diff -u policykit-1-0.96/debian/changelog policykit-1-0.96/debian/changelog --- policykit-1-0.96/debian/changelog +++ policykit-1-0.96/debian/changelog @@ -1,3 +1,14 @@ +policykit-1 (0.96-2) unstable; urgency=medium + + * Urgency medium, just two small, but important bug fixes. + * Add 00git-pkexec-information-disclosure.patch: Fix information disclosure + vulnerability that allows an attacker to verify whether or not arbitrary + files exist, violating directory permissions. + * 00git-fix-error-freeing.patch: Fix crash when calling CheckAuthorization() + with an invalid PID. (LP: #540464) + + -- Martin Pitt Fri, 09 Apr 2010 12:09:53 +0200 + policykit-1 (0.96-1) unstable; urgency=low * New upstream release. diff -u policykit-1-0.96/debian/patches/series policykit-1-0.96/debian/patches/series --- policykit-1-0.96/debian/patches/series +++ policykit-1-0.96/debian/patches/series @@ -1 +1,3 @@ +00git-pkexec-information-disclosure.patch +00git-fix-error-freeing.patch 01_pam_polkit.patch only in patch2: unchanged: --- policykit-1-0.96.orig/debian/patches/00git-fix-error-freeing.patch +++ policykit-1-0.96/debian/patches/00git-fix-error-freeing.patch @@ -0,0 +1,32 @@ +From 4c5763334e546615a8f03a80c340b288e1975e91 Mon Sep 17 00:00:00 2001 +From: Martin Pitt +Date: Fri, 9 Apr 2010 11:48:45 +0200 +Subject: [PATCH 2/2] =?UTF-8?q?Bug=2027159=20=E2=80=94=20polkitd=20crashes=20when=20calling=20pkcheck=20on=20a=20wrong=20PID?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Do not free an error which we are passing to our caller. This fixes a NULL +pointer crash when doing CheckAuthorization() on an invalid PID. + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=27159 +Bug-Ubuntu: https://launchpad.net/bugs/540464 +--- + src/polkitbackend/polkitbackendsessionmonitor.c | 1 - + 1 files changed, 0 insertions(+), 1 deletions(-) + +diff --git a/src/polkitbackend/polkitbackendsessionmonitor.c b/src/polkitbackend/polkitbackendsessionmonitor.c +index 2028250..2a72435 100644 +--- a/src/polkitbackend/polkitbackendsessionmonitor.c ++++ b/src/polkitbackend/polkitbackendsessionmonitor.c +@@ -425,7 +425,6 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor + if (local_error != NULL) + { + g_propagate_error (error, local_error); +- g_error_free (local_error); + goto out; + } + user = polkit_unix_user_new (uid); +-- +1.7.0 + only in patch2: unchanged: --- policykit-1-0.96.orig/debian/patches/00git-pkexec-information-disclosure.patch +++ policykit-1-0.96/debian/patches/00git-pkexec-information-disclosure.patch @@ -0,0 +1,68 @@ +From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg +Date: Wed, 10 Mar 2010 12:46:19 -0500 +Subject: [PATCH 1/2] =?UTF-8?q?Bug=2026982=20=E2=80=93=20pkexec=20information=20disclosure=20vulnerability?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +pkexec is vulnerable to a minor information disclosure vulnerability +that allows an attacker to verify whether or not arbitrary files +exist, violating directory permissions. I reproduced the issue on my +Karmic installation as follows: + + $ mkdir secret + $ sudo chown root:root secret + $ sudo chmod 400 secret + $ sudo touch secret/hidden + $ pkexec /home/drosenbe/secret/hidden + (password prompt) + $ pkexec /home/drosenbe/secret/doesnotexist + Error getting information about /home/drosenbe/secret/doesnotexist: No such + file or directory + +I've attached my patch for the issue. I replaced the stat() call +entirely with access() using F_OK, so rather than check that the +target exists, pkexec now checks if the user has permission to verify +the existence of the program. There might be another way of doing +this, such as chdir()'ing to the parent directory of the target and +calling lstat(), but this seemed like more code than necessary to +prevent such a minor problem. I see no reason to allow pkexec to +execute targets that are not accessible to the executing user because +of directory permissions. This is such a limited use case anyway that +this doesn't really affect functionality. + +http://bugs.freedesktop.org/show_bug.cgi?id=26982 + +Signed-off-by: David Zeuthen +--- + src/programs/pkexec.c | 5 ++--- + 1 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 860e665..17c191e 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -411,7 +411,6 @@ main (int argc, char *argv[]) + gchar *opt_user; + pid_t pid_of_caller; + uid_t uid_of_caller; +- struct stat statbuf; + + ret = 127; + authority = NULL; +@@ -520,9 +519,9 @@ main (int argc, char *argv[]) + g_free (path); + argv[n] = path = s; + } +- if (stat (path, &statbuf) != 0) ++ if (access (path, F_OK) != 0) + { +- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno)); ++ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno)); + goto out; + } + command_line = g_strjoinv (" ", argv + n); +-- +1.7.0 +