diff options
author | 2023-02-01 05:29:53 +0000 | |
---|---|---|
committer | 2023-02-01 07:39:17 +0100 | |
commit | 45d1307faeb72d3fefce6446c314c4b0d0d3a98a (patch) | |
tree | 1b34931315f4be5579bd08f1ff4191ede08cec57 /source/l/polkit | |
parent | 6fa6b077d5cf04e14b46bc2c0520bea74a08986b (diff) | |
download | current-45d1307faeb72d3fefce6446c314c4b0d0d3a98a.tar.gz current-45d1307faeb72d3fefce6446c314c4b0d0d3a98a.tar.xz |
Wed Feb 1 05:29:53 UTC 202320230201052953
d/perl-5.36.0-x86_64-3.txz: Rebuilt.
Upgraded: IO-Socket-SSL-2.081, Moo-2.005005, Path-Tiny-0.144,
Sub-Quote-2.006008, Template-Toolkit-3.101, URI-5.17.
Added: JSON-4.10 (needed to build Samba with --bundled-libraries=heimdal).
kde/kstars-3.6.3-x86_64-1.txz: Upgraded.
l/gjs-1.74.1-x86_64-1.txz: Upgraded.
Compiled against mozjs102-102.7.0esr.
l/mozjs102-102.7.0esr-x86_64-1.txz: Added.
This is required by gjs-1.74.1 and polkit-122.
l/mozjs78-78.15.0esr-x86_64-1.txz: Removed.
l/polkit-122-x86_64-1.txz: Upgraded.
Compiled against mozjs102-102.7.0esr.
Diffstat (limited to 'source/l/polkit')
-rw-r--r-- | source/l/polkit/0001-configure-fix-elogind-support.patch | 29 | ||||
-rw-r--r-- | source/l/polkit/CVE-2021-4115.patch | 71 | ||||
-rw-r--r-- | source/l/polkit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch | 79 | ||||
-rw-r--r-- | source/l/polkit/doinst.sh | 4 | ||||
-rwxr-xr-x | source/l/polkit/polkit.SlackBuild | 89 |
5 files changed, 33 insertions, 239 deletions
diff --git a/source/l/polkit/0001-configure-fix-elogind-support.patch b/source/l/polkit/0001-configure-fix-elogind-support.patch deleted file mode 100644 index 4c40bd9b2..000000000 --- a/source/l/polkit/0001-configure-fix-elogind-support.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 08bb656496cd3d6213bbe9473f63f2d4a110da6e Mon Sep 17 00:00:00 2001 -From: Rasmus Thomsen <cogitri@exherbo.org> -Date: Wed, 11 Apr 2018 13:14:14 +0200 -Subject: [PATCH] configure: fix elogind support - -HAVE_LIBSYSTEMD is used to determine which source files to use. -We have to check if either have_libsystemd or have_libelogind is -true, as both of these need the source files which are used when -HAVE_LIBSYSTEMD is true. ---- - configure.ac | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 36df239..da47ecb 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -221,7 +221,7 @@ AS_IF([test "x$cross_compiling" != "xyes" ], [ - - AC_SUBST(LIBSYSTEMD_CFLAGS) - AC_SUBST(LIBSYSTEMD_LIBS) --AM_CONDITIONAL(HAVE_LIBSYSTEMD, [test "$have_libsystemd" = "yes"], [Using libsystemd]) -+AM_CONDITIONAL(HAVE_LIBSYSTEMD, [test "$have_libsystemd" = "yes" || test "$have_libelogind" = "yes" ], [Using libsystemd]) - - dnl --------------------------------------------------------------------------- - dnl - systemd unit / service files --- -2.17.0 - diff --git a/source/l/polkit/CVE-2021-4115.patch b/source/l/polkit/CVE-2021-4115.patch deleted file mode 100644 index 3cb55819c..000000000 --- a/source/l/polkit/CVE-2021-4115.patch +++ /dev/null @@ -1,71 +0,0 @@ -diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c -index 8ed1363..2fbf5f1 100644 ---- a/src/polkit/polkitsystembusname.c -+++ b/src/polkit/polkitsystembusname.c -@@ -62,6 +62,10 @@ enum - PROP_NAME, - }; - -+ -+guint8 dbus_call_respond_fails; // has to be global because of callback -+ -+ - static void subject_iface_init (PolkitSubjectIface *subject_iface); - - G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT, -@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src, - if (!v) - { - data->caught_error = TRUE; -+ dbus_call_respond_fails += 1; - } - else - { -@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus - tmp_context = g_main_context_new (); - g_main_context_push_thread_default (tmp_context); - -+ dbus_call_respond_fails = 0; -+ - /* Do two async calls as it's basically as fast as one sync call. - */ - g_dbus_connection_call (connection, -@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus - on_retrieved_unix_uid_pid, - &data); - -- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) -- g_main_context_iteration (tmp_context, TRUE); -+ while (TRUE) -+ { -+ /* If one dbus call returns error, we must wait until the other call -+ * calls _call_finish(), otherwise fd leak is possible. -+ * Resolves: GHSL-2021-077 -+ */ - -- if (data.caught_error) -- goto out; -+ if ( (dbus_call_respond_fails > 1) ) -+ { -+ // we got two faults, we can leave -+ goto out; -+ } -+ -+ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid))) -+ { -+ // we got one fault and the other call finally finished, we can leave -+ goto out; -+ } -+ -+ if ( !(data.retrieved_uid && data.retrieved_pid) ) -+ { -+ g_main_context_iteration (tmp_context, TRUE); -+ } -+ else -+ { -+ break; -+ } -+ } - - if (out_uid) - *out_uid = data.uid; diff --git a/source/l/polkit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch b/source/l/polkit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch deleted file mode 100644 index a06300a53..000000000 --- a/source/l/polkit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch +++ /dev/null @@ -1,79 +0,0 @@ -From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001 -From: Jan Rybar <jrybar@redhat.com> -Date: Tue, 25 Jan 2022 17:21:46 +0000 -Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034) - ---- - src/programs/pkcheck.c | 5 +++++ - src/programs/pkexec.c | 23 ++++++++++++++++++++--- - 2 files changed, 25 insertions(+), 3 deletions(-) - -diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c -index f1bb4e1..768525c 100644 ---- a/src/programs/pkcheck.c -+++ b/src/programs/pkcheck.c -@@ -363,6 +363,11 @@ main (int argc, char *argv[]) - local_agent_handle = NULL; - ret = 126; - -+ if (argc < 1) -+ { -+ exit(126); -+ } -+ - /* Disable remote file access from GIO. */ - setenv ("GIO_USE_VFS", "local", 1); - -diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c -index 7698c5c..84e5ef6 100644 ---- a/src/programs/pkexec.c -+++ b/src/programs/pkexec.c -@@ -488,6 +488,15 @@ main (int argc, char *argv[]) - pid_t pid_of_caller; - gpointer local_agent_handle; - -+ -+ /* -+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out. -+ */ -+ if (argc<1) -+ { -+ exit(127); -+ } -+ - ret = 127; - authority = NULL; - subject = NULL; -@@ -614,10 +623,10 @@ main (int argc, char *argv[]) - - path = g_strdup (pwstruct.pw_shell); - if (!path) -- { -+ { - g_printerr ("No shell configured or error retrieving pw_shell\n"); - goto out; -- } -+ } - /* If you change this, be sure to change the if (!command_line) - case below too */ - command_line = g_strdup (path); -@@ -636,7 +645,15 @@ main (int argc, char *argv[]) - goto out; - } - g_free (path); -- argv[n] = path = s; -+ path = s; -+ -+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. -+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination -+ */ -+ if (argv[n] != NULL) -+ { -+ argv[n] = path; -+ } - } - if (access (path, F_OK) != 0) - { --- -GitLab - diff --git a/source/l/polkit/doinst.sh b/source/l/polkit/doinst.sh index 3d81307e8..840abca13 100644 --- a/source/l/polkit/doinst.sh +++ b/source/l/polkit/doinst.sh @@ -10,9 +10,7 @@ config() { # Otherwise, we leave the .new copy for the admin to consider... } -if [ -r etc/pam.d/polkit-1.new ]; then - config etc/pam.d/polkit-1.new -fi +config etc/pam.d/polkit-1.new # Make sure the polkitd user and group exist: if ! grep -q "^polkitd:" etc/passwd ; then diff --git a/source/l/polkit/polkit.SlackBuild b/source/l/polkit/polkit.SlackBuild index 74949650b..47d0238c4 100755 --- a/source/l/polkit/polkit.SlackBuild +++ b/source/l/polkit/polkit.SlackBuild @@ -2,7 +2,7 @@ # Copyright 2009, 2011, 2015 Robby Workman, Northport, Alabama, USA # Copyright 2010 Eric Hameleers, Eindhoven, NL -# Copyright 2009, 2010, 2011, 2012, 2013, 2018, 2020 Patrick J. Volkerding, Sebeka, MN, USA +# Copyright 2009, 2010, 2011, 2012, 2013, 2018, 2020, 2023 Patrick J. Volkerding, Sebeka, MN, USA # All rights reserved. # Redistribution and use of this script, with or