-
Notifications
You must be signed in to change notification settings - Fork 714
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
ab9fca4
commit d5dafbd
Showing
2 changed files
with
81 additions
and
0 deletions.
There are no files selected for viewing
80 changes: 80 additions & 0 deletions
80
.../recipes-extended/polkit/files/0001-pkexec-local-privilege-escalation-CVE-2021-4034.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| From e3b240b89aa40d6b49e27a5137e7df534e7a9ec2 Mon Sep 17 00:00:00 2001 | ||
| From: Jan Rybar <[email protected]> | ||
| Date: Tue, 25 Jan 2022 17:21:46 +0000 | ||
| Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034) | ||
|
|
||
| (cherry picked from commit a2bf5c9c83b6ae46cbd5c779d3055bff81ded683) | ||
| --- | ||
| src/programs/pkcheck.c | 5 +++++ | ||
| src/programs/pkexec.c | 23 ++++++++++++++++++++--- | ||
| 2 files changed, 25 insertions(+), 3 deletions(-) | ||
|
|
||
| diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c | ||
| index f1bb4e1..768525c 100644 | ||
| --- a/src/programs/pkcheck.c | ||
| +++ b/src/programs/pkcheck.c | ||
| @@ -363,6 +363,11 @@ main (int argc, char *argv[]) | ||
| local_agent_handle = NULL; | ||
| ret = 126; | ||
|
|
||
| + if (argc < 1) | ||
| + { | ||
| + exit(126); | ||
| + } | ||
| + | ||
| /* Disable remote file access from GIO. */ | ||
| setenv ("GIO_USE_VFS", "local", 1); | ||
|
|
||
| diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c | ||
| index 7698c5c..84e5ef6 100644 | ||
| --- a/src/programs/pkexec.c | ||
| +++ b/src/programs/pkexec.c | ||
| @@ -488,6 +488,15 @@ main (int argc, char *argv[]) | ||
| pid_t pid_of_caller; | ||
| gpointer local_agent_handle; | ||
|
|
||
| + | ||
| + /* | ||
| + * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out. | ||
| + */ | ||
| + if (argc<1) | ||
| + { | ||
| + exit(127); | ||
| + } | ||
| + | ||
| ret = 127; | ||
| authority = NULL; | ||
| subject = NULL; | ||
| @@ -614,10 +623,10 @@ main (int argc, char *argv[]) | ||
|
|
||
| path = g_strdup (pwstruct.pw_shell); | ||
| if (!path) | ||
| - { | ||
| + { | ||
| g_printerr ("No shell configured or error retrieving pw_shell\n"); | ||
| goto out; | ||
| - } | ||
| + } | ||
| /* If you change this, be sure to change the if (!command_line) | ||
| case below too */ | ||
| command_line = g_strdup (path); | ||
| @@ -636,7 +645,15 @@ main (int argc, char *argv[]) | ||
| goto out; | ||
| } | ||
| g_free (path); | ||
| - argv[n] = path = s; | ||
| + path = s; | ||
| + | ||
| + /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. | ||
| + * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination | ||
| + */ | ||
| + if (argv[n] != NULL) | ||
| + { | ||
| + argv[n] = path; | ||
| + } | ||
| } | ||
| if (access (path, F_OK) != 0) | ||
| { | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters