Created attachment 225534 [details] Patch to update sysutils/polkit Update to 0.119
Also needs a VuXML entry: https://seclists.org/oss-sec/2021/q2/180
Moin moin This patch additionally converts it to use meson as a build system: https://people.freebsd.org/~tcberner/patches/polkit-119.v1.diff mfg Tobias
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9 commit 0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9 Author: Tobias C. Berner <tcberner@FreeBSD.org> AuthorDate: 2021-06-04 18:27:49 +0000 Commit: Tobias C. Berner <tcberner@FreeBSD.org> CommitDate: 2021-06-04 18:29:52 +0000 security/vuxml: document vulnerability in sysutils/polkit Cedric Buissart reports: The function `polkit_system_bus_name_get_creds_sync` is used to get the uid and pid of the process requesting the action. It does this by sending the unique bus name of the requesting process, which is typically something like ":1.96", to `dbus-daemon`. These unique names are assigned and managed by `dbus-daemon` and cannot be forged, so this is a good way to check the privileges of the requesting process. The vulnerability happens when the requesting process disconnects from `dbus-daemon` just before the call to `polkit_system_bus_name_get_creds_sync` starts. In this scenario, the unique bus name is no longer valid, so `dbus-daemon` sends back an error reply. This error case is handled in `polkit_system_bus_name_get_creds_sync` by setting the value of the `error` parameter, but it still returns `TRUE`, rather than `FALSE`. This behavior means that all callers of `polkit_system_bus_name_get_creds_sync` need to carefully check whether an error was set. If the calling function forgets to check for errors then it will think that the uid of the requesting process is 0 (because the `AsyncGetBusNameCredsData` struct is zero initialized). In other words, it will think that the action was requested by a root process, and will therefore allow it. PR: 256405 Security: CVE-2021-3560 polkit security/vuxml/vuln.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+)
A new vulnerability in polkit has been discovered on Linux https://access.redhat.com/security/cve/CVE-2021-3560 This discusses the details of it and steps to repro: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/ I have not tried to repro this with older versions of polkit yet (I have 0.114_2 installed on this system, for example) but it is probably worth investigating before releasing an update of the port. CVE-2021-3560 was apparently recently discovered and reported yesterday
(In reply to Bob Frazier from comment #4) What does this mean in terms of what is left (if anything) to be done to resolve/close this issue, as reported?
I just found this pull request patch related to polkit and CVE-2021-3560 https://github.com/microsoft/CBL-Mariner/pull/1010/commits/3e224606ab982726c118e334736aa51d158b846c I do not know if it is enough to fix everything but it looks like it's the only one related to the CVE report. This patch was apparently committed on 6/3 if I do my date math correctly I checked the source tarball and it appears to have the patch applied, at least for that line of code, and is dated 6/3 (along with the patch). If polkit 0.119 already has this patched, then maybe it's ok now? I did not see a newer version of the code available on the polkit tarball site, nor find any other related patches. (so maybe confirm it with upstream and then good to go?)
(In reply to Bob Frazier from comment #6) Yes, that's what 0.119 fixes. https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 https://gitlab.freedesktop.org/polkit/polkit/-/compare/0.118...0.119?from_project_id=884 https://gitlab.freedesktop.org/polkit/polkit/-/blob/master/NEWS
Using the attached patch. testport: ok. 13amd64.
^Triage: Pending vuxml entry, commit and merge
(In reply to Kubilay Kocak from comment