me/guix
Archived
1
0
Fork 0
Code Activity

gnu: polkit: Update to 121.

Browse source 
* gnu/packages/polkit.scm (polkit-mozjs): Update to 121.
[source](patches): Remove.
[source](snippet): Adjust for build system changes.
[build-system]: Change to MESON-BUILD-SYSTEM.
[inputs]: Replace MOZJS-78 with MOZJS-91.
[native-inputs]: Add GETTEXT-MINIMAL and LIBXML2.
[arguments]: Remove #:phases.  Adjust #:configure-flags for build system
changes.  Use G-expression.
(polkit-duktape)[source]: Remove.
[arguments]: Adjust for build build system changes.
* gnu/packages/patches/polkit-CVE-2021-4034.patch,
gnu/packages/patches/polkit-configure-elogind.patch,
gnu/packages/patches/polkit-use-duktape.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
This commit is contained in:
Marius Bakke 2022-08-25 12:59:42 +02:00
parent 5ddc99da69
commit 290ac5cd1e
No known key found for this signature in database
GPG key ID: A2A06DF2A33A54FA
5 changed files with 36 additions and 5204 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
gnu/local.mk
View file

@ -1650,9 +1650,6 @@ dist_patch_DATA = \
%D%/packages/patches/plib-CVE-2011-4620.patch \ %D%/packages/patches/plib-CVE-2011-4620.patch \
%D%/packages/patches/plib-CVE-2012-4552.patch \ %D%/packages/patches/plib-CVE-2012-4552.patch \
%D%/packages/patches/plotutils-spline-test.patch \ %D%/packages/patches/plotutils-spline-test.patch \
%D%/packages/patches/polkit-CVE-2021-4034.patch \
%D%/packages/patches/polkit-configure-elogind.patch \
%D%/packages/patches/polkit-use-duktape.patch \
%D%/packages/patches/portaudio-audacity-compat.patch \ %D%/packages/patches/portaudio-audacity-compat.patch \
%D%/packages/patches/portmidi-modular-build.patch \ %D%/packages/patches/portmidi-modular-build.patch \
%D%/packages/patches/postgresql-disable-resolve_symlinks.patch \ %D%/packages/patches/postgresql-disable-resolve_symlinks.patch \

82
gnu/packages/patches/polkit-CVE-2021-4034.patch
View file

@ -1,82 +0,0 @@
Fixes CVE-2021-4034, local privilege escalation with 'pkexec':
https://www.openwall.com/lists/oss-security/2022/01/25/11
Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683>.
From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Tue, 25 Jan 2022 17:21:46 +0000
Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
---
src/programs/pkcheck.c | 5 +++++
src/programs/pkexec.c | 23 ++++++++++++++++++++---
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index f1bb4e1..768525c 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ exit(126);
+ }
+
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 7698c5c..84e5ef6 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
+ */
+ if (argc<1)
+ {
+ exit(127);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
path = g_strdup (pwstruct.pw_shell);
if (!path)
- {
+ {
g_printerr ("No shell configured or error retrieving pw_shell\n");
goto out;
- }
+ }
/* If you change this, be sure to change the if (!command_line)
case below too */
command_line = g_strdup (path);
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{

15
gnu/packages/patches/polkit-configure-elogind.patch
View file

@ -1,15 +0,0 @@
Even when the polkit configure script detects elogind, it does not use
it. This patch ensures that elogind is used when it is detected.
diff -ruN a/configure b/configure
--- a/configure 1969-12-31 19:00:01.000000000 -0500
+++ b/configure 2021-11-19 00:04:55.581385020 -0500
@@ -20390,7 +20390,7 @@
- if test "$have_libsystemd" = "yes"; then
+ if test "$have_libsystemd" = "yes" || test "$have_libelogind" = "yes"; then
HAVE_LIBSYSTEMD_TRUE=
HAVE_LIBSYSTEMD_FALSE='#'
else

