From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-auth/polkit/, sys-auth/polkit/files/
Date: Wed, 26 Jan 2022 00:51:25 +0000 (UTC)	[thread overview]
Message-ID: <1643158260.77e50819c7c7c22dee5ee6b2e7538b3cfff789af.sam@gentoo> (raw)

commit:     77e50819c7c7c22dee5ee6b2e7538b3cfff789af
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Jan 26 00:50:34 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jan 26 00:51:00 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77e50819

sys-auth/polkit: backport CVE-2021-3560, CVE-2021-4043 patches to 0.117

Needed for non-Rust arches like sparc.

(Most users are on 0.120, where these issues were already fixed in previous commits.)

Bug: https://bugs.gentoo.org/794052
Bug: https://bugs.gentoo.org/832057
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../polkit/files/polkit-0.117-CVE-2021-3560.patch  |  29 +++++
 sys-auth/polkit/polkit-0.117-r3.ebuild             | 136 +++++++++++++++++++++
 2 files changed, 165 insertions(+)

diff --git a/sys-auth/polkit/files/polkit-0.117-CVE-2021-3560.patch b/sys-auth/polkit/files/polkit-0.117-CVE-2021-3560.patch
new file mode 100644
index 000000000000..9c3ce20cf574
--- /dev/null
+++ b/sys-auth/polkit/files/polkit-0.117-CVE-2021-3560.patch
@@ -0,0 +1,29 @@
+https://bugs.gentoo.org/794052
+
+From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Wed, 2 Jun 2021 15:43:38 +0200
+Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit
+
+initial values returned if error caught
+---
+ src/polkit/polkitsystembusname.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8daa12c..8ed1363 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+   while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+     g_main_context_iteration (tmp_context, TRUE);
+ 
++  if (data.caught_error)
++    goto out;
++
+   if (out_uid)
+     *out_uid = data.uid;
+   if (out_pid)
+-- 
+GitLab
+
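Review bot: The added `goto out` bails out before `*out_uid` / `*out_pid` are written when the credential lookup loop ended with `caught_error`, but the `out:` label and the function's return value are outside the hunk, so the backport should be checked against the 0.117 source to confirm that this early exit still makes `polkit_system_bus_name_get_creds_sync` report failure rather than success with untouched outputs. The upstream subject line says the initial values were previously returned on error; a one-line comment at the new check, `/* CVE-2021-3560: do not hand back the initial uid/pid when the lookup failed */`, would record why the bail-out exists for whoever next rebases this. The patch file carries only the upstream commit hash in its `From` line; adding the upstream commit URL next to the bug link at the top would make provenance easy to verify.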

diff --git a/sys-auth/polkit/polkit-0.117-r3.ebuild b/sys-auth/polkit/polkit-0.117-r3.ebuild
new file mode 100644
index 000000000000..6dab5cf577c0
--- /dev/null
+++ b/sys-auth/polkit/polkit-0.117-r3.ebuild
@@ -0,0 +1,136 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools pam pax-utils systemd xdg-utils
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide services"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit"
+SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz"
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE="elogind examples gtk +introspection kde nls pam selinux systemd test"
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="^^ ( elogind systemd )"
+
+BDEPEND="
+	acct-user/polkitd
+	app-text/docbook-xml-dtd:4.1.2
+	app-text/docbook-xsl-stylesheets
+	dev-libs/glib
+	dev-libs/gobject-introspection-common
+	dev-libs/libxslt
+	dev-util/glib-utils
+	dev-util/gtk-doc-am
+	dev-util/intltool
+	sys-devel/gettext
+	virtual/pkgconfig
+	introspection? ( dev-libs/gobject-introspection )
+"
+DEPEND="
+	dev-lang/spidermonkey:68[-debug]
+	dev-libs/glib:2
+	dev-libs/expat
+	elogind? ( sys-auth/elogind )
+	pam? (
+		sys-auth/pambase
+		sys-libs/pam
+	)
+	!pam? ( virtual/libcrypt:= )
+	systemd? ( sys-apps/systemd:0=[policykit] )
+"
+RDEPEND="${DEPEND}
+	acct-user/polkitd
+	selinux? ( sec-policy/selinux-policykit )
+"
+PDEPEND="
+	gtk? ( || (
+		>=gnome-extra/polkit-gnome-0.105
+		>=lxde-base/lxsession-0.5.2
+	) )
+	kde? ( kde-plasma/polkit-kde-agent )
+"
+
+DOCS=( docs/TODO HACKING NEWS README )
+
+PATCHES=(
+	# bug 660880
+	"${FILESDIR}"/polkit-0.115-elogind.patch
+
+	"${FILESDIR}"/polkit-0.117-CVE-2021-3560.patch
+	"${FILESDIR}"/polkit-0.120-CVE-2021-4043.patch
+)
+
+QA_MULTILIB_PATHS="
+	usr/lib/polkit-1/polkit-agent-helper-1
+	usr/lib/polkit-1/polkitd"
+
+src_prepare() {
+	default
+
+	sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513
+
+	# Workaround upstream hack around standard gtk-doc behavior, bug #552170
+	sed -i -e 's/@ENABLE_GTK_DOC_TRUE@\(TARGET_DIR\)/\1/' \
+		-e '/install-data-local:/,/uninstall-local:/ s/@ENABLE_GTK_DOC_TRUE@//' \
+		-e 's/@ENABLE_GTK_DOC_FALSE@install-data-local://' \
+		docs/polkit/Makefile.in || die
+
+	# disable broken test - bug #624022
+	sed -i -e "/^SUBDIRS/s/polkitbackend//" test/Makefile.am || die
+
+	# Fix cross-building, bug #590764, elogind patch, bug #598615
+	eautoreconf
+}
+
+src_configure() {
+	xdg_environment_reset
+
+	local myeconfargs=(
+		--localstatedir="${EPREFIX}"/var
+		--disable-static
+		--enable-man-pages
+		--disable-gtk-doc
+		--disable-examples
+		$(use_enable elogind libelogind)
+		$(use_enable introspection)
+		$(use_enable nls)
+		$(usex pam "--with-pam-module-dir=$(getpam_mod_dir)" '')
+		--with-authfw=$(usex pam pam shadow)
+		$(use_enable systemd libsystemd-login)
+		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
+		$(use_enable test)
+		--with-os-type=gentoo
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_compile() {
+	default
+
+	# Required for polkitd on hardened/PaX due to spidermonkey's JIT
+	pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest
+}
+
+src_install() {
+	default
+
+	if use examples; then
+		docinto examples
+		dodoc src/examples/{*.c,*.policy*}
+	fi
+
+	diropts -m 0700 -o polkitd
+	keepdir /usr/share/polkit-1/rules.d
+
+	find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+	chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+	chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+}
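Review bot: The `chmod 0700` and `chown polkitd` calls in `pkg_postinst` (the last four lines of the hunk) have no error handling, so if either fails the rules.d directories — presumably where polkitd reads its authorization rules — are silently left with whatever ownership and mode the install gave them. Since `die` is not appropriate in a post-install phase, consider at least surfacing the failure, e.g. `chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d || ewarn "failed to restrict polkit-1/rules.d to 0700"` and the same for the `chown`. The `sed` in `src_prepare` that rewrites `unix-group:wheel` to `unix-user:0` in the default rules changes who counts as an administrator and is documented only as `#401513`; a fuller comment such as `# Bug #401513: treat only uid 0 as admin by default, not every member of wheel` would make that policy decision visible. The second entry in `PATCHES`, `polkit-0.120-CVE-2021-4043.patch`, is not part of this commit, so whether its content matches the identifier in the filename, the commit message and bug 832057 cannot be checked here; worth confirming since advisories and audit tooling key on that string.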

