author | 2013-09-19 16:07:55 +0000 | |
---|---|---|
committer | 2013-09-19 16:07:55 +0000 | |
commit | 26a1707b6f31aaf164007da65ad1711a900d0b4f (patch) | |
tree | 81318e0153682518a16b19e8d59e123d053c0d2a /sys-auth | |
parent | gnu_andrew never wanted to be a proxied maintainer for this package and has a... (diff) | |
Bump for CVE-2013-4288
Package-Manager: portage-2.2.1/cvs/Linux x86_64
Manifest-Sign-Key: 0xD7DFA8D318FA9AEF!
Diffstat (limited to 'sys-auth')
-rw-r--r-- | sys-auth/polkit/ChangeLog | 8 | ||||
-rw-r--r-- | sys-auth/polkit/Manifest | 20 | ||||
-rw-r--r-- | sys-auth/polkit/files/polkit-0.110-CVE-2013-4288.patch | 113 | ||||
-rw-r--r-- | sys-auth/polkit/polkit-0.110-r1.ebuild | 108 |
4 files changed, 239 insertions, 10 deletions
diff --git a/sys-auth/polkit/ChangeLog b/sys-auth/polkit/ChangeLog
index 7afab09007f8..91ec967436e5 100644
--- a/sys-auth/polkit/ChangeLog
+++ b/sys-auth/polkit/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for sys-auth/polkit
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-auth/polkit/ChangeLog,v 1.147 2013/09/19 15:47:54 cardoe Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/polkit/ChangeLog,v 1.148 2013/09/19 16:07:41 cardoe Exp $
+
+*polkit-0.110-r1 (19 Sep 2013)
+
+ 19 Sep 2013; Doug Goldstein <cardoe@gentoo.org>
+ +files/polkit-0.110-CVE-2013-4288.patch, +polkit-0.110-r1.ebuild:
+ Bump for CVE-2013-4288
 *polkit-0.112 (19 Sep 2013)
diff --git a/sys-auth/polkit/Manifest b/sys-auth/polkit/Manifest
index ecd95bfa6244..33110a0520fa 100644
--- a/sys-auth/polkit/Manifest
+++ b/sys-auth/polkit/Manifest
@@ -1,25 +1,27 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 +AUX polkit-0.110-CVE-2013-4288.patch 5078 SHA256 a8c9ba12ff5b2bc330ac40b069b9648a073238688895282d1841fb1f0eb896d5 SHA512 d36b519b97697649cb253736c0ca7d7d526069afffa1592c280207c91b57fa6e942ce610808f28f29f37981a3459c6937d7679da0778c7c49ba8438fc1d03396 WHIRLPOOL 9bed36bdc4131a20afaca20a3de7bfed4faeba750444a77309dd0c4ab33264513fc0b5637b4eca199408512531eda06480f2c5f2ff5202a750781224d27fc478 AUX polkit-0.110-W_define.patch 810 SHA256 75a47bbf04e328a8622996d40128752c6951ce434c404cca87ad3838b848874b SHA512 e17cb4867c0d16c04e4d68dfb95eb58f27cf64e1b8c6b36fa24c876c78bee990bb07a08bb7c335e333797075911639b8c6049909e7948bc86fd07e1abce2be88 WHIRLPOOL 74610ba53eb185f3963fe6dfdddcb2eb4aaa4bf23057939dcfde0d4ada296c7f904a2d45e470a0f0cdae9919c6f51512ee45ea7cb623eb3367439abeac2cb538 DIST polkit-0.110.tar.gz 1390215 SHA256 8e5c5044bb968643b7fa379f287fb10582615df760ad2f1cb84be6e19fafe6e8 SHA512 f2630a84c21216edfc69f56092ba1b127b7765dcf4fe29a7f2f81d7163c11c643a931b215847a3fc6434c482cf12a48fef2f0e2c007d587c8bbb2fbca74eda67 WHIRLPOOL 1a4928733cdab6c9dfa186643959f15d395f6d6cba0a3790a9716282d331ceed3e962e58dc39ed2c40474238fc4d4c9e54662b20d0055059c512d42eed85631b DIST polkit-0.111.tar.gz 1396389 SHA256 02ae544547211b687818c97bcbf19bf6b8b5be7fda93000525a8765c7bed1ea1 SHA512 88eb1dfad25244020632f964219a382f7b7f7efc00cf563c66f9c6e6ef72af3c7198602be751aa8f0845b5b4f928d003e8041e1c92533beb9d00c38a7688b2d0 WHIRLPOOL dc3941e3de2767b766e4b984475485c743de113fe7b6fe1e6d89acff1a113bdb825366bc214a02aa07fdd148337ff11614a37ca450743910c4953979f99f4604 DIST polkit-0.112.tar.gz 1429240 SHA256 d695f43cba4748a822fbe864dd32c4887c5da1c71694a47693ace5e88fcf6af6 SHA512 e4ad1bd287b38e5650cb94b1897a959b2ceaa6c19b4478ba872eacb13b58758fd42f6ab1718976162d823d850cd5c99b3ccadf1b57d75dea7790101422029d5f WHIRLPOOL af5dd0a17b7356302b0319e80565d6ac916128dfc85b6e2711147f3de86651f11fe8d08f3d6067d7abd24e263be92403f9d8f46935ba93db571e386a603a038a +EBUILD 
polkit-0.110-r1.ebuild 2787 SHA256 570da29ce8c19b7138af17454cbb791d96cf172febc1974e621dcd42b8561675 SHA512 d7b6bb260b2cc9199f1cc030ef8fbd12c434ca5564344b8d9dcb6796568fdc619134fba9a726acda5e74e5761d3ce8f0dfb2d04911c6c236d5fc5e6ca5b9c7cd WHIRLPOOL 1975dd5da95940f0dd62fe3c98f72f29dd17e898095f510f55cfcef5a8ff8b3c395cc90f7b8129e59956a9778aee4f05bb75ae2c415bc2313b7c799d73071e1a EBUILD polkit-0.110.ebuild 3042 SHA256 77f25cf950072a856731546f040c41fdb6b4e5bf4a9da2aacfdeee8b85d68860 SHA512 8c1555692406becc97eae07b2feb55c63915fcbc91688b6d80527c64b44e58624c806ada9c06efddb96acefc5ce5ac8ecef220594716a942ad651a018aefc8fa WHIRLPOOL ad47215ffcee4ecdddf1d1a5a6a24941462e927f673202ef055c72afd3f5165e2011b853dbbec19e40546143ce23177ec139ed9fb796353fb9935a731b89da3a EBUILD polkit-0.111-r1.ebuild 2917 SHA256 b29aea770e9b3f2850c9b70a831cc32ce1f950d54a7f265faa3e05f62efabbba SHA512 bcb0410bb9c486a09bdfb2632144a19c4cf45ebc7ac5670f98d8707d1d007bff04c19448d7fa68b46b2eee436c8855d0dfb1b667dd8bff52d05d4e7c05902c2c WHIRLPOOL fc94c62614151ae5e06cc2326e97e47f6b01fb9c54e9b013c5d73db7f2cadaf978eb3bffd2ecde083c72fb3aadbcaa23e48f19aec9b986df7eadf82ed7a84f46 EBUILD polkit-0.112.ebuild 2911 SHA256 bf2208fd70501e509f2e16cec5fcc1dc6f09fdc3b07aa2f56b025e7daa83d2b6 SHA512 05ad14409df776b81d0c7b7244cf4338116c03a1a79df8489e344ad333f469f46043d1bacbf0b23207dfcb018731626ee693b7b626b3bac0450a554e6fcb5e65 WHIRLPOOL 91dd308cb05c8f8da5d8b7b2d0d81ad8ec4509b0b0e8ad4d55fe29199f5345e146cc06d1cc83dd60d73aa22a9a6083b440cb3866955b7ea3109f5129c8d3ca76 -MISC ChangeLog 20624 SHA256 13cb3a3c9433eef3bcc6bb0fbb252d6286ea6933c3773eb4c98466a7364f161f SHA512 95bb99de15036af6a7bfd4e0b8305d330aeeb2b702f098425e3ffc730bbd72d899a47f66468dc328849d338ea594456e29f530f15b9a02b92928c37098a5e26f WHIRLPOOL af42f50fa2ca1a77e7124b149c71a9d1429f607c35f3949ecf04180e0b8d50044340a6701050f82374cf291d1c7a1b8d467d2913c9fdae9be9601a1f7dbcadf1 +MISC ChangeLog 20800 SHA256 f8c1cafb1c6ce7eb8d34fc6145c9cdafa31ea039fe271e2a5d99b308f250f781 SHA512 
6138a7500bf25a8ae5dced90d17cedd33a136464fb3ed3bb66d2f9fd66b9e07841dc361b841fd9e8725044c2ee1f33ea5aee6b33e27cad265b2a0a25d74c0b5f WHIRLPOOL d892c81fc16554d142c7651559493da8e5df37d378a5ac33ef90b0e9370f790dc73690646139464482c7c5b87dcfbfbda94a5b3efe9aeb05df3447dc52c27817 MISC metadata.xml 516 SHA256 be8c8239fecd14fd1a9c1dee11ccb98b1188aceacf6ea58233a0f958ab648aba SHA512 293585c3b4c95b76af687f398645982d84d583e3cbf039a181c67c9710a899dad34cba9ff43f7be03a00d7552f42f0ac0a2a997c3ce7c9b80097a43f501001d4 WHIRLPOOL 4caf1316226570bec927b20957e420217a490c91013154b84f56fddf50cd5b525ccd0fd736a305ef5bc772cca734aadd8fec757238021b3e05046b503468e1a5 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (GNU/Linux) -iQF8BAEBCABmBQJSOxytXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w +iQF8BAEBCABmBQJSOyFXXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRDMDRGNEJFMDZEQTJGRUY3NkI4MEM3NTlE -N0RGQThEMzE4RkE5QUVGAAoJENffqNMY+prv2koIAJbvfdP3z5+iCC2CSnDMmvpT -NP3x+9AeciQd5e76IXz2RyJf31cUShfdpvIXvg1zpKUwvx7BB/0/8HSICkXmkq8u -AyZg1X/ddvuLX7pRml1xFAeA+38FIN7OuR5Yex98xlGE0EEbclVLTuzAK3VUOXb7 -K0wHmHTwEYKVYZqLyyH1TccW7HPWyGyxPWGyA1oDVM1fWSwXVCrCaoeqkZNHzFuv -bGh2TF1WCrAHsA0bjlT39Ec0WG6O27sDabrRgC7/VcRIG+pwm4ang/Z/5YhPjzvN -9HRx5dHa4wgfRw2JkhJSjOlbJm7BA38uQfO0UjKrOQBeY+ioIcN130qjUMRaNrc= -=zEB/ +N0RGQThEMzE4RkE5QUVGAAoJENffqNMY+prvwloH/3ktsKWkTVHRq9PG67zTVjNQ +QzVWL7i09xluXNGyfzUU+ztw9GcuRlWrdt7EW2UYukjS2el3rTdwCuJeREtuuPRo +2OVlOLg3s5c8/xAvT6nxRgrlHGKxuThCnxuGlGE17OPBrCYTry2sdAuATtXmP+nC +9jgVOdxFeNPRqpBmM4YlOFbejbvQKV2nPWt5A7k/8wmmzm55SHY4ilfdbkyWLLd4 +YerNmY2gbHKKT3AQ6bYoTy5+qvLc8cGJVgDf3im17II2pxkp7n12YXzhFQW4nyOT +NkgdmKnNl9bNXkZxy/8aEPKevB2DK61e/upIwVz4rOwLYnwjWZRmwUKo4kTEQC0= +=i+LT -----END PGP SIGNATURE----- diff --git a/sys-auth/polkit/files/polkit-0.110-CVE-2013-4288.patch b/sys-auth/polkit/files/polkit-0.110-CVE-2013-4288.patch new file mode 100644 index 000000000000..af2d7f276046 --- /dev/null +++ b/sys-auth/polkit/files/polkit-0.110-CVE-2013-4288.patch 
@@ -0,0 +1,113 @@
+commit c3502abf72c0c098adb40d7e362e94f93844a6b1
+Author: Colin Walters <walters@verbum.org>
+Date: Mon Aug 19 12:16:11 2013 -0400
+
+ pkcheck: Support --process=pid,start-time,uid syntax too
+
+ The uid is a new addition; this allows callers such as libvirt to
+ close a race condition in reading the uid of the process talking to
+ them. They can read it via getsockopt(SO_PEERCRED) or equivalent,
+ rather than having pkcheck look at /proc later after the fact.
+
+ Programs which invoke pkcheck but need to know beforehand (i.e. at
+ compile time) whether or not it supports passing the uid can
+ use:
+
+ pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
+ test x$pkcheck_supports_uid = xyes
+ (cherry picked from commit 3968411b0c7ba193f9b9276ec911692aec248608)
+
+ Conflicts:
+ src/programs/pkcheck.c
+
+diff --git a/data/polkit-gobject-1.pc.in b/data/polkit-gobject-1.pc.in
+index c39677d..5c4c620 100644
+--- a/data/polkit-gobject-1.pc.in
++++ b/data/polkit-gobject-1.pc.in
+@@ -11,3 +11,6 @@ Version: @VERSION@
+ Libs: -L${libdir} -lpolkit-gobject-1
+ Cflags: -I${includedir}/polkit-1
+ Requires: gio-2.0 >= 2.18 glib-2.0 >= 2.18
++# Programs using pkcheck can use this to determine
++# whether or not it can be passed a uid.
++pkcheck_supports_uid=true
+diff --git a/docs/man/pkcheck.xml b/docs/man/pkcheck.xml
+index fc54054..c856ca4 100644
+--- a/docs/man/pkcheck.xml
++++ b/docs/man/pkcheck.xml
+@@ -55,6 +55,9 @@
+ <arg choice="plain">
+ <replaceable>pid,pid-start-time</replaceable>
+ </arg>
++ <arg choice="plain">
++ <replaceable>pid,pid-start-time,uid</replaceable>
++ </arg>
+ </group>
+ </arg>
+ <arg choice="plain">
+@@ -90,7 +93,7 @@
+ <title>DESCRIPTION</title>
+ <para>
+ <command>pkcheck</command> is used to check whether a process, specified by
+- either <option>--process</option> or <option>--system-bus-name</option>,
++ either <option>--process</option> (see below) or <option>--system-bus-name</option>,
+ is authorized for <replaceable>action</replaceable>. The <option>--detail</option>
+ option can be used zero or more times to pass details about <replaceable>action</replaceable>.
+ If <option>--allow-user-interaction</option> is passed, <command>pkcheck</command> blocks
+@@ -160,15 +163,23 @@ KEY3=VALUE3
+ <refsect1 id="pkcheck-notes">
+ <title>NOTES</title>
+ <para>
+- Since process identifiers can be recycled, the caller should always use
+- <replaceable>pid,pid-start-time</replaceable> to specify the process
+- to check for authorization when using the <option>--process</option> option.
+- The value of <replaceable>pid-start-time</replaceable>
+- can be determined by consulting e.g. the
++ Do not use either the bare <replaceable>pid</replaceable> or
++ <replaceable>pid,start-time</replaceable> syntax forms for
++ <option>--process</option>. There are race conditions in both.
++ New code should always use
++ <replaceable>pid,pid-start-time,uid</replaceable>. The value of
++ <replaceable>start-time</replaceable> can be determined by
++ consulting e.g. the
+ <citerefentry><refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+- file system depending on the operating system. If only <replaceable>pid</replaceable>
+- is passed to the <option>--process</option> option, then <command>pkcheck</command>
+- will look up the start time itself but note that this may be racy.
++ file system depending on the operating system. If fewer than 3
++ arguments are passed, <command>pkcheck</command> will attempt to
++ look up them up internally, but note that this may be racy.
++ </para>
++ <para>
++ If your program is a daemon with e.g. a custom Unix domain
++ socket, you should determine the <replaceable>uid</replaceable>
++ parameter via operating system mechanisms such as
++ <literal>PEERCRED</literal>.
+ </para>
+ </refsect1>
+
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index 719a36c..057e926 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -372,6 +372,7 @@ main (int argc, char *argv[])
+ else if (g_strcmp0 (argv[n], "--process") == 0 || g_strcmp0 (argv[n], "-p") == 0)
+ {
+ gint pid;
++ guint uid;
+ guint64 pid_start_time;
+
+ n++;
+@@ -381,7 +382,11 @@ main (int argc, char *argv[])
+ goto out;
+ }
+
+- if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
++ if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u", &pid, &pid_start_time, &uid) == 3)
++ {
++ subject = polkit_unix_process_new_for_owner (pid, pid_start_time, uid);
++ }
++ else if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
+ {
+ subject = polkit_unix_process_new_full (pid, pid_start_time);
+ }
diff --git a/sys-auth/polkit/polkit-0.110-r1.ebuild b/sys-auth/polkit/polkit-0.110-r1.ebuild
new file mode 100644
index 000000000000..22cc715317de
--- /dev/null
+++ b/sys-auth/polkit/polkit-0.110-r1.ebuild
@@ -0,0 +1,108 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-auth/polkit/polkit-0.110-r1.ebuild,v 1.1 2013/09/19 16:07:41 cardoe Exp $
+
+EAPI=5
+inherit eutils multilib pam pax-utils systemd user
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide services"
+HOMEPAGE="http://www.freedesktop.org/wiki/Software/polkit"
+SRC_URI="http://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz"
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+IUSE="examples gtk +introspection kde nls pam selinux systemd"
+
+RDEPEND="=dev-lang/spidermonkey-1.8.5*[-debug]
+ >=dev-libs/glib-2.32
+ >=dev-libs/expat-2:=
+ introspection? ( >=dev-libs/gobject-introspection-1 )
+ pam? (
+ sys-auth/pambase
+ virtual/pam
+ )
+ selinux? ( sec-policy/selinux-policykit )
+ systemd? ( sys-apps/systemd )"
+DEPEND="${RDEPEND}
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/docbook-xsl-stylesheets
+ dev-libs/libxslt
+ dev-util/intltool
+ virtual/pkgconfig"
+PDEPEND="
+ gtk? ( || (
+ >=gnome-extra/polkit-gnome-0.105
+ lxde-base/lxpolkit
+ ) )
+ kde? ( sys-auth/polkit-kde-agent )
+ !systemd? ( sys-auth/consolekit[policykit] )"
+
+QA_MULTILIB_PATHS="
+ usr/lib/polkit-1/polkit-agent-helper-1
+ usr/lib/polkit-1/polkitd"
+
+pkg_setup() {
+ local u=polkitd
+ local g=polkitd
+ local h=/var/lib/polkit-1
+
+ enewgroup ${g}
+ enewuser ${u} -1 -1 ${h} ${g}
+ esethome ${u} ${h}
+}
+
+src_prepare() {
+ sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513
+
+ epatch "${FILESDIR}"/polkit-0.110-CVE-2013-4288.patch
+}
+
+src_configure() {
+ econf \
+ --localstatedir="${EPREFIX}"/var \
+ --disable-static \
+ --enable-man-pages \
+ --disable-gtk-doc \
+ $(use_enable systemd libsystemd-login) \
+ $(use_enable introspection) \
+ --disable-examples \
+ $(use_enable nls) \
+ --with-mozjs=mozjs185 \
+ "$(systemd_with_unitdir)" \
+ --with-authfw=$(usex pam pam shadow) \
+ $(use pam && echo --with-pam-module-dir="$(getpam_mod_dir)") \
+ --with-os-type=gentoo
+}
+
+src_compile() {
+ default
+
+ # Required for polkitd on hardened/PaX due to spidermonkey's JIT
+ local f='src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest'
+ local m='mr'
+ pax-mark ${m} ${f}
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ dodoc docs/TODO HACKING NEWS README
+
+ fowners -R polkitd:root /{etc,usr/share}/polkit-1/rules.d
+
+ diropts -m0700 -o polkitd -g polkitd
+ keepdir /var/lib/polkit-1
+
+ if use examples; then
+ insinto /usr/share/doc/${PF}/examples
+ doins src/examples/{*.c,*.policy*}
+ fi
+
+ prune_libtool_files
+}
+
+pkg_postinst() {
+ chown -R polkitd:root "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+ chown -R polkitd:polkitd "${EROOT}"/var/lib/polkit-1
+} |
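Review bot: `src_prepare()` applies the CVE-2013-4288 backport unconditionally, but that patch only adds an opt-in `pid,start-time,uid` syntax to pkcheck and (per the NOTES change it carries) keeps accepting the racy one- and two-field forms, so this revision by itself does not remediate the CVE for consumers that have not been updated to pass the uid. Since the ebuild already defines `pkg_postinst()`, it would be worth saying so to the administrator there, e.g. `ewarn "This revision only adds the pid,start-time,uid syntax to pkcheck;"` / `ewarn "programs still calling pkcheck with a bare pid or pid,start-time remain"` / `ewarn "exposed to CVE-2013-4288 until they are updated to pass the uid."`. Whether the in-tree pkcheck callers have already been bumped is not visible from this diff. Separately, `KEYWORDS` is entirely ~arch, so stable users only receive this fix after a stabilization pass — presumably intended for a revbump, but worth confirming against the security bug.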