5030
gnu/packages/patches/polkit-use-duktape.patch
View file

File diff suppressed because it is too large Load diff

104
gnu/packages/polkit.scm
View file

@ -10,6 +10,7 @@
;;; Copyright © 2021 Morgan Smith <Morgan.J.Smith@outlook.com> ;;; Copyright © 2021 Morgan Smith <Morgan.J.Smith@outlook.com>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;; Copyright © 2022 Jean-Pierre De Jesus DIAZ <me@jeandudey.tech> ;;; Copyright © 2022 Jean-Pierre De Jesus DIAZ <me@jeandudey.tech>
;;; Copyright © 2022 Marius Bakke <marius@gnu.org>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -29,14 +30,16 @@
(define-module (gnu packages polkit) (define-module (gnu packages polkit)
#:use-module ((guix licenses) #:select (lgpl2.0+)) #:use-module ((guix licenses) #:select (lgpl2.0+))
#:use-module (guix packages) #:use-module (guix packages)
#:use-module (guix gexp)
#:use-module (guix download) #:use-module (guix download)
#:use-module (guix memoization) #:use-module (guix memoization)
#:use-module (guix utils) #:use-module (guix utils)
#:use-module (guix build utils) #:use-module (guix build utils)
#:use-module (guix build-system cmake) #:use-module (guix build-system cmake)
#:use-module (guix build-system gnu) #:use-module (guix build-system gnu)
#:use-module (guix build-system meson)
#:use-module (gnu packages) #:use-module (gnu packages)
#:use-module (gnu packages autotools) #:use-module (gnu packages gettext)
#:use-module (gnu packages freedesktop) #:use-module (gnu packages freedesktop)
#:use-module (gnu packages glib) #:use-module (gnu packages glib)
#:use-module (gnu packages gtk) #:use-module (gnu packages gtk)
@ -54,7 +57,7 @@
(define-public polkit-mozjs (define-public polkit-mozjs
(package (package
(name "polkit") (name "polkit")
(version "0.120") (version "121")
(source (origin (source (origin
(method url-fetch) (method url-fetch)
(uri (string-append (uri (string-append
@ -62,22 +65,15 @@
name "-" version ".tar.gz")) name "-" version ".tar.gz"))
(sha256 (sha256
(base32 (base32
"00zfg9b9ivkcj2jcf5b92cpvvyljz8cmfwj86lkvy5rihnd5jypf")) "1apz3bh7nbpmlp1cr00pb8z8wp0c7yb23ninb959jz3r38saxiwx"))
(patches (search-patches "polkit-configure-elogind.patch"
"polkit-CVE-2021-4034.patch"))
(modules '((guix build utils))) (modules '((guix build utils)))
(snippet (snippet
'(begin '(begin
(use-modules (guix build utils))
;; Disable broken test.
(substitute* "test/Makefile.in"
(("SUBDIRS = mocklibc . polkit polkitbackend")
"SUBDIRS = mocklibc . polkit"))
;; Disable a test that requires Python, D-Bus and a few ;; Disable a test that requires Python, D-Bus and a few
;; libraries and fails with "ERROR: timed out waiting for bus ;; libraries and fails with "ERROR: timed out waiting for bus
;; process to terminate". ;; process to terminate".
(substitute* "test/polkitbackend/Makefile.am" (substitute* "test/meson.build"
(("TEST_PROGS \\+= polkitbackendjsauthoritytest-wrapper.py") (("subdir\\('polkitbackend'\\)")
"")) ""))
;; Guix System's polkit ;; Guix System's polkit
;; service stores actions under /etc/polkit-1/actions. ;; service stores actions under /etc/polkit-1/actions.
@ -88,58 +84,39 @@
(substitute* "src/polkitagent/polkitagentsession.c" (substitute* "src/polkitagent/polkitagentsession.c"
(("PACKAGE_PREFIX \"/lib/polkit-1/polkit-agent-helper-1\"") (("PACKAGE_PREFIX \"/lib/polkit-1/polkit-agent-helper-1\"")
"\"/run/setuid-programs/polkit-agent-helper-1\"")))))) "\"/run/setuid-programs/polkit-agent-helper-1\""))))))
(build-system gnu-build-system) (build-system meson-build-system)
(inputs (inputs
(list expat linux-pam elogind mozjs-78 nspr)) (list elogind
expat
linux-pam
mozjs-91
nspr))
(propagated-inputs (propagated-inputs
