Date: Thursday, October 3, 2013 @ 00:41:24 Author: heftig Revision: 195869
FS#37169 - [rtkit] security patch for CVE-2013-4326 Added: rtkit/trunk/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch Modified: rtkit/trunk/PKGBUILD --------------------------------------------------+ 0001-SECURITY-Pass-uid-of-caller-to-polkit.patch | 48 +++++++++++++++++++++ PKGBUILD | 9 ++- 2 files changed, 54 insertions(+), 3 deletions(-) Added: 0001-SECURITY-Pass-uid-of-caller-to-polkit.patch =================================================================== --- 0001-SECURITY-Pass-uid-of-caller-to-polkit.patch (rev 0) +++ 0001-SECURITY-Pass-uid-of-caller-to-polkit.patch 2013-10-02 22:41:24 UTC (rev 195869) @@ -0,0 +1,48 @@ +From f44c5776b25ca2abd7569fb8532c6aede9b0c6b0 Mon Sep 17 00:00:00 2001 +From: Colin Walters <[email protected]> +Date: Thu, 22 Aug 2013 16:05:22 -0400 +Subject: [PATCH] [SECURITY] Pass uid of caller to polkit + +Otherwise, we force polkit to look up the uid itself in /proc, which +is racy if they execve() a setuid binary. +--- + rtkit-daemon.c | 11 ++++++++++- + 1 files changed, 10 insertions(+), 1 deletions(-) + +diff --git a/rtkit-daemon.c b/rtkit-daemon.c +index 2ebe673..3ecc1f7 100644 +--- a/rtkit-daemon.c ++++ b/rtkit-daemon.c +@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process + DBusMessage *m = NULL, *r = NULL; + const char *unix_process = "unix-process"; + const char *pid = "pid"; ++ const char *uid = "uid"; + const char *start_time = "start-time"; + const char *cancel_id = ""; + uint32_t flags = 0; + uint32_t pid_u32 = p->pid; +- uint64_t start_time_u64 = p->starttime; ++ uint32_t uid_u32 = (uint32_t)u->uid; + DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant; ++ uint64_t start_time_u64 = p->starttime; + int ret; + dbus_bool_t authorized = FALSE; + +@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process + assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant)); + assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict)); + ++ assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict)); ++ assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid)); ++ assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant)); ++ assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32)); ++ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant)); ++ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict)); ++ + assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array)); + assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct)); + +-- +1.7.1 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2013-10-02 21:50:10 UTC (rev 195868) +++ PKGBUILD 2013-10-02 22:41:24 UTC (rev 195869) @@ -4,7 +4,7 @@ pkgname=rtkit pkgver=0.11 -pkgrel=3 +pkgrel=4 pkgdesc="Realtime Policy and Watchdog Daemon" arch=(i686 x86_64) url="http://git.0pointer.de/?p=rtkit.git"; @@ -12,15 +12,18 @@ depends=(dbus polkit systemd) install=rtkit.install source=(http://0pointer.de/public/$pkgname-$pkgver.tar.xz - libsystemd.patch systemd205.patch) + libsystemd.patch systemd205.patch + 0001-SECURITY-Pass-uid-of-caller-to-polkit.patch) md5sums=('a96c33b9827de66033d2311f82d79a5d' '35089c0a284005f4abcf45168415857e' - '95195a70551057aca833da6bdbf2e35b') + '95195a70551057aca833da6bdbf2e35b' + '70df212cba2a6366ff960b60d55858d3') prepare() { cd $pkgname-$pkgver patch -Np1 -i ../libsystemd.patch patch -Np1 -i ../systemd205.patch + patch -Np1 -i ../0001-SECURITY-Pass-uid-of-caller-to-polkit.patch autoreconf -fi }
