diff options
author | V3n3RiX <venerix@koprulu.sector> | 2022-03-20 00:40:44 +0000 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2022-03-20 00:40:44 +0000 |
commit | 4cbcc855382a06088e2f016f62cafdbcb7e40665 (patch) | |
tree | 356496503d52354aa6d9f2d36126302fed5f3a73 /sys-auth/polkit/files | |
parent | fcc5224904648a8e6eb528d7603154160a20022f (diff) |
gentoo resync : 20.03.2022
Diffstat (limited to 'sys-auth/polkit/files')
-rw-r--r-- | sys-auth/polkit/files/polkit-0.118-make-netgroup-support-optional.patch | 228 | ||||
-rw-r--r-- | sys-auth/polkit/files/polkit-0.120-CVE-2021-4115.patch | 78 |
2 files changed, 306 insertions, 0 deletions
diff --git a/sys-auth/polkit/files/polkit-0.118-make-netgroup-support-optional.patch b/sys-auth/polkit/files/polkit-0.118-make-netgroup-support-optional.patch new file mode 100644 index 000000000000..b11250fd3992 --- /dev/null +++ b/sys-auth/polkit/files/polkit-0.118-make-netgroup-support-optional.patch @@ -0,0 +1,228 @@ +Pulled in from https://github.com/gentoo/musl/blob/master/sys-auth/polkit/files/polkit-0.118-make-netgroup-support-optional.patch. + +https://bugs.gentoo.org/833753 +https://bugs.gentoo.org/561672 +https://bugs.freedesktop.org/show_bug.cgi?id=50145 +https://gitlab.freedesktop.org/polkit/polkit/-/issues/14 + +Patch has been rebased a bit since but keeping original headers. + +From c7ad7cb3ca8fca32b9b64b0fc33867b98935b76b Mon Sep 17 00:00:00 2001 +From: "A. Wilcox" <AWilcox@Wilcox-Tech.com> +Date: Wed, 11 Jul 2018 04:54:26 -0500 +Subject: [PATCH] make netgroup support optional + +On at least Linux/musl and Linux/uclibc, netgroup support is not +available. PolKit fails to compile on these systems for that reason. + +This change makes netgroup support conditional on the presence of the +setnetgrent(3) function which is required for the support to work. If +that function is not available on the system, an error will be returned +to the administrator if unix-netgroup: is specified in configuration. + +Fixes bug 50145. + +Signed-off-by: A. Wilcox <AWilcox@Wilcox-Tech.com> +--- a/configure.ac ++++ b/configure.ac +@@ -100,7 +100,7 @@ AC_CHECK_LIB(expat,XML_ParserCreate,[EXPAT_LIBS="-lexpat"], + [AC_MSG_ERROR([Can't find expat library. Please install expat.])]) + AC_SUBST(EXPAT_LIBS) + +-AC_CHECK_FUNCS(clearenv fdatasync) ++AC_CHECK_FUNCS(clearenv fdatasync setnetgrent) + + if test "x$GCC" = "xyes"; then + LDFLAGS="-Wl,--as-needed $LDFLAGS" +--- a/src/polkit/polkitidentity.c ++++ b/src/polkit/polkitidentity.c +@@ -182,7 +182,15 @@ polkit_identity_from_string (const gchar *str, + } + else if (g_str_has_prefix (str, "unix-netgroup:")) + { ++#ifndef HAVE_SETNETGRENT ++ g_set_error (error, ++ POLKIT_ERROR, ++ POLKIT_ERROR_FAILED, ++ "Netgroups are not available on this machine ('%s')", ++ str); ++#else + identity = polkit_unix_netgroup_new (str + sizeof "unix-netgroup:" - 1); ++#endif + } + + if (identity == NULL && (error != NULL && *error == NULL)) +@@ -344,6 +352,14 @@ polkit_identity_new_for_gvariant (GVariant *variant, + GVariant *v; + const char *name; + ++#ifndef HAVE_SETNETGRENT ++ g_set_error (error, ++ POLKIT_ERROR, ++ POLKIT_ERROR_FAILED, ++ "Netgroups are not available on this machine"); ++ goto out; ++#else ++ + v = lookup_asv (details_gvariant, "name", G_VARIANT_TYPE_STRING, error); + if (v == NULL) + { +@@ -353,6 +369,7 @@ polkit_identity_new_for_gvariant (GVariant *variant, + name = g_variant_get_string (v, NULL); + ret = polkit_unix_netgroup_new (name); + g_variant_unref (v); ++#endif + } + else + { +--- a/src/polkit/polkitunixnetgroup.c ++++ b/src/polkit/polkitunixnetgroup.c +@@ -194,6 +194,9 @@ polkit_unix_netgroup_set_name (PolkitUnixNetgroup *group, + PolkitIdentity * + polkit_unix_netgroup_new (const gchar *name) + { ++#ifndef HAVE_SETNETGRENT ++ g_assert_not_reached(); ++#endif + g_return_val_if_fail (name != NULL, NULL); + return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_NETGROUP, + "name", name, +--- a/src/polkitbackend/polkitbackendinteractiveauthority.c ++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c +@@ -2233,25 +2233,26 @@ get_users_in_net_group (PolkitIdentity *group, + GList *ret; + + ret = NULL; ++#ifdef HAVE_SETNETGRENT + name = polkit_unix_netgroup_get_name (POLKIT_UNIX_NETGROUP (group)); + +-#ifdef HAVE_SETNETGRENT_RETURN ++# ifdef HAVE_SETNETGRENT_RETURN + if (setnetgrent (name) == 0) + { + g_warning ("Error looking up net group with name %s: %s", name, g_strerror (errno)); + goto out; + } +-#else ++# else + setnetgrent (name); +-#endif ++# endif /* HAVE_SETNETGRENT_RETURN */ + + for (;;) + { +-#if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) ++# if defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) + const char *hostname, *username, *domainname; +-#else ++# else + char *hostname, *username, *domainname; +-#endif ++# endif /* defined(HAVE_NETBSD) || defined(HAVE_OPENBSD) */ + PolkitIdentity *user; + GError *error = NULL; + +@@ -2282,6 +2283,7 @@ get_users_in_net_group (PolkitIdentity *group, + + out: + endnetgrent (); ++#endif /* HAVE_SETNETGRENT */ + return ret; + } + +--- a/src/polkitbackend/polkitbackendjsauthority.cpp ++++ b/src/polkitbackend/polkitbackendjsauthority.cpp +@@ -1519,6 +1519,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, + + JS::CallArgs args = JS::CallArgsFromVp (argc, vp); + ++#ifdef HAVE_SETNETGRENT + JS::RootedString usrstr (authority->priv->cx); + usrstr = args[0].toString(); + user = JS_EncodeStringToUTF8 (cx, usrstr); +@@ -1533,6 +1534,7 @@ js_polkit_user_is_in_netgroup (JSContext *cx, + { + is_in_netgroup = true; + } ++#endif + + ret = true; + +--- a/test/polkit/polkitidentitytest.c ++++ b/test/polkit/polkitidentitytest.c +@@ -19,6 +19,7 @@ + * Author: Nikki VonHollen <vonhollen@google.com> + */ + ++#include "config.h" + #include "glib.h" + #include <polkit/polkit.h> + #include <polkit/polkitprivate.h> +@@ -145,11 +146,15 @@ struct ComparisonTestData comparison_test_data [] = { + {"unix-group:root", "unix-group:jane", FALSE}, + {"unix-group:jane", "unix-group:jane", TRUE}, + ++#ifdef HAVE_SETNETGRENT + {"unix-netgroup:foo", "unix-netgroup:foo", TRUE}, + {"unix-netgroup:foo", "unix-netgroup:bar", FALSE}, ++#endif + + {"unix-user:root", "unix-group:root", FALSE}, ++#ifdef HAVE_SETNETGRENT + {"unix-user:jane", "unix-netgroup:foo", FALSE}, ++#endif + + {NULL}, + }; +@@ -181,11 +186,13 @@ main (int argc, char *argv[]) + g_test_add_data_func ("/PolkitIdentity/group_string_2", "unix-group:jane", test_string); + g_test_add_data_func ("/PolkitIdentity/group_string_3", "unix-group:users", test_string); + ++#ifdef HAVE_SETNETGRENT + g_test_add_data_func ("/PolkitIdentity/netgroup_string", "unix-netgroup:foo", test_string); ++ g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant); ++#endif + + g_test_add_data_func ("/PolkitIdentity/user_gvariant", "unix-user:root", test_gvariant); + g_test_add_data_func ("/PolkitIdentity/group_gvariant", "unix-group:root", test_gvariant); +- g_test_add_data_func ("/PolkitIdentity/netgroup_gvariant", "unix-netgroup:foo", test_gvariant); + + add_comparison_tests (); + +--- a/test/polkit/polkitunixnetgrouptest.c ++++ b/test/polkit/polkitunixnetgrouptest.c +@@ -19,6 +19,7 @@ + * Author: Nikki VonHollen <vonhollen@google.com> + */ + ++#include "config.h" + #include "glib.h" + #include <polkit/polkit.h> + #include <string.h> +@@ -69,7 +70,9 @@ int + main (int argc, char *argv[]) + { + g_test_init (&argc, &argv, NULL); ++#ifdef HAVE_SETNETGRENT + g_test_add_func ("/PolkitUnixNetgroup/new", test_new); + g_test_add_func ("/PolkitUnixNetgroup/set_name", test_set_name); ++#endif + return g_test_run (); + } +--- a/test/polkitbackend/test-polkitbackendjsauthority.c ++++ b/test/polkitbackend/test-polkitbackendjsauthority.c +@@ -137,12 +137,14 @@ test_get_admin_identities (void) + "unix-group:users" + } + }, ++#ifdef HAVE_SETNETGRENT + { + "net.company.action3", + { + "unix-netgroup:foo" + } + }, ++#endif + }; + guint n; + diff --git a/sys-auth/polkit/files/polkit-0.120-CVE-2021-4115.patch b/sys-auth/polkit/files/polkit-0.120-CVE-2021-4115.patch new file mode 100644 index 000000000000..a82ce25cae03 --- /dev/null +++ b/sys-auth/polkit/files/polkit-0.120-CVE-2021-4115.patch @@ -0,0 +1,78 @@ +https://gitlab.freedesktop.org/polkit/polkit/-/commit/41cb093f554da8772362654a128a84dd8a5542a7 +https://gitlab.freedesktop.org/polkit/polkit/-/issues/141 +https://bugs.gentoo.org/833574 + +From: Jan Rybar <jrybar@redhat.com> +Date: Mon, 21 Feb 2022 08:29:05 +0000 +Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix + +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -62,6 +62,10 @@ enum + PROP_NAME, + }; + ++ ++guint8 dbus_call_respond_fails; // has to be global because of callback ++ ++ + static void subject_iface_init (PolkitSubjectIface *subject_iface); + + G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT, +@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src, + if (!v) + { + data->caught_error = TRUE; ++ dbus_call_respond_fails += 1; + } + else + { +@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + tmp_context = g_main_context_new (); + g_main_context_push_thread_default (tmp_context); + ++ dbus_call_respond_fails = 0; ++ + /* Do two async calls as it's basically as fast as one sync call. + */ + g_dbus_connection_call (connection, +@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + on_retrieved_unix_uid_pid, + &data); + +- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) +- g_main_context_iteration (tmp_context, TRUE); ++ while (TRUE) ++ { ++ /* If one dbus call returns error, we must wait until the other call ++ * calls _call_finish(), otherwise fd leak is possible. ++ * Resolves: GHSL-2021-077 ++ */ + +- if (data.caught_error) +- goto out; ++ if ( (dbus_call_respond_fails > 1) ) ++ { ++ // we got two faults, we can leave ++ goto out; ++ } ++ ++ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid))) ++ { ++ // we got one fault and the other call finally finished, we can leave ++ goto out; ++ } ++ ++ if ( !(data.retrieved_uid && data.retrieved_pid) ) ++ { ++ g_main_context_iteration (tmp_context, TRUE); ++ } ++ else ++ { ++ break; ++ } ++ } + + if (out_uid) + *out_uid = data.uid; +GitLab |