package/develop/polkit/CVE-2021-4034.patch

   1 # --- T2-COPYRIGHT-NOTE-BEGIN ---
   2 # T2 SDE: package/*/polkit/CVE-2021-4034.patch
   3 # Copyright (C) 2022 The T2 SDE Project
   4 #
   5 # This Copyright note is generated by scripts/Create-CopyPatch,
   6 # more information can be found in the files COPYING and README.
   7 #
   8 # This patch file is dual-licensed. It is available under the license the
   9 # patched project is licensed under, as long as it is an OpenSource license
  10 # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
  11 # of the GNU General Public License version 2 as used by the T2 SDE.
  12 # --- T2-COPYRIGHT-NOTE-END ---
  13
  14 From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
  15 From: Jan Rybar <jrybar@redhat.com>
  16 Date: Tue, 25 Jan 2022 17:21:46 +0000
  17 Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
  18
  19 ---
  20  src/programs/pkcheck.c |  5 +++++
  21  src/programs/pkexec.c  | 23 ++++++++++++++++++++---
  22  2 files changed, 25 insertions(+), 3 deletions(-)
  23
  24 diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
  25 index f1bb4e1..768525c 100644
  26 --- a/src/programs/pkcheck.c
  27 +++ b/src/programs/pkcheck.c
  28 @@ -363,6 +363,11 @@ main (int argc, char *argv[])
  29    local_agent_handle = NULL;
  30    ret = 126;
  31
  32 +  if (argc < 1)
  33 +    {
  34 +      exit(126);
  35 +    }
  36 +
  37    /* Disable remote file access from GIO. */
  38    setenv ("GIO_USE_VFS", "local", 1);
  39
  40 diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
  41 index 7698c5c..84e5ef6 100644
  42 --- a/src/programs/pkexec.c
  43 +++ b/src/programs/pkexec.c
  44 @@ -488,6 +488,15 @@ main (int argc, char *argv[])
  45    pid_t pid_of_caller;
  46    gpointer local_agent_handle;
  47
  48 +
  49 +  /*
  50 +   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
  51 +   */
  52 +  if (argc<1)
  53 +    {
  54 +      exit(127);
  55 +    }
  56 +
  57    ret = 127;
  58    authority = NULL;
  59    subject = NULL;
  60 @@ -614,10 +623,10 @@ main (int argc, char *argv[])
  61
  62        path = g_strdup (pwstruct.pw_shell);
  63        if (!path)
  64 -       {
  65 +        {
  66            g_printerr ("No shell configured or error retrieving pw_shell\n");
  67            goto out;
  68 -       }
  69 +        }
  70        /* If you change this, be sure to change the if (!command_line)
  71          case below too */
  72        command_line = g_strdup (path);
  73 @@ -636,7 +645,15 @@ main (int argc, char *argv[])
  74            goto out;
  75          }
  76        g_free (path);
  77 -      argv[n] = path = s;
  78 +      path = s;
  79 +
  80 +      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
  81 +       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
  82 +       */
  83 +      if (argv[n] != NULL)
  84 +      {
  85 +        argv[n] = path;
  86 +      }
  87      }
  88    if (access (path, F_OK) != 0)
  89      {
  90 --
  91 GitLab
  92