Your message dated Thu, 16 Jul 2020 23:04:10 +0000
with message-id <[email protected]>
and subject line Bug#956223: fixed in policykit-1 0.105-27
has caused the Debian Bug report #956223,
regarding policykit-1: out-of-bounds reads in _localize
([email protected], line 1127)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
956223: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956223
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: policykit-1
Version: 0.105-26
Dear Maintainer,
I noticed that there is an out-of-bounds read at the following source
location:
https://salsa.debian.org/utopia-team/polkit/-/blob/debian/0.105-26/src/polkitbackend/polkitbackendactionpool.c#L1127
There is also a potential out-of-bounds write a few lines below in the same
file (line 1131).
The bug happens when the locale string is longer than 256 characters. It
happens because strncpy does not insert a terminating null byte ('\0') when
the source string is too long. This means that the loop can read off the
end of the string, and potentially write out-of-bounds on line 1131.
The bug can be triggered by an unprivileged user sending an
EnumerateActions D-Bus message to polkitd. (I have attached a PoC.)
Although an out-of-bounds read/write is a potential security issue, in
practice my PoC does not cause polkitd to crash. That's because there are
usually some zero bytes on the stack (in the memory above lang2) which
prevent it from hitting anything important. In other words, this bug is
technically a security issue, but it is very low severity.
Weirdly, this bug only exists on the version of polkit used by Debian. It
was fixed 7 years ago in the main polkit repo:
https://gitlab.freedesktop.org/polkit/polkit/-/commit/facadfb5c8c52ba45fd20ffe3b6d3ddd4208a427
The bug is also fixed in policykit-1 version 0.116-2, which is the version
used by Debian experimental. But versions 0.105-15~deb8u4 to 0.105-26,
which are the versions used by the other Debian releases, contain the bug.
Despite the low severity of the bug, I would recommend cherry-picking
commit facadfb5c8c52ba45fd20ffe3b6d3ddd4208a427 onto all of your releases
to fix it.
Thank you,
Kevin Backhouse
GitHub Security Lab
Attachment: Polkit_EnumerateActions_PoC.tar.bz2 (application/bzip)
--- End Message ---
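The strncpy pattern described in the report above, shown as an added example that is not polkit's source and not the upstream fix: the function and buffer names are assumptions, the buffer size (256) and the scan for '.' or '_' follow the description in the report, and the only safe way to observe the missing terminator is to inspect the buffer with a bounded call rather than run the scan on over-long input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LANG_BUF 256   /* the fixed buffer size the report describes */

/*
 * Vulnerable shape (illustrative, not polkit's source). strncpy() writes
 * exactly LANG_BUF bytes and adds a NUL only if the source is shorter than
 * that, so a locale of 256 bytes or more leaves lang2 without a terminator.
 * The scan then reads past lang2[255] until it happens to meet a NUL, '.'
 * or '_' elsewhere on the stack, and writes a NUL there on '.' or '_'.
 */
static void trim_locale_unsafe(char lang2[LANG_BUF], const char *lang)
{
    size_t n;

    strncpy(lang2, lang, LANG_BUF);
    for (n = 0; lang2[n] != '\0'; n++) {       /* unbounded scan */
        if (lang2[n] == '.' || lang2[n] == '_') {
            lang2[n] = '\0';                   /* potential OOB write */
            break;
        }
    }
}

/*
 * Inspect only what strncpy() leaves behind: true if the 256-byte buffer
 * holds no NUL at all. memchr() is bounded, so this is safe for any input,
 * unlike the scan loop above.
 */
static bool strncpy_leaves_unterminated(const char *lang)
{
    char lang2[LANG_BUF];

    strncpy(lang2, lang, sizeof lang2);
    return memchr(lang2, '\0', sizeof lang2) == NULL;
}

/*
 * Hardened shape: measure with an explicit bound, refuse input that does not
 * fit together with its terminator, terminate the copy yourself, and bound
 * the scan by the copied length rather than by a NUL you may not have.
 * Returns false on rejection; the caller then falls back to the
 * untranslated string instead of guessing.
 */
static bool trim_locale_safe(char *out, size_t outsz, const char *lang)
{
    size_t len, n;

    if (lang == NULL || outsz == 0)
        return false;
    for (len = 0; len < outsz && lang[len] != '\0'; len++)
        ;
    if (len == outsz)                          /* no room for the NUL */
        return false;
    memcpy(out, lang, len);
    out[len] = '\0';
    for (n = 0; n < len; n++) {
        if (out[n] == '.' || out[n] == '_') {
            out[n] = '\0';
            break;
        }
    }
    return true;
}

/* Constructed input: a "locale" of len bytes with no '.' or '_' in it, the
 * worst case for the scan loop. Real locale names are a few bytes long. */
static const char *locale_of_length(size_t len)
{
    static char buf[512];

    if (len >= sizeof buf)
        len = sizeof buf - 1;
    memset(buf, 'x', len);
    buf[len] = '\0';
    return buf;
}

/* Check helper: does the safe trim yield `expected`, or reject when
 * `expected` is NULL? */
static bool safe_trim_gives(const char *lang, const char *expected)
{
    char out[LANG_BUF];

    if (!trim_locale_safe(out, sizeof out, lang))
        return expected == NULL;
    return expected != NULL && strcmp(out, expected) == 0;
}

int main(void)
{
    char lang2[LANG_BUF];
    size_t lens[] = { 5, 255, 256, 300 };
    size_t i;

    trim_locale_unsafe(lang2, "da_DK.UTF-8");  /* fine for ordinary input */
    printf("unsafe trim of da_DK.UTF-8 -> %s\n", lang2);

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        const char *lang = locale_of_length(lens[i]);
        printf("len %3zu: strncpy leaves unterminated=%d, safe trim accepts=%d\n",
               lens[i], strncpy_leaves_unterminated(lang),
               trim_locale_safe(lang2, sizeof lang2, lang));
    }
    return 0;
}
```

The boundary is exactly strlen(lang) == 256: at 255 bytes strncpy still pads one NUL, at 256 it pads none. The hardened version rejects rather than truncates because a silently truncated locale name would be looked up as a different language, which is the behaviour a caller should notice rather than paper over.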
--- Begin Message ---
Source: policykit-1
Source-Version: 0.105-27
Done: Michael Biebl <[email protected]>
We believe that the bug you reported is fixed in the latest version of
policykit-1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <[email protected]> (supplier of updated policykit-1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 17 Jul 2020 00:50:43 +0200
Source: policykit-1
Architecture: source
Version: 0.105-27
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Michael Biebl <[email protected]>
Closes: 956223
Changes:
policykit-1 (0.105-27) unstable; urgency=medium
.
* Switch to /usr/libexec now that it is allowed by debian policy
* Bump debhelper-compat to 13
* Bump Standards-Version to 4.5.0
* Try harder to look up the right localization.
Fixes out-of-bounds read in _localize. (Closes: #956223)
Checksums-Sha1:
ba52fe87510f34c55e91131bbc7712d0db70e659 2781 policykit-1_0.105-27.dsc
f0ef10d4ed2691a9044d39928082b084d7d7b871 74540 policykit-1_0.105-27.debian.tar.xz
35064c6d2f71ab8f9668a81a9d37e70696906a07 8323 policykit-1_0.105-27_source.buildinfo
Checksums-Sha256:
3deb98da9cabf6a282a3fc81b800f5068511c15f341de41663844a609439a1f0 2781 policykit-1_0.105-27.dsc
ec7f8a4c11bd3d9db386c540b456b3c3228b0b9aced9738e98ab6aeeeb840366 74540 policykit-1_0.105-27.debian.tar.xz
4ec4b505be800576d304eaf35bdf180f1b53076391a115b0a1e05a26dbf575a7 8323 policykit-1_0.105-27_source.buildinfo
Files:
26b8bcb6138511f090b0abcb3c0914bd 2781 admin optional policykit-1_0.105-27.dsc
f252120d136e4756e05cf0be869b1f5b 74540 admin optional policykit-1_0.105-27.debian.tar.xz
2206a4e4d4ac3b9d0bd914a7bc62be2e 8323 admin optional policykit-1_0.105-27_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers