mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-17 18:06:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1588 from flatcar-linux/tormath1/polkit

Browse Source 
sys-auth/polkit: sync with `::gentoo`
This commit is contained in:
Mathieu Tortuyaux 2022-01-27 18:12:17 +01:00 committed by GitHub
commit 2e32298748
10 changed files with 5899 additions and 1674 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sdk_container/src/third_party/coreos-overlay/changelog/security/2022-01-27-polkit.md vendored Normal file
View File

@ -0,0 +1 @@
- polkit ([CVE-2021-4034](https://nvd.nist.gov/vuln/detail/CVE-2021-4034))

1
sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-01-27-polkit.md vendored Normal file
View File

@ -0,0 +1 @@
- polkit ([0.120](https://gitlab.freedesktop.org/polkit/polkit/-/blob/0.120/NEWS))

2
sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/Manifest vendored
View File

@ -1 +1 @@
DIST polkit-0.119.tar.gz 1387409 BLAKE2B aeb605598393d1cab40f7c77954008a0392600584c5fe8cc9acaa0e122418ee48b9cce0b6839189ea415277ff0ae4dbd5b7c71cb910aa349dcaf7e1f3f70ef06 SHA512 0260fb15da1c4c1f429e8223260981e64e297f1be8ced42f6910f09ea6581b8205aca06c9c601eb4a128acba2f468de0223118f96862ba769f95721894cf1578
DIST polkit-0.120.tar.gz 1626659 BLAKE2B 745727445b4946d44b8ea470d21ac131ca7706e83f5dbaf85cf3541ac60a1bbe23b3bf3172a62d9256ebb3dae02d2b2d476e3e0f7fe79a80c47864a120e62ed9 SHA512 db072769439d5e17d0eed681e7b94251b77828c1474b40fe40b94293903a64333e7fa17515a3270648691f04a1374d8b404405ead6abf292a8eb8483164adc46

1596
sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/35_WIP_Add_duktape_as_javascript_engine.patch vendored
View File

File diff suppressed because it is too large Load Diff

5744
sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/97_Add_duktape_as_javascript_engine.patch vendored Normal file
View File

File diff suppressed because it is too large Load Diff

28
sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit-0.115-elogind.patch vendored
View File

@ -1,28 +0,0 @@
From 08bb656496cd3d6213bbe9473f63f2d4a110da6e Mon Sep 17 00:00:00 2001
From: Rasmus Thomsen <cogitri@exherbo.org>
Date: Wed, 11 Apr 2018 13:14:14 +0200
Subject: [PATCH] configure: fix elogind support
HAVE_LIBSYSTEMD is used to determine which source files to use.
We have to check if either have_libsystemd or have_libelogind is
true, as both of these need the source files which are used when
HAVE_LIBSYSTEMD is true.
---
configure.ac | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 36df239..da47ecb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -221,7 +221,7 @@ AS_IF([test "x$cross_compiling" != "xyes" ], [
AC_SUBST(LIBSYSTEMD_CFLAGS)
AC_SUBST(LIBSYSTEMD_LIBS)
-AM_CONDITIONAL(HAVE_LIBSYSTEMD, [test "$have_libsystemd" = "yes"], [Using libsystemd])
+AM_CONDITIONAL(HAVE_LIBSYSTEMD, [test "$have_libsystemd" = "yes" || test "$have_libelogind" = "yes" ], [Using libsystemd])
dnl ---------------------------------------------------------------------------
dnl - systemd unit / service files
--
2.17.0

72
sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit-0.120-CVE-2021-4034.patch vendored Normal file
View File

