Package: release.debian.org Severity: normal User: [email protected] Usertags: pu
As discussed in [1], I'd like to upload a fix for CVE-2013-4288 for policykit-1 to stable. The patch itself has been applied to the unstable version as well (in 0.105-3+nmu1). Please let me know if I can proceed with the stable upload to get this fix into 7.3. Full debdiff is attached. Regards, Michael [1] https://lists.debian.org/debian-release/2013/10/msg00604.html -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (200, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog index c3ab45b..1644c95 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +policykit-1 (0.105-3+deb7u1) stable; urgency=low + + * Fix CVE-2013-4288: race condition in pkcheck. (Closes: #723717) + + -- Michael Biebl <[email protected]> Wed, 16 Oct 2013 18:35:01 +0200 + policykit-1 (0.105-3) unstable; urgency=low * 07_set-XAUTHORITY-environment-variable-if-unset.patch: Set XAUTHORITY diff --git a/debian/gbp.conf b/debian/gbp.conf index c31be83..a475fbf 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,3 +1,3 @@ [DEFAULT] pristine-tar = True -debian-branch = master +debian-branch = wheezy diff --git a/debian/patches/cve-2013-4288.patch b/debian/patches/cve-2013-4288.patch new file mode 100644 index 0000000..2aad36c --- /dev/null +++ b/debian/patches/cve-2013-4288.patch @@ -0,0 +1,115 @@ +From 52c927893a2ab135462b616c2e00fec377da9885 Mon Sep 17 00:00:00 2001 +From: Colin Walters <[email protected]> +Date: Mon, 19 Aug 2013 12:16:11 -0400 +Subject: [PATCH 2/4] pkcheck: Support --process=pid,start-time,uid syntax too + +The uid is a new addition; this allows callers such as libvirt to +close a race condition in reading the uid of the process talking to +them. They can read it via getsockopt(SO_PEERCRED) or equivalent, +rather than having pkcheck look at /proc later after the fact. + +Programs which invoke pkcheck but need to know beforehand (i.e. at +compile time) whether or not it supports passing the uid can +use: + +pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1) +test x$pkcheck_supports_uid = xyes +--- + data/polkit-gobject-1.pc.in | 3 +++ + docs/man/pkcheck.xml | 29 ++++++++++++++++++++--------- + src/programs/pkcheck.c | 9 +++++++-- + 3 files changed, 30 insertions(+), 11 deletions(-) + +Index: policykit-1-0.105/data/polkit-gobject-1.pc.in +=================================================================== +--- policykit-1-0.105.orig/data/polkit-gobject-1.pc.in 2013-09-11 09:40:56.604225567 -0400 ++++ policykit-1-0.105/data/polkit-gobject-1.pc.in 2013-09-11 09:40:56.596225567 -0400 +@@ -11,3 +11,6 @@ + Libs: -L${libdir} -lpolkit-gobject-1 + Cflags: -I${includedir}/polkit-1 + Requires: gio-2.0 >= 2.18 glib-2.0 >= 2.18 ++# Programs using pkcheck can use this to determine ++# whether or not it can be passed a uid. ++pkcheck_supports_uid=true +Index: policykit-1-0.105/docs/man/pkcheck.xml +=================================================================== +--- policykit-1-0.105.orig/docs/man/pkcheck.xml 2013-09-11 09:40:56.604225567 -0400 ++++ policykit-1-0.105/docs/man/pkcheck.xml 2013-09-11 09:42:28.272223569 -0400 +@@ -55,6 +55,9 @@ + <arg choice="plain"> + <replaceable>pid,pid-start-time</replaceable> + </arg> ++ <arg choice="plain"> ++ <replaceable>pid,pid-start-time,uid</replaceable> ++ </arg> + </group> + </arg> + <arg choice="plain"> +@@ -90,7 +93,7 @@ + <title>DESCRIPTION</title> + <para> + <command>pkcheck</command> is used to check whether a process, specified by +- either <option>--process</option> or <option>--system-bus-name</option>, ++ either <option>--process</option> (see below) or <option>--system-bus-name</option>, + is authorized for <replaceable>action</replaceable>. The <option>--detail</option> + option can be used zero or more times to pass details about <replaceable>action</replaceable>. + If <option>--allow-user-interaction</option> is passed, <command>pkcheck</command> blocks +@@ -160,17 +163,25 @@ + <refsect1 id="pkcheck-notes"> + <title>NOTES</title> + <para> +- Since process identifiers can be recycled, the caller should always use +- <replaceable>pid,pid-start-time</replaceable> to specify the process +- to check for authorization when using the <option>--process</option> option. +- The value of <replaceable>pid-start-time</replaceable> +- can be determined by consulting e.g. the ++ Do not use either the bare <replaceable>pid</replaceable> or ++ <replaceable>pid,start-time</replaceable> syntax forms for ++ <option>--process</option>. There are race conditions in both. ++ New code should always use ++ <replaceable>pid,pid-start-time,uid</replaceable>. The value of ++ <replaceable>start-time</replaceable> can be determined by ++ consulting e.g. the + <citerefentry> + <refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum> + </citerefentry> +- file system depending on the operating system. If only <replaceable>pid</replaceable> +- is passed to the <option>--process</option> option, then <command>pkcheck</command> +- will look up the start time itself but note that this may be racy. ++ file system depending on the operating system. If fewer than 3 ++ arguments are passed, <command>pkcheck</command> will attempt to ++ look up them up internally, but note that this may be racy. ++ </para> ++ <para> ++ If your program is a daemon with e.g. a custom Unix domain ++ socket, you should determine the <replaceable>uid</replaceable> ++ parameter via operating system mechanisms such as ++ <literal>PEERCRED</literal>. + </para> + </refsect1> + +Index: policykit-1-0.105/src/programs/pkcheck.c +=================================================================== +--- policykit-1-0.105.orig/src/programs/pkcheck.c 2013-09-11 09:40:56.604225567 -0400 ++++ policykit-1-0.105/src/programs/pkcheck.c 2013-09-11 09:40:56.600225567 -0400 +@@ -372,6 +372,7 @@ + else if (g_strcmp0 (argv[n], "--process") == 0 || g_strcmp0 (argv[n], "-p") == 0) + { + gint pid; ++ guint uid; + guint64 pid_start_time; + + n++; +@@ -381,7 +382,11 @@ + goto out; + } + +- if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2) ++ if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u", &pid, &pid_start_time, &uid) == 3) ++ { ++ subject = polkit_unix_process_new_for_owner (pid, pid_start_time, uid); ++ } ++ else if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2) + { + subject = polkit_unix_process_new_full (pid, pid_start_time); + } diff --git a/debian/patches/series b/debian/patches/series index 2d3a3f9..0307b9c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ 05_revert-admin-identities-unix-group-wheel.patch 06_systemd-service.patch 07_set-XAUTHORITY-environment-variable-if-unset.patch +cve-2013-4288.patch
