meta-openembedded/meta-oe/recipes-extended/polkit/polkit/0001-pkexec-local-privilege-escalation-CVE-2021-4034.patch - openbmc/openbmc - Gitiles

 From 85c2dd9275cdfb369f613089f22733c0f1ba2aec Mon Sep 17 00:00:00 2001
 From: Jan Rybar <jrybar@redhat.com>
 Date: Tue, 25 Jan 2022 17:21:46 +0000
 Subject: [PATCH 1/3] pkexec: local privilege escalation (CVE-2021-4034)

 Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>

 ---
  src/programs/pkcheck.c |  5 +++++
  src/programs/pkexec.c  | 23 ++++++++++++++++++++---
  2 files changed, 25 insertions(+), 3 deletions(-)

 CVE: CVE-2021-4034
 Upstream-Status: Backport [a2bf5c9c83b6ae46cbd5c779d3055bff81ded683]

 diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
 index f1bb4e1..768525c 100644
 --- a/src/programs/pkcheck.c
 +++ b/src/programs/pkcheck.c
 @@ -363,6 +363,11 @@ main (int argc, char *argv[])
    local_agent_handle = NULL;
    ret = 126;

 +  if (argc < 1)
 +    {
 +      exit(126);
 +    }
 +
    /* Disable remote file access from GIO. */
    setenv ("GIO_USE_VFS", "local", 1);

 diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
 index 7698c5c..84e5ef6 100644
 --- a/src/programs/pkexec.c
 +++ b/src/programs/pkexec.c
 @@ -488,6 +488,15 @@ main (int argc, char *argv[])
    pid_t pid_of_caller;
    gpointer local_agent_handle;

 +
 +  /*
 +   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
 +   */
 +  if (argc<1)
 +    {
 +      exit(127);
 +    }
 +
    ret = 127;
    authority = NULL;
    subject = NULL;
 @@ -614,10 +623,10 @@ main (int argc, char *argv[])

        path = g_strdup (pwstruct.pw_shell);
        if (!path)
 -	{
 +        {
            g_printerr ("No shell configured or error retrieving pw_shell\n");
            goto out;
 -	}
 +        }
        /* If you change this, be sure to change the if (!command_line)
  	 case below too */
        command_line = g_strdup (path);
 @@ -636,7 +645,15 @@ main (int argc, char *argv[])
            goto out;
          }
        g_free (path);
 -      argv[n] = path = s;
 +      path = s;
 +
 +      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
 +       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
 +       */
 +      if (argv[n] != NULL)
 +      {
 +        argv[n] = path;
 +      }
      }
    if (access (path, F_OK) != 0)
      {
 --
 2.20.1
	From 85c2dd9275cdfb369f613089f22733c0f1ba2aec Mon Sep 17 00:00:00 2001
	From: Jan Rybar <jrybar@redhat.com>
	Date: Tue, 25 Jan 2022 17:21:46 +0000
	Subject: [PATCH 1/3] pkexec: local privilege escalation (CVE-2021-4034)

	Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>

	---
	src/programs/pkcheck.c \| 5 +++++
	src/programs/pkexec.c \| 23 ++++++++++++++++++++---
	2 files changed, 25 insertions(+), 3 deletions(-)

	CVE: CVE-2021-4034
	Upstream-Status: Backport [a2bf5c9c83b6ae46cbd5c779d3055bff81ded683]

	diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
	index f1bb4e1..768525c 100644
	--- a/src/programs/pkcheck.c
	+++ b/src/programs/pkcheck.c
	@@ -363,6 +363,11 @@ main (int argc, char *argv[])
	local_agent_handle = NULL;
	ret = 126;

	+ if (argc < 1)
	+ {
	+ exit(126);
	+ }
	+
	/* Disable remote file access from GIO. */
	setenv ("GIO_USE_VFS", "local", 1);

	diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
	index 7698c5c..84e5ef6 100644
	--- a/src/programs/pkexec.c
	+++ b/src/programs/pkexec.c
	@@ -488,6 +488,15 @@ main (int argc, char *argv[])
	pid_t pid_of_caller;
	gpointer local_agent_handle;

	+
	+ /*
	+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
	+ */
	+ if (argc<1)
	+ {
	+ exit(127);
	+ }
	+
	ret = 127;
	authority = NULL;
	subject = NULL;
	@@ -614,10 +623,10 @@ main (int argc, char *argv[])

	path = g_strdup (pwstruct.pw_shell);
	if (!path)
	- {
	+ {
	g_printerr ("No shell configured or error retrieving pw_shell\n");
	goto out;
	- }
	+ }
	/* If you change this, be sure to change the if (!command_line)
	case below too */
	command_line = g_strdup (path);
	@@ -636,7 +645,15 @@ main (int argc, char *argv[])
	goto out;
	}
	g_free (path);
	- argv[n] = path = s;
	+ path = s;
	+
	+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
	+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
	+ */
	+ if (argv[n] != NULL)
	+ {
	+ argv[n] = path;
	+ }
	}
	if (access (path, F_OK) != 0)
	{
	--
	2.20.1