@ -0,0 +1,72 @@
https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
https://bugs.gentoo.org/832057
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch
From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Tue, 25 Jan 2022 17:21:46 +0000
Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -363,6 +363,11 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ exit(126);
+ }
+
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,15 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
+ */
+ if (argc<1)
+ {
+ exit(127);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -614,10 +623,10 @@ main (int argc, char *argv[])
path = g_strdup (pwstruct.pw_shell);
if (!path)
- {
+ {
g_printerr ("No shell configured or error retrieving pw_shell\n");
goto out;
- }
+ }
/* If you change this, be sure to change the if (!command_line)
case below too */
command_line = g_strdup (path);
@@ -636,7 +645,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{
GitLab

42
sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/files/polkit-0.120-meson.patch vendored Normal file
View File

@ -0,0 +1,42 @@
From e7f3d9e8341df64e2abc3910dafb1113a84bff07 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Mon, 25 Oct 2021 20:21:27 +0100
Subject: [PATCH] Don't pass positional parameters to i18n.merge_file
These were always ignored, and Meson 0.60.0 disallowed them.
Resolves: https://gitlab.freedesktop.org/polkit/polkit/-/issues/160
Reference: https://github.com/mesonbuild/meson/pull/9445
Signed-off-by: Simon McVittie <smcv@debian.org>
---
actions/meson.build | 1 -
src/examples/meson.build | 1 -
2 files changed, 2 deletions(-)
diff --git a/actions/meson.build b/actions/meson.build
index 2abaaf3..1e3f370 100644
--- a/actions/meson.build
+++ b/actions/meson.build
@@ -1,7 +1,6 @@
policy = 'org.freedesktop.policykit.policy'
i18n.merge_file(
- policy,
input: policy + '.in',
output: '@BASENAME@',
po_dir: po_dir,
diff --git a/src/examples/meson.build b/src/examples/meson.build
index c6305ab..8c18de5 100644
--- a/src/examples/meson.build
+++ b/src/examples/meson.build
@@ -1,7 +1,6 @@
policy = 'org.freedesktop.policykit.examples.pkexec.policy'
i18n.merge_file(
- policy,
input: policy + '.in',
output: '@BASENAME@',
po_dir: po_dir,
--
GitLab

2
sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/metadata.xml vendored
View File

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>freedesktop-bugs@gentoo.org</email>

85
sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.119-r2.ebuild → sdk_container/src/third_party/coreos-overlay/sys-auth/polkit/polkit-0.120-r2.ebuild vendored
View File

