diff -Nru policykit-1-0.104/debian/changelog policykit-1-0.104/debian/changelog
--- policykit-1-0.104/debian/changelog 2012-01-06 11:28:58.000000000 +0000
+++ policykit-1-0.104/debian/changelog 2013-09-11 13:48:50.000000000 +0000
@@ -1,3 +1,22 @@
+policykit-1 (0.104-1ubuntu1.1) precise-security; urgency=low
+
+ * SECURITY UPDATE: use of pkcheck without specifying uid is racy,
+ possibly leading to privilege escalation
+ - debian/patches/CVE-2013-4288.patch: implement pid,start-time,uid
+ syntax so callers have a non-racy way of using pkcheck.
+ - CVE-2013-4288
+
+ -- Marc Deslauriers Wed, 11 Sep 2013 09:48:41 -0400
+
+policykit-1 (0.104-1ubuntu1) precise-proposed; urgency=low
+
+ * debian/patches/07_pam_environment.patch: set process environment
+ from pam_getenvlist(). Closes LP: #982684.
+ * debian/patches/01_pam_polkit.patch: adjust patch to invoke pam_env, so
+ our global settings from /etc/environment are applied correctly.
+
+ -- Steve Langasek Tue, 15 May 2012 15:15:52 -0700
+
 policykit-1 (0.104-1) unstable; urgency=low
 
 * New upstream release.
diff -Nru policykit-1-0.104/debian/control policykit-1-0.104/debian/control
--- policykit-1-0.104/debian/control 2012-01-06 11:28:58.000000000 +0000
+++ policykit-1-0.104/debian/control 2012-05-15 22:48:48.000000000 +0000
@@ -1,7 +1,8 @@
 Source: policykit-1
 Section: admin
 Priority: optional
-Maintainer: Utopia Maintenance Team
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Utopia Maintenance Team
 Uploaders: Michael Biebl , Martin Pitt
 Build-Depends: debhelper (>= 8.1.3),
 autotools-dev,
diff -Nru policykit-1-0.104/debian/patches/01_pam_polkit.patch policykit-1-0.104/debian/patches/01_pam_polkit.patch
--- policykit-1-0.104/debian/patches/01_pam_polkit.patch 2012-01-06 11:28:58.000000000 +0000
+++ policykit-1-0.104/debian/patches/01_pam_polkit.patch 2012-05-15 22:48:48.000000000 +0000
@@ -1,6 +1,8 @@
---- a/data/polkit-1.in
-+++ b/data/polkit-1.in
-@@ -1,6 +1,6 @@
+Index: trunk/data/polkit-1.in
+===================================================================
+--- trunk.orig/data/polkit-1.in
++++ trunk/data/polkit-1.in
+@@ -1,6 +1,8 @@
 #%PAM-1.0
 -auth include @PAM_FILE_INCLUDE_AUTH@
@@ -10,4 +12,6 @@
 +@include common-auth
 +@include common-account
 +@include common-password
++session required pam_env.so readenv=1 user_readenv=0
++session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
 +@include common-session
diff -Nru policykit-1-0.104/debian/patches/07_pam_environment.patch policykit-1-0.104/debian/patches/07_pam_environment.patch
--- policykit-1-0.104/debian/patches/07_pam_environment.patch 1970-01-01 00:00:00.000000000 +0000
+++ policykit-1-0.104/debian/patches/07_pam_environment.patch 2012-05-15 22:48:48.000000000 +0000
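Review bot: Both new `pam_env.so` lines set `user_readenv=0`, which is the right choice but goes unexplained: pam_env is being wired in so that pkexec can import the PAM environment into its own process (see the sibling 07_pam_environment.patch hunk), so only the system-wide files (`/etc/environment` via `readenv=1`, plus `/etc/default/locale` via `envfile=`) should be consulted and never a per-user environment file that the invoking user controls. Add a comment line in the PAM file such as `# user_readenv=0 on purpose: pkexec imports this environment, so only system-wide files are read` so the restriction is not relaxed by a later edit. The first line's `readenv=1` reads the default file and the second line re-reads with `envfile=` pointing at the locale file; if that pairing is intended, a one-line comment saying so would stop a reviewer from treating it as a duplicate.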
@@ -0,0 +1,33 @@
+Author: Steve Langasek
+Description: set process environment from pam_getenvlist()
+ Various pam modules provide environment variables that are intended to be
+ set in the environment of the pam session. pkexec needs to process the
+ output of pam_getenvlist() to get these.
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/982684
+Index: trunk/src/programs/pkexec.c
+===================================================================
+--- trunk.orig/src/programs/pkexec.c
++++ trunk/src/programs/pkexec.c
+@@ -145,6 +145,7 @@
+ gboolean ret;
+ gint rc;
+ pam_handle_t *pam_h;
++ char **envlist;
+ struct pam_conv conversation;
+
+ ret = FALSE;
+@@ -176,6 +177,14 @@
+
+ ret = TRUE;
+
++ envlist = pam_getenvlist (pam_h);
++ if (envlist != NULL) {
++ int i;
++ for (i = 0; envlist[i]; i++)
++ putenv(envlist[i]);
++ free (envlist);
++ }
++
+ out:
+ if (pam_h != NULL)
+ pam_end (pam_h, rc);
diff -Nru policykit-1-0.104/debian/patches/CVE-2013-4288.patch policykit-1-0.104/debian/patches/CVE-2013-4288.patch
--- policykit-1-0.104/debian/patches/CVE-2013-4288.patch 1970-01-01 00:00:00.000000000 +0000
+++ policykit-1-0.104/debian/patches/CVE-2013-4288.patch 2013-09-11 13:48:36.000000000 +0000
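Review bot: `putenv(envlist[i])` does not copy its argument — the string itself becomes part of environ — so the strings returned by pam_getenvlist() must stay allocated and only the array may be freed; the hunk does exactly that but without saying so, and the next person to "fix the leak" will free the strings and corrupt the environment. Add `/* putenv() keeps the string itself in environ: free the array, never the strings */` above `free (envlist);`. The return value of putenv() is also ignored, so an ENOMEM failure silently drops a variable; logging it, e.g. `if (putenv (envlist[i]) != 0) g_warning ("putenv failed: %s", g_strerror (errno));`, would make that visible. These variables enter pkexec's own environment before `out:`; whatever filtering pkexec applies when it builds the environment of the program it executes is not visible in this hunk and should be confirmed to cover them, ideally in the patch Description. The enclosing function starts before the hunk.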
@@ -0,0 +1,117 @@ +Backport of: + +From 52c927893a2ab135462b616c2e00fec377da9885 Mon Sep 17 00:00:00 2001 +From: Colin Walters +Date: Mon, 19 Aug 2013 12:16:11 -0400 +Subject: [PATCH 2/4] pkcheck: Support --process=pid,start-time,uid syntax too + +The uid is a new addition; this allows callers such as libvirt to +close a race condition in reading the uid of the process talking to +them. They can read it via getsockopt(SO_PEERCRED) or equivalent, +rather than having pkcheck look at /proc later after the fact. + +Programs which invoke pkcheck but need to know beforehand (i.e. at +compile time) whether or not it supports passing the uid can +use: + +pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1) +test x$pkcheck_supports_uid = xyes +--- + data/polkit-gobject-1.pc.in | 3 +++ + docs/man/pkcheck.xml | 29 ++++++++++++++++++++--------- + src/programs/pkcheck.c | 9 +++++++-- + 3 files changed, 30 insertions(+), 11 deletions(-) + +Index: policykit-1-0.105/data/polkit-gobject-1.pc.in +=================================================================== +--- policykit-1-0.105.orig/data/polkit-gobject-1.pc.in 2013-09-11 09:40:56.604225567 -0400 ++++ policykit-1-0.105/data/polkit-gobject-1.pc.in 2013-09-11 09:40:56.596225567 -0400 +@@ -11,3 +11,6 @@ + Libs: -L${libdir} -lpolkit-gobject-1 + Cflags: -I${includedir}/polkit-1 + Requires: gio-2.0 >= 2.18 glib-2.0 >= 2.18 ++# Programs using pkcheck can use this to determine ++# whether or not it can be passed a uid. 
++pkcheck_supports_uid=true +Index: policykit-1-0.105/docs/man/pkcheck.xml +=================================================================== +--- policykit-1-0.105.orig/docs/man/pkcheck.xml 2013-09-11 09:40:56.604225567 -0400 ++++ policykit-1-0.105/docs/man/pkcheck.xml 2013-09-11 09:42:28.272223569 -0400 +@@ -55,6 +55,9 @@ + + pid,pid-start-time + ++ ++ pid,pid-start-time,uid ++ + + + +@@ -90,7 +93,7 @@ + DESCRIPTION + + pkcheck is used to check whether a process, specified by +- either or , ++ either (see below) or , + is authorized for action. The + option can be used zero or more times to pass details about action. + If is passed, pkcheck blocks +@@ -160,17 +163,25 @@ + + NOTES + +- Since process identifiers can be recycled, the caller should always use +- pid,pid-start-time to specify the process +- to check for authorization when using the option. +- The value of pid-start-time +- can be determined by consulting e.g. the ++ Do not use either the bare pid or ++ pid,start-time syntax forms for ++ . There are race conditions in both. ++ New code should always use ++ pid,pid-start-time,uid. The value of ++ start-time can be determined by ++ consulting e.g. the + + proc5 + +- file system depending on the operating system. If only pid +- is passed to the option, then pkcheck +- will look up the start time itself but note that this may be racy. ++ file system depending on the operating system. If fewer than 3 ++ arguments are passed, pkcheck will attempt to ++ look up them up internally, but note that this may be racy. ++ ++ ++ If your program is a daemon with e.g. a custom Unix domain ++ socket, you should determine the uid ++ parameter via operating system mechanisms such as ++ PEERCRED. 
+
+
+
+Index: policykit-1-0.105/src/programs/pkcheck.c
+===================================================================
+--- policykit-1-0.105.orig/src/programs/pkcheck.c 2013-09-11 09:40:56.604225567 -0400
++++ policykit-1-0.105/src/programs/pkcheck.c 2013-09-11 09:40:56.600225567 -0400
+@@ -372,6 +372,7 @@
+ else if (g_strcmp0 (argv[n], "--process") == 0 || g_strcmp0 (argv[n], "-p") == 0)
+ {
+ gint pid;
++ guint uid;
+ guint64 pid_start_time;
+
+ n++;
+@@ -381,7 +382,11 @@
+ goto out;
+ }
+
+- if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
++ if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u", &pid, &pid_start_time, &uid) == 3)
++ {
++ subject = polkit_unix_process_new_for_owner (pid, pid_start_time, uid);
++ }
++ else if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
+ {
+ subject = polkit_unix_process_new_full (pid, pid_start_time);
+ }
diff -Nru policykit-1-0.104/debian/patches/series policykit-1-0.104/debian/patches/series
--- policykit-1-0.104/debian/patches/series 2012-01-06 11:28:58.000000000 +0000
+++ policykit-1-0.104/debian/patches/series 2013-09-11 13:48:36.000000000 +0000
@@ -3,3 +3,5 @@
 03_complete_session.patch
 04_get_cwd.patch
 05_revert-admin-identities-unix-group-wheel.patch
+07_pam_environment.patch
+CVE-2013-4288.patch
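Review bot: The new three-field parse `sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u", &pid, &pid_start_time, &uid) == 3` accepts input it should reject: sscanf stops at the first unexpected character and still reports 3 conversions, so trailing garbage after the uid is silently ignored, and `%u` converts a leading minus sign without error, so a negative uid wraps to a large unsigned value instead of failing. Because this form is the one callers are now told to use so that pkcheck does not guess the owner itself, the argument should be required to be consumed completely, e.g. `int consumed = 0;` and `if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u%n", &pid, &pid_start_time, &uid, &consumed) == 3 && argv[n][consumed] == '\0')`, with a separate rejection of a '-' at the start of the uid field (or per-field parsing with g_ascii_strtoull and end-pointer checks). The two older forms remain accepted as a fallback, which the man page hunk above documents as racy; a comment on the `else if` saying the fallback is kept only for existing callers would make that deliberate. The enclosing option-parsing loop begins and ends outside the hunk.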