(list glib)) ; required by polkit-gobject-1.pc (list glib)) ;required by polkit-gobject-1.pc
(native-inputs (native-inputs
(list pkg-config (list pkg-config
gettext-minimal
perl
`(,glib "bin") ;for glib-mkenums `(,glib "bin") ;for glib-mkenums
intltool
gobject-introspection gobject-introspection
libxml2 ;for man page generation
libxslt ;for man page generation libxslt ;for man page generation
docbook-xsl)) ;for man page generation docbook-xsl)) ;for man page generation
(arguments (arguments
`(#:configure-flags '("--sysconfdir=/etc" (list #:configure-flags
"--enable-man-pages" #~'("-Dman=true"
;; Prevent configure: error: cannot check for "-Dtests=true"
;; file existence when cross compiling. "-Djs_engine=mozjs"
,@(if (%current-target-system) ;; Work around broken gobject-introspection detection when
'("--with-os-type=unknown") ;; cross-compiling. The build system probes for the _target_
'())) ;; gobject-introspection, but if we change it to native, Meson
#:phases ;; fails with:
(modify-phases %standard-phases ;; ERROR: Pkg-config binary for machine MachineChoice.BUILD
(add-after ;; not found, giving up.
'unpack 'fix-introspection-install-dir ;; Just disable introspection for now.
(lambda* (#:key outputs #:allow-other-keys) #$@(if (%current-target-system)
(let ((out (assoc-ref outputs "out"))) '("-Dintrospection=false")
(substitute* (find-files "." "Makefile.in") '()))))
(("@INTROSPECTION_GIRDIR@")
(string-append out "/share/gir-1.0/"))
(("@INTROSPECTION_TYPELIBDIR@")
(string-append out "/lib/girepository-1.0/"))))))
(add-after 'unpack 'fix-manpage-generation
(lambda* (#:key inputs native-inputs #:allow-other-keys)
(let ((xsldoc (string-append
(assoc-ref (or native-inputs inputs) "docbook-xsl")
"/xml/xsl/docbook-xsl-"
,(package-version docbook-xsl))))
(substitute* '("docs/man/Makefile.am" "docs/man/Makefile.in")
(("http://docbook.sourceforge.net/release/xsl/current")
xsldoc)))))
(replace
'install
(lambda* (#:key outputs (make-flags '()) #:allow-other-keys)
;; Override sysconfdir during "make install", to avoid attempting
;; to install in /etc, and to instead install the skeletons in the
;; output directory.
(let ((out (assoc-ref outputs "out")))
(apply invoke "make" "install"
(string-append "sysconfdir=" out "/etc")
(string-append "polkit_actiondir="
out "/share/polkit-1/actions")
make-flags)))))))
(home-page "https://www.freedesktop.org/wiki/Software/polkit/") (home-page "https://www.freedesktop.org/wiki/Software/polkit/")
(synopsis "Authorization API for privilege management") (synopsis "Authorization API for privilege management")
(description "Polkit is an application-level toolkit for defining and (description "Polkit is an application-level toolkit for defining and
@ -155,25 +132,10 @@ for unprivileged applications.")
(let ((base polkit-mozjs)) (let ((base polkit-mozjs))
(package/inherit base (package/inherit base
(name "polkit-duktape") (name "polkit-duktape")
(source
(origin
(inherit (package-source base))
(patches
(append
(search-patches "polkit-use-duktape.patch")
(origin-patches (package-source base))))))
(arguments (arguments
(substitute-keyword-arguments (package-arguments base) (substitute-keyword-arguments (package-arguments base)
((#:configure-flags flags) ((#:configure-flags flags)
`(cons "--with-duktape" ,flags)) #~(delete "-Djs_engine=mozjs" #$flags))))
((#:phases phases)
`(modify-phases ,phases
(add-after 'unpack 'force-gnu-build-system-bootstrap
(lambda _
(delete-file "configure")))))))
(native-inputs
(modify-inputs (package-native-inputs base)
(prepend autoconf automake libtool)))
(inputs (inputs
(modify-inputs (package-inputs base) (modify-inputs (package-inputs base)
(replace "mozjs" duktape)))))) (replace "mozjs" duktape))))))