without modification, is @@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=polkit VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-3} +BUILD=${BUILD:-1} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then @@ -81,11 +81,6 @@ find . \ -exec chmod 644 {} \+ zcat $CWD/dont-set-wheel-group-as-admin.diff.gz | patch -p1 --verbose || exit 1 -zcat $CWD/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch.gz | patch -p1 --verbose || exit 1 -zcat $CWD/CVE-2021-4115.patch.gz | patch -p1 --verbose || exit 1 - -# https://gitlab.freedesktop.org/polkit/polkit/-/issues/29 -zcat $CWD/0001-configure-fix-elogind-support.patch.gz | patch -p1 || exit 1 # If we get here and don't have a polkitd user/group, add one. # Otherwise a few directories in the package will have wrong permissions. @@ -94,53 +89,36 @@ if ! grep -q "^polkitd:" /etc/passwd ; then useradd -c "PolicyKit daemon owner" -d /var/lib/polkit -u 87 -g polkitd -s /bin/false polkitd fi -# Choose correct options depending on whether PAM is installed: -if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then - PAM_OPTIONS="--with-authfw=pam --with-pam-module-dir=/lib${LIBDIRSUFFIX}/security" - unset SHADOW_OPTIONS -else - unset PAM_OPTIONS - SHADOW_OPTIONS="--with-authfw=shadow" -fi - -if [ ! -r configure ]; then - if [ -x ./autogen.sh ]; then - NOCONFIGURE=1 ./autogen.sh - else - autoreconf -vif - fi -fi - -LIBELOGIND_CFLAGS="$(pkg-config --cflags libelogind)" \ -LIBELOGIND_LIBS="$(pkg-config --libs libelogind)" \ -CFLAGS="$SLKCFLAGS" \ -CXXFLAGS="$SLKCFLAGS" \ -./configure \ +# Configure, build, and install: +export CFLAGS="$SLKCFLAGS" +export CXXFLAGS="$SLKCFLAGS" +mkdir meson-build +cd meson-build +meson setup \ --prefix=/usr \ - --libdir=/usr/lib${LIBDIRSUFFIX} \ + --libdir=lib${LIBDIRSUFFIX} \ + --libexecdir=/usr/libexec \ + --bindir=/usr/bin \ + --sbindir=/usr/sbin \ + --includedir=/usr/include \ + --datadir=/usr/share \ + --mandir=/usr/man \ --sysconfdir=/etc \ --localstatedir=/var \ - --docdir=/usr/doc/$PKGNAM-$VERSION \ - --enable-man-pages \ - --enable-gtk-doc \ - --mandir=/usr/man \ - --disable-static \ - --disable-examples \ - --enable-introspection \ - --enable-libsystemd-login=no \ - --enable-libelogind=yes \ - $PAM_OPTIONS \ - $SHADOW_OPTIONS \ - --enable-verbose-mode \ - --with-os-type=Slackware \ - --build=$ARCH-slackware-linux || exit 1 - -# Build and install: -make $NUMJOBS || make || exit 1 -make install DESTDIR=$PKG || exit 1 - -# Don't ship .la files: -rm -f $PKG/{,usr/}lib${LIBDIRSUFFIX}/*.la + --buildtype=release \ + -Dintrospection=true \ + -Dsession_tracking=libelogind \ + -Dsystemdsystemunitdir=/usr/lib/systemd/user \ + -Dauthfw=pam \ + -Dpam_module_dir=/lib${LIBDIRSUFFIX}/security \ + -Dman=true \ + -Djs_engine=mozjs \ + .. || exit 1 + "${NINJA:=ninja}" $NUMJOBS || exit 1 + DESTDIR=$PKG $NINJA install || exit 1 +cd .. + + #-Dos_type=slackware \ # Create homedir for polkit. This is mentioned in /etc/passwd, but isn't # actually used for anything later. Perms don't matter. @@ -154,10 +132,8 @@ rmdir --parents $PKG/etc/dbus-1/system.d/ # Leave the /etc/polkit-1/rules.d/ dir in place, but move the config(s) mv $PKG/etc/polkit-1/rules.d/* $PKG/usr/share/polkit-1/rules.d/ -if [ ! -z "$PAM_OPTIONS" ]; then - # Make the PAM file .new: - mv $PKG/etc/pam.d/polkit-1 $PKG/etc/pam.d/polkit-1.new -fi +# Make the PAM file .new: +mv $PKG/etc/pam.d/polkit-1 $PKG/etc/pam.d/polkit-1.new # Strip binaries: find $PKG | xargs file | grep -e "executable" -e "shared object" \ @@ -181,9 +157,8 @@ fi # Add a documentation directory: mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION cp -a \ - AUTHORS COPYING HACKING INSTALL NEWS README \ + AUTHORS* COPYING* HACKING* INSTALL* NEWS* README* \ $PKG/usr/doc/$PKGNAM-$VERSION -( cd $PKG/usr/doc/$PKGNAM-$VERSION; ln -s ../../share/gtk-doc/html/polkit-1 html ) # If there's a ChangeLog, installing at least part of the recent history # is useful, but don't let it get totally out of control: |