildRequires: elogind-devel}
 BuildRequires: expat-devel >= 1:1.95.8
 BuildRequires: gettext-tools
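Review bot: Dropping `Patch1: CVE-2021-4034.patch` leaves no record in the spec that the pkexec fix is still present, and the package continues to install `pkexec` setuid root. The removal is presumably safe because the 121 tarball already carries upstream commit a2bf5c9c (the `argc < 1` guards in pkexec.c and pkcheck.c), but nothing visible here confirms that. I would add a comment next to `Patch0`, such as `# CVE-2021-4034 (pkexec argc guard) is part of upstream 121; local patch dropped`, once that has been checked against the unpacked source.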
@@ -35,19 +35,21 @@ BuildRequires:      gobject-introspection-devel >= 0.6.2
 BuildRequires: gtk-doc >= 1.3
 BuildRequires: gtk-doc-automake >= 1.3
 BuildRequires: libstdc++-devel >= 6:7
-BuildRequires: libtool >= 2:1.5
 BuildRequires: libxslt-progs
-BuildRequires: mozjs78-devel
+BuildRequires: meson >= 0.50.0
+%{?with_mozjs:BuildRequires:   mozjs91-devel}
+BuildRequires: ninja
 BuildRequires: pam-devel >= 0.80
 BuildRequires: pkgconfig
 BuildRequires: rpm-build >= 4.6
-BuildRequires: rpmbuild(macros) >= 1.647
+BuildRequires: rpmbuild(macros) >= 1.736
 %{?with_systemd:BuildRequires: systemd-devel}
 Requires:      %{name}-libs = %{version}-%{release}
 %if %{without systemd} && %{without elogind}
 Requires:      ConsoleKit >= 0.4.1
 %endif
 Requires:      dbus >= 1.1.2-5
+%{!?with_mozjs:Requires:       duktape >= 2.2.0}
 %if %{with systemd}
 Requires:      systemd-units >= 38
 %endif
@@ -106,55 +108,30 @@ Header files for PolicyKit.
 %description devel -l pl.UTF-8
 Pliki nagłówkowe PolicyKit.
 
-%package static
-Summary:       Static PolicyKit libraries
-Summary(pl.UTF-8):     Statyczne biblioteki PolicyKit
-Group:         Development/Libraries
-Requires:      %{name}-devel = %{version}-%{release}
-Obsoletes:     PolicyKit-static
-
-%description static
-Static PolicyKit libraries.
-
-%description static -l pl.UTF-8
-Statyczne biblioteki PolicyKit.
-
 %prep
-%setup -q
+%setup -q -n %{name}-v.%{version}
 %if %{with consolekit} && (%{with systemd} || %{with elogind})
 %patch0 -p1
 %endif
-%patch1 -p1
 
 %build
-%{__gtkdocize}
-%{__gettextize}
-%{__libtoolize}
-%{__aclocal}
-%{__autoconf}
-%{__autoheader}
-%{__automake}
-%configure \
-       %{__enable_disable apidocs gtk-doc} \
-       --disable-silent-rules \
-       --disable-test \
-       %{__enable_disable elogind libelogind} \
-       %{__enable_disable systemd libsystemd-login} \
-       --with-html-dir=%{_gtkdocdir} \
-       --with-pam-include=system-auth \
-       --with-pam-module-dir=/%{_lib}/security \
-       --with-polkitd-user=polkitd
-
-LC_ALL=C.UTF-8 \
-%{__make} -j1
+%meson build \
+       -Dgtk_doc=%{__true_false apidocs} \
+       -Dtests=false \
+       -Dsession_tracking=%{?with_systemd:libsystemd-login}%{?with_elogind:libelogind} \
+       -Dpam_include=system-auth \
+       -Dpam_module_dir=/%{_lib}/security \
+       -Dpolkitd_user=polkitd \
+       -Dexamples=true \
+       -Djs_engine=%{!?with_mozjs:duktape}%{?with_mozjs:mozjs} \
+       -Dman=true
+
+%ninja_build -C build
 
 %install
 rm -rf $RPM_BUILD_ROOT
 
-%{__make} install \
-       DESTDIR=$RPM_BUILD_ROOT
-
-%{__rm} $RPM_BUILD_ROOT%{_libdir}/*.la
+%ninja_install -C build
 
 %find_lang polkit-1
 
@@ -179,7 +156,7 @@ fi
 
 %files -f polkit-1.lang
 %defattr(644,root,root,755)
-%doc AUTHORS NEWS README
+%doc AUTHORS NEWS.md README.md
 %attr(755,root,root) %{_bindir}/pkaction
 %attr(755,root,root) %{_bindir}/pkcheck
 %attr(4755,root,root) %{_bindir}/pkexec
@@ -193,6 +170,7 @@ fi
 %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/polkit-1/rules.d/50-default.rules
 /etc/pam.d/polkit-1
 %dir %{_datadir}/polkit-1
+%{_datadir}/polkit-1/policyconfig-1.dtd
 %{_datadir}/polkit-1/actions
 %attr(700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
 %{_datadir}/dbus-1/system-services/org.freedesktop.PolicyKit1.service
@@ -233,8 +211,3 @@ fi
 %{_datadir}/gir-1.0/PolkitAgent-1.0.gir
 %{_datadir}/gettext/its/polkit.its
 %{_datadir}/gettext/its/polkit.loc
-
-%files static
-%defattr(644,root,root,755)
-%{_libdir}/libpolkit-agent-1.a
-%{_libdir}/libpolkit-gobject-1.a
index 606c1067fe472de7f79a66f11f5fe224a324821f..3422d47a28d2826286207b4e227e744120f152a0 100644 (file)
@@ -1,34 +1,3 @@
-diff -ruN polkit-0.113.orig/configure.ac polkit-0.113/configure.ac
---- polkit-0.113.orig/configure.ac     2015-06-19 22:31:02.000000000 +0200
-+++ polkit-0.113/configure.ac  2015-09-26 23:40:21.669982142 +0200
-@@ -200,7 +200,7 @@
-     [have_libsystemd=yes],
-     dnl if libsystemd is not available, fall back to the older libsystemd-login
-     [PKG_CHECK_MODULES([LIBSYSTEMD_LOGIN],
--      [libsystemd-login],
-+      [libsystemd-login libsystemd-daemon],
-       [
-         have_libsystemd=yes
-         LIBSYSTEMD_CFLAGS="$LIBSYSTEMD_LOGIN_CFLAGS"
-diff -ruN polkit-0.113.orig/src/polkit/Makefile.am polkit-0.113/src/polkit/Makefile.am
---- polkit-0.113.orig/src/polkit/Makefile.am   2015-06-19 22:31:02.000000000 +0200
-+++ polkit-0.113/src/polkit/Makefile.am        2015-09-26 23:40:21.669982142 +0200
-@@ -79,15 +79,7 @@
-       polkitimplicitauthorization.c           polkitimplicitauthorization.h           \
-       polkittemporaryauthorization.c          polkittemporaryauthorization.h          \
-       polkitpermission.c                      polkitpermission.h                      \
--        $(NULL)
--
--if HAVE_LIBSYSTEMD
--libpolkit_gobject_1_la_SOURCES += \
--      polkitunixsession-systemd.c             polkitunixsession.h
--else
--libpolkit_gobject_1_la_SOURCES += \
-       polkitunixsession.c                     polkitunixsession.h
--endif
- libpolkit_gobject_1_la_CFLAGS =                                               \
-         -D_POLKIT_COMPILATION                                                 \
 --- polkit-0.114/src/polkit/polkitunixsession.c.orig   2018-03-23 16:09:30.000000000 +0100
 +++ polkit-0.114/src/polkit/polkitunixsession.c        2018-04-12 19:03:50.775644785 +0200
 @@ -29,6 +29,12 @@
@@ -713,28 +682,9 @@ diff -ruN polkit-0.113.orig/src/polkit/Makefile.am polkit-0.113/src/polkit/Makef
 -{
 -  /* use default implementation to run GInitable code in a thread */
 -}
-diff -ruN polkit-0.113.orig/src/polkitbackend/Makefile.am polkit-0.113/src/polkitbackend/Makefile.am
---- polkit-0.113.orig/src/polkitbackend/Makefile.am    2015-06-19 22:31:02.000000000 +0200
-+++ polkit-0.113/src/polkitbackend/Makefile.am 2015-09-26 23:40:21.674982125 +0200
-@@ -36,15 +36,7 @@
-       polkitbackendjsauthority.h              polkitbackendjsauthority.cpp            \
-       polkitbackendactionpool.h               polkitbackendactionpool.c               \
-       polkitbackendactionlookup.h             polkitbackendactionlookup.c             \
--        $(NULL)
--
--if HAVE_LIBSYSTEMD
--libpolkit_backend_1_la_SOURCES += \
--      polkitbackendsessionmonitor.h           polkitbackendsessionmonitor-systemd.c
--else
--libpolkit_backend_1_la_SOURCES += \
-       polkitbackendsessionmonitor.h           polkitbackendsessionmonitor.c
--endif
- libpolkit_backend_1_la_CFLAGS =                                               \
-         -D_POLKIT_COMPILATION                                                 \
---- polkit-0.114.orig/src/polkitbackend/polkitbackendjsauthority.cpp   2015-06-19 22:39:58.000000000 +0200
-+++ polkit-0.114/src/polkitbackend/polkitbackendjsauthority.cpp        2015-09-26 23:40:21.674982125 +0200
-@@ -36,6 +36,7 @@
+--- polkit-v.121/src/polkitbackend/polkitbackendcommon.h.orig  2022-07-11 10:46:06.000000000 +0200
++++ polkit-v.121/src/polkitbackend/polkitbackendcommon.h       2022-07-13 23:30:49.653425289 +0200
+@@ -47,6 +47,7 @@
  #include <polkit/polkitprivate.h>
  
  #ifdef HAVE_LIBSYSTEMD
@@ -742,6 +692,8 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/Makefile.am polkit-0.113/src/polki
  #include <systemd/sd-login.h>
  #endif /* HAVE_LIBSYSTEMD */
  
+--- polkit-0.114.orig/src/polkitbackend/polkitbackendjsauthority.cpp   2015-06-19 22:39:58.000000000 +0200
++++ polkit-0.114/src/polkitbackend/polkitbackendjsauthority.cpp        2015-09-26 23:40:21.674982125 +0200
 @@ -794,6 +795,8 @@
      }
  
@@ -1671,3 +1623,52 @@ diff -ruN polkit-0.113.orig/src/polkitbackend/Makefile.am polkit-0.113/src/polki
 -  return sd_session_is_active (session_id);
 -}
 -
+diff -ur polkit-v.121.orig/meson.build polkit-v.121/meson.build
+--- polkit-v.121.orig/meson.build      2022-07-11 10:46:06.000000000 +0200
++++ polkit-v.121/meson.build   2022-07-13 23:02:30.432622964 +0200
+@@ -187,7 +187,8 @@
+   if session_tracking == 'libsystemd-login'
+     logind_dep = dependency('libsystemd', required: false)
+     if not logind_dep.found()
+-      logind_dep = dependency('libsystemd-login', not_found_message: 'libsystemd support requested but libsystemd or libsystemd-login library not found')
++      logind_dep = [ dependency('libsystemd-login', not_found_message: 'libsystemd support requested but libsystemd or libsystemd-login library not found'),dependency('libsystemd-daemon', not_found_message: 'libsystemd support requested but libsystemd or libsystemd-daemon library not found')]
++
+     endif
+   else
+     logind_dep = dependency('libelogind', not_found_message: 'libelogind support requested but libelogind library not found')
+diff -ur polkit-v.121.orig/src/polkit/meson.build polkit-v.121/src/polkit/meson.build
+--- polkit-v.121.orig/src/polkit/meson.build   2022-07-11 10:46:06.000000000 +0200
++++ polkit-v.121/src/polkit/meson.build        2022-07-13 23:11:05.333520578 +0200
+@@ -77,13 +77,11 @@
+ c_flags = '-D_POLKIT_COMPILATION'
+ if enable_logind
+-  sources += 'polkitunixsession-systemd.c'
+-
+   deps += logind_dep
+-else
+-  sources += 'polkitunixsession.c'
+ endif
++  sources += 'polkitunixsession.c'
++
+ libpolkit_gobject = shared_library(
+   name,
+   sources: sources,
+diff -ur polkit-v.121.orig/src/polkitbackend/meson.build polkit-v.121/src/polkitbackend/meson.build
+--- polkit-v.121.orig/src/polkitbackend/meson.build    2022-07-11 10:46:06.000000000 +0200
++++ polkit-v.121/src/polkitbackend/meson.build 2022-07-13 23:05:09.917827287 +0200
+@@ -43,12 +43,9 @@
+ endif
+ if enable_logind
+-  sources += files('polkitbackendsessionmonitor-systemd.c')
+-
+   deps += logind_dep
+-else
+-  sources += files('polkitbackendsessionmonitor.c')
+ endif
++  sources += files('polkitbackendsessionmonitor.c')
+ libpolkit_backend = static_library(
+   name,
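Review bot: In the added src/polkit/meson.build and src/polkitbackend/meson.build hunks, the now-unconditional `sources += 'polkitunixsession.c'` and `sources += files('polkitbackendsessionmonitor.c')` lines keep a two-space indent after `endif`, so they read as if still inside `if enable_logind`. Meson ignores indentation, so the build is unaffected, but dedenting both lines to column 0 would make it obvious that the merged fallback source is always compiled. A short header comment in the patch would also help, stating that the logind and ConsoleKit paths now share one source file and are chosen at run time. That selection code is outside the lines shown here, so this description is inferred from the spec's bcond comment.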