@ -1,10 +1,10 @@
# Copyright 1999-2021 Gentoo Authors
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
TMPFILES_OPTIONAL=1
inherit autotools pam pax-utils systemd xdg-utils tmpfiles
inherit meson pam pax-utils systemd xdg-utils tmpfiles
DESCRIPTION="Policy framework for controlling privileges for system-wide services"
HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit"
@ -13,10 +13,11 @@ SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz"
LICENSE="LGPL-2"
SLOT="0"
KEYWORDS="amd64 arm arm64 ~mips ppc64 ~riscv ~s390 x86"
IUSE="elogind examples gtk +introspection kde nls pam selinux systemd test"
RESTRICT="!test? ( test )"
REQUIRED_USE="^^ ( elogind systemd )"
IUSE="examples gtk +introspection kde pam selinux systemd test"
#RESTRICT="!test? ( test )"
# Tests currently don't work with meson. See
# https://gitlab.freedesktop.org/polkit/polkit/-/issues/144
RESTRICT="test"
BDEPEND="
acct-user/polkitd
@ -26,8 +27,6 @@ BDEPEND="
dev-libs/gobject-introspection-common
dev-libs/libxslt
dev-util/glib-utils
dev-util/gtk-doc-am
dev-util/intltool
sys-devel/gettext
virtual/pkgconfig
introspection? ( dev-libs/gobject-introspection )
@ -36,13 +35,13 @@ DEPEND="
dev-lang/duktape
dev-libs/glib:2
dev-libs/expat
elogind? ( sys-auth/elogind )
pam? (
sys-auth/pambase
sys-libs/pam
)
!pam? ( virtual/libcrypt:= )
systemd? ( sys-apps/systemd:0=[policykit] )
!systemd? ( sys-auth/elogind )
"
RDEPEND="${DEPEND}
acct-user/polkitd
@ -58,67 +57,52 @@ PDEPEND="
DOCS=( docs/TODO HACKING NEWS README )
PATCHES=(
"${FILESDIR}"/${PN}-0.115-elogind.patch # bug 660880
# from https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/35
"${FILESDIR}"/35_WIP_Add_duktape_as_javascript_engine.patch
)
QA_MULTILIB_PATHS="
usr/lib/polkit-1/polkit-agent-helper-1
usr/lib/polkit-1/polkitd"
src_prepare() {
local PATCHES=(
"${FILESDIR}/polkit-0.120-meson.patch"
"${FILESDIR}/polkit-0.120-CVE-2021-4034.patch"
# from https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/97
"${FILESDIR}/97_Add_duktape_as_javascript_engine.patch"
)
default
sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513
# Workaround upstream hack around standard gtk-doc behavior, bug #552170
sed -i -e 's/@ENABLE_GTK_DOC_TRUE@\(TARGET_DIR\)/\1/' \
-e '/install-data-local:/,/uninstall-local:/ s/@ENABLE_GTK_DOC_TRUE@//' \
-e 's/@ENABLE_GTK_DOC_FALSE@install-data-local://' \
docs/polkit/Makefile.in || die
# disable broken test - bug #624022
sed -i -e "/^SUBDIRS/s/polkitbackend//" test/Makefile.am || die
# Fix cross-building, bug #590764, elogind patch, bug #598615
eautoreconf
}
src_configure() {
xdg_environment_reset
local myeconfargs=(
local emesonargs=(
--localstatedir="${EPREFIX}"/var
--disable-static
--enable-man-pages
--disable-gtk-doc
--disable-examples
--with-duktape
$(use_enable elogind libelogind)
$(use_enable introspection)
$(use_enable nls)
$(usex pam "--with-pam-module-dir=$(getpam_mod_dir)" '')
--with-authfw=$(usex pam pam shadow)
$(use_enable systemd libsystemd-login)
--with-systemdsystemunitdir="$(systemd_get_systemunitdir)"
$(use_enable test)
--with-os-type=gentoo
-Dauthfw="$(usex pam pam shadow)"
-Dexamples=false
-Dgtk_doc=false
-Dman=true
-Dos_type=gentoo
-Dsession_tracking="$(usex systemd libsystemd-login libelogind)"
-Dsystemdsystemunitdir="$(systemd_get_systemunitdir)"
-Dwith-duktape=yes
$(meson_use introspection)
$(meson_use test tests)
$(usex pam "-Dpam_module_dir=$(getpam_mod_dir)" '')
)
econf "${myeconfargs[@]}"
meson_src_configure
}
src_compile() {
default
meson_src_compile
# Required for polkitd on hardened/PaX due to spidermonkey's JIT
pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest
}
src_install() {
default
meson_src_install
dodir /usr/share/polkit-1/rules.d
dodir /usr/lib/pam.d
@ -130,7 +114,7 @@ src_install() {
dotmpfiles "${FILESDIR}/polkit.conf"
if use examples; then
if use examples ; then
docinto examples
dodoc src/examples/{*.c,*.policy*}
fi
@ -138,5 +122,10 @@ src_install() {
diropts -m 0700 -o polkitd
keepdir /usr/share/polkit-1/rules.d
find "${ED}" -name '*.la' -delete || die
# meson does not install required files with SUID bit. See
# https://bugs.gentoo.org/816393
# Remove the following lines once this has been fixed by upstream
# (should be fixed in next release: https://gitlab.freedesktop.org/polkit/polkit/-/commit/4ff1abe4a4c1f8c8378b9eaddb0346ac6448abd8)
fperms u+s /usr/bin/pkexec
fperms u+s /usr/lib/polkit-1/polkit-agent-helper-1
}