diff -Nru policykit-1-0.105/debian/changelog policykit-1-0.105/debian/changelog
--- policykit-1-0.105/debian/changelog 2018-07-13 11:42:06.000000000 +0000
+++ policykit-1-0.105/debian/changelog 2019-01-15 13:18:22.000000000 +0000
@@ -1,3 +1,19 @@
+policykit-1 (0.105-20ubuntu0.18.04.4) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: authorization bypass with large uid
+ - debian/patches/CVE-2018-19788-1.patch: allow negative uids/gids in
+ PolkitUnixUser and Group objects in src/polkit/polkitunixgroup.c,
+ src/polkit/polkitunixprocess.c, src/polkit/polkitunixuser.c.
+ - debian/patches/CVE-2018-19788-2.patch: add tests to
+ test/data/etc/group, test/data/etc/passwd,
+ test/data/etc/polkit-1/localauthority/10-test/com.example.pkla,
+ test/polkitbackend/polkitbackendlocalauthoritytest.c.
+ - debian/patches/CVE-2018-19788-3.patch: allow uid of -1 for a
+ PolkitUnixProcess in src/polkit/polkitunixprocess.c.
+ - CVE-2018-19788
+
+ -- Marc Deslauriers Tue, 15 Jan 2019 08:18:22 -0500
+
 policykit-1 (0.105-20ubuntu0.18.04.1) bionic-security; urgency=medium
 
 * SECURITY UPDATE: DoS and information disclosure
diff -Nru policykit-1-0.105/debian/patches/CVE-2018-19788-1.patch policykit-1-0.105/debian/patches/CVE-2018-19788-1.patch
--- policykit-1-0.105/debian/patches/CVE-2018-19788-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ policykit-1-0.105/debian/patches/CVE-2018-19788-1.patch 2018-12-07 15:56:21.000000000 +0000
@@ -0,0 +1,185 @@
+From 2cb40c4d5feeaa09325522bd7d97910f1b59e379 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Mon, 3 Dec 2018 10:28:58 +0100
+Subject: [PATCH] Allow negative uids/gids in PolkitUnixUser and Group objects
+
+(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
+there should be no users with such number, see
+https://systemd.io/UIDS-GIDS#special-linux-uids.
+
+(uid_t) -1 is used as the default value in class initialization.
+
+When a user or group above INT32_MAX is created, the numeric uid or
+gid wraps around to negative when the value is assigned to gint, and
+polkit gets confused. Let's accept such gids, except for -1.
+
+A nicer fix would be to change the underlying type to e.g. uint32 to
+not have negative values. But this cannot be done without breaking the
+API, so likely new functions will have to be added (a
+polkit_unix_user_new variant that takes a unsigned, and the same for
+_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
+require a bigger patch.
+
+Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
+---
+ src/polkit/polkitunixgroup.c | 15 +++++++++++----
+ src/polkit/polkitunixprocess.c | 12 ++++++++----
+ src/polkit/polkitunixuser.c | 13 ++++++++++---
+ 3 files changed, 29 insertions(+), 11 deletions(-)
+
+Index: policykit-1-0.105/src/polkit/polkitunixgroup.c
+===================================================================
+--- policykit-1-0.105.orig/src/polkit/polkitunixgroup.c 2018-12-07 07:46:23.491243637 -0500
++++ policykit-1-0.105/src/polkit/polkitunixgroup.c 2018-12-07 07:46:23.491243637 -0500
+@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup
+ static void
+ polkit_unix_group_init (PolkitUnixGroup *unix_group)
+ {
++ unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
+ }
+
+ static void
+@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject
+ GParamSpec *pspec)
+ {
+ PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
++ gint val;
+
+ switch (prop_id)
+ {
+ case PROP_GID:
+- unix_group->gid = g_value_get_int (value);
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ unix_group->gid = val;
+ break;
+
+ default:
+@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnix
+ g_param_spec_int ("gid",
+ "Group ID",
+ "The UNIX group ID",
+- 0,
++ G_MININT,
+ G_MAXINT,
+- 0,
++ -1,
+ G_PARAM_CONSTRUCT |
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_NAME |
+@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGro
+ */
+ void
+ polkit_unix_group_set_gid (PolkitUnixGroup *group,
+- gint gid)
++ gint gid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
++ g_return_if_fail (gid != -1);
+ group->gid = gid;
+ }
+
+@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGro
+ PolkitIdentity *
+ polkit_unix_group_new (gint gid)
+ {
++ g_return_val_if_fail (gid != -1, NULL);
++
+ return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
+ "gid", gid,
+ NULL));
+Index: policykit-1-0.105/src/polkit/polkitunixprocess.c
+===================================================================
+--- policykit-1-0.105.orig/src/polkit/polkitunixprocess.c 2018-12-07 07:46:23.491243637 -0500
++++ policykit-1-0.105/src/polkit/polkitunixprocess.c 2018-12-07 07:46:23.491243637 -0500
+@@ -147,9 +147,14 @@ polkit_unix_process_set_property (GObjec
+ polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+ break;
+
+- case PROP_UID:
+- polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
++ case PROP_UID: {
++ gint val;
++
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ polkit_unix_process_set_uid (unix_process, val);
+ break;
++ }
+
+ case PROP_START_TIME:
+ polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
+@@ -227,7 +232,7 @@ polkit_unix_process_class_init (PolkitUn
+ g_param_spec_int ("uid",
+ "User ID",
+ "The UNIX user ID",
+- -1,
++ G_MININT,
+ G_MAXINT,
+ -1,
+ G_PARAM_CONSTRUCT |
+@@ -291,7 +296,6 @@ polkit_unix_process_set_uid (PolkitUnixP
+ gint uid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
+- g_return_if_fail (uid >= -1);
+ process->uid = uid;
+ }
+
+Index: policykit-1-0.105/src/polkit/polkitunixuser.c
+===================================================================
+--- policykit-1-0.105.orig/src/polkit/polkitunixuser.c 2018-12-07 07:46:23.491243637 -0500
++++ policykit-1-0.105/src/polkit/polkitunixuser.c 2018-12-07 07:46:23.491243637 -0500
+@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser,
+ static void
+ polkit_unix_user_init (PolkitUnixUser *unix_user)
+ {
++ unix_user->uid = -1; /* (uid_t) -1 is not a valid UID under Linux */
+ unix_user->name = NULL;
+ }
+
+@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject
+ GParamSpec *pspec)
+ {
+ PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
++ gint val;
+
+ switch (prop_id)
+ {
+ case PROP_UID:
+- unix_user->uid = g_value_get_int (value);
++ val = g_value_get_int (value);
++ g_return_if_fail (val != -1);
++ unix_user->uid = val;
+ break;
+
+ default:
+@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixU
+ g_param_spec_int ("uid",
+ "User ID",
+ "The UNIX user ID",
+- 0,
++ G_MININT,
+ G_MAXINT,
+- 0,
++ -1,
+ G_PARAM_CONSTRUCT |
+ G_PARAM_READWRITE |
+ G_PARAM_STATIC_NAME |
+@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser
+ gint uid)
+ {
+ g_return_if_fail (POLKIT_IS_UNIX_USER (user));
++ g_return_if_fail (uid != -1);
+ user->uid = uid;
+ }
+
+@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser
+ PolkitIdentity *
+ polkit_unix_user_new (gint uid)
+ {
++ g_return_val_if_fail (uid != -1, NULL);
++
+ return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
+ "uid", uid,
+ NULL));
diff -Nru policykit-1-0.105/debian/patches/CVE-2018-19788-2.patch policykit-1-0.105/debian/patches/CVE-2018-19788-2.patch
--- policykit-1-0.105/debian/patches/CVE-2018-19788-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ policykit-1-0.105/debian/patches/CVE-2018-19788-2.patch 2018-12-07 15:56:24.000000000 +0000
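Review bot: The comment added in polkit_unix_group_init misspells the type: the hunk has `git_t` where it should read `unix_group->gid = -1; /* (gid_t) -1 is not a valid GID under Linux */`, matching the `(uid_t)` wording on the parallel line in polkit_unix_user_init. Separately, the new `g_return_if_fail (val != -1)` in polkit_unix_group_set_property and polkit_unix_user_set_property only emits a critical and returns, so an object built directly through g_object_new with -1 keeps the -1 placeholder assigned in _init, and only the _new() wrappers turn the rejected value into a NULL return; a short comment at those return points would make that intent explicit, e.g. `/* -1 is the "unset" placeholder assigned in _init; polkit_unix_*_new() rejects it with NULL */`. The re-indentation of `gint gid)` in polkit_unix_group_set_gid is whitespace-only noise that a security backport could drop.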
@@ -0,0 +1,106 @@
+Backport of:
+
+From b534a10727455409acd54018a9c91000e7626126 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Mon, 3 Dec 2018 11:20:34 +0100
+Subject: [PATCH] tests: add tests for high uids
+
+---
+ test/data/etc/group | 1 +
+ test/data/etc/passwd | 2 +
+ .../etc/polkit-1/rules.d/10-testing.rules | 21 ++++++
+ .../test-polkitbackendjsauthority.c | 72 +++++++++++++++++++
+ 4 files changed, 96 insertions(+)
+
+Index: policykit-1-0.105/test/data/etc/group
+===================================================================
+--- policykit-1-0.105.orig/test/data/etc/group 2018-12-07 08:21:34.402387757 -0500
++++ policykit-1-0.105/test/data/etc/group 2018-12-07 08:21:34.398387743 -0500
+@@ -5,3 +5,4 @@ john:x:500:
+ jane:x:501:
+ sally:x:502:
+ henry:x:503:
++highuid2:x:4000000000:
+Index: policykit-1-0.105/test/data/etc/passwd
+===================================================================
+--- policykit-1-0.105.orig/test/data/etc/passwd 2018-12-07 08:21:34.402387757 -0500
++++ policykit-1-0.105/test/data/etc/passwd 2018-12-07 08:21:34.398387743 -0500
+@@ -3,3 +3,5 @@ john:x:500:500:John Done:/home/john:/bin
+ jane:x:501:501:Jane Smith:/home/jane:/bin/bash
+ sally:x:502:502:Sally Derp:/home/sally:/bin/bash
+ henry:x:503:503:Henry Herp:/home/henry:/bin/bash
++highuid1:x:2147483648:2147483648:The first high uid:/home/highuid1:/sbin/nologin
++highuid2:x:4000000000:4000000000:An example high uid:/home/example:/sbin/nologin
+Index: policykit-1-0.105/test/data/etc/polkit-1/localauthority/10-test/com.example.pkla
+===================================================================
+--- policykit-1-0.105.orig/test/data/etc/polkit-1/localauthority/10-test/com.example.pkla 2018-12-07 08:21:34.402387757 -0500
++++ policykit-1-0.105/test/data/etc/polkit-1/localauthority/10-test/com.example.pkla 2018-12-07 08:21:34.398387743 -0500
+@@ -12,3 +12,16 @@ ResultAny=no
+ ResultInactive=auth_self
+ ResultActive=yes
+
++[User john can do this]
++Identity=unix-user:john
++Action=net.company.john_action
++ResultAny=no
++ResultInactive=auth_self
++ResultActive=yes
++
++[User highuid2 can do this]
++Identity=unix-user:highuid2
++Action=net.company.highuid2_action
++ResultAny=no
++ResultInactive=auth_self
++ResultActive=yes
+Index: policykit-1-0.105/test/polkitbackend/polkitbackendlocalauthoritytest.c
+===================================================================
+--- policykit-1-0.105.orig/test/polkitbackend/polkitbackendlocalauthoritytest.c 2018-12-07 08:21:34.402387757 -0500
++++ policykit-1-0.105/test/polkitbackend/polkitbackendlocalauthoritytest.c 2018-12-07 10:23:33.528742547 -0500
+@@ -226,7 +226,46 @@ struct auth_context check_authorization_
+ {"unix-user:jane", TRUE, TRUE, "com.example.awesomeproduct.bar",
+ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN,
+ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED},
+-
++ /* highuid1 is not a member of group 'users', see test/data/etc/group
++ * group_membership_with_non_member(highuid22) */
++ {"unix-user:highuid2", TRUE, TRUE, "com.example.awesomeproduct.foo",
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN,
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN},
++ /* highuid2 is not a member of group 'users', see test/data/etc/group
++ * group_membership_with_non_member(highuid21) */
++ {"unix-user:highuid2", TRUE, TRUE, "com.example.awesomeproduct.foo",
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN,
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN},
++ /* highuid1 is not a member of group 'users', see test/data/etc/group
++ * group_membership_with_non_member(highuid24) */
++ {"unix-user:2147483648", TRUE, TRUE, "com.example.awesomeproduct.foo",
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN,
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN},
++ /* highuid2 is not a member of group 'users', see test/data/etc/group
++ * group_membership_with_non_member(highuid23) */
++ {"unix-user:4000000000", TRUE, TRUE, "com.example.awesomeproduct.foo",
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN,
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN},
++ /* john is authorized to do this, see com.example.pkla
++ * john_action */
++ {"unix-user:john", TRUE, TRUE, "net.company.john_action",
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN,
++ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED},
++ /* only john is authorized to do this, see com.example.pkla
++ * jane_action */
++ {"unix-user:jane", TRUE, TRUE, "net.company.john_action",
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN,
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN},
++ /* highuid2 is authorized to do this, see com.example.pkla
++ * highuid2_action */
++ {"unix-user:highuid2", TRUE, TRUE, "net.company.highuid2_action",
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN,
++ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED},
++ /* only highuid2 is authorized to do this, see com.example.pkla
++ * highuid1_action */
++ {"unix-user:highuid1", TRUE, TRUE, "net.company.highuid2_action",
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN,
++ POLKIT_IMPLICIT_AUTHORIZATION_UNKNOWN},
+ {NULL},
+ };
+
diff -Nru policykit-1-0.105/debian/patches/CVE-2018-19788-3.patch policykit-1-0.105/debian/patches/CVE-2018-19788-3.patch
--- policykit-1-0.105/debian/patches/CVE-2018-19788-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ policykit-1-0.105/debian/patches/CVE-2018-19788-3.patch 2019-01-15 13:18:20.000000000 +0000
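Review bot: The first two rows added to the check_authorization test table in polkitbackendlocalauthoritytest.c are identical (`"unix-user:highuid2"` against com.example.awesomeproduct.foo, both expecting UNKNOWN) while their comments describe highuid1 and highuid2 respectively, so the by-name case for highuid1 (uid 2147483648, the first value that wraps negative in a gint) is never exercised even though that user is added to test/data/etc/passwd; the first row should read `{"unix-user:highuid1", TRUE, TRUE, "com.example.awesomeproduct.foo",`. The comment tags `group_membership_with_non_member(highuid22)`, `(highuid21)`, `(highuid24)` and `(highuid23)` do not match any visible identifier and look like a copy-paste artifact; naming the user each row actually tests (highuid1/highuid2) would make the table readable. The diffstat carried over under "Backport of:" lists rules.d/10-testing.rules and test-polkitbackendjsauthority.c, which this backport does not touch (it edits com.example.pkla and polkitbackendlocalauthoritytest.c instead), so it should be corrected or dropped. The table's enclosing definition begins before this hunk.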
@@ -0,0 +1,44 @@
+From bd4b563afe3f13e865805d731a3e6af09bd3649a Mon Sep 17 00:00:00 2001
+From: Matthew Leeds
+Date: Tue, 11 Dec 2018 12:04:26 -0800
+Subject: [PATCH] Allow uid of -1 for a PolkitUnixProcess
+
+Commit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and
+PolkitUnixProcess to allow negative values for their uid/gid properties,
+since these are values above INT_MAX which wrap around but are still
+valid, with the exception of -1 which is not valid. However,
+PolkitUnixProcess allows a uid of -1 to be passed to
+polkit_unix_process_new_for_owner() which means polkit is expected to
+figure out the uid on its own (this happens in the _constructed
+function). So this commit removes the check in
+polkit_unix_process_set_property() so that new_for_owner() can be used
+as documented without producing a critical error message.
+
+This does not affect the protection against CVE-2018-19788 which is
+based on creating a user with a UID up to but not including 4294967295
+(-1).
+---
+ src/polkit/polkitunixprocess.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+Index: policykit-1-0.105/src/polkit/polkitunixprocess.c
+===================================================================
+--- policykit-1-0.105.orig/src/polkit/polkitunixprocess.c 2019-01-15 08:18:18.880747818 -0500
++++ policykit-1-0.105/src/polkit/polkitunixprocess.c 2019-01-15 08:18:18.876747807 -0500
+@@ -147,14 +147,9 @@ polkit_unix_process_set_property (GObjec
+ polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
+ break;
+
+- case PROP_UID: {
+- gint val;
+-
+- val = g_value_get_int (value);
+- g_return_if_fail (val != -1);
+- polkit_unix_process_set_uid (unix_process, val);
++ case PROP_UID:
++ polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
+ break;
+- }
+
+ case PROP_START_TIME:
+ polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
diff -Nru policykit-1-0.105/debian/patches/series 
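Review bot: After this hunk, PolkitUnixProcess no longer validates its uid anywhere in the visible code: CVE-2018-19788-1.patch already dropped `g_return_if_fail (uid >= -1)` from polkit_unix_process_set_uid, and this hunk drops the `val != -1` check from set_property, so the property now accepts any gint, with -1 carrying the "resolve from the pid in _constructed" meaning the message describes. That deliberate asymmetry with PolkitUnixUser and PolkitUnixGroup, where -1 is rejected, deserves a comment at the restored `case PROP_UID:` line, e.g. `/* -1 is valid here: polkit_unix_process_new_for_owner() passes it so the uid is resolved from the pid in _constructed() */`. Whether a -1 process uid can reach an identity comparison before being resolved is not visible in this hunk; polkit_unix_process_set_property's switch continues outside it.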
policykit-1-0.105/debian/patches/series
--- policykit-1-0.105/debian/patches/series 2018-07-13 11:42:02.000000000 +0000
+++ policykit-1-0.105/debian/patches/series 2019-01-15 13:18:17.000000000 +0000
@@ -38,3 +38,6 @@
 06_systemd-service.patch
 10_build-against-libsystemd.patch
 CVE-2018-1116.patch
+CVE-2018-19788-1.patch
+CVE-2018-19788-2.patch
+CVE-2018-19788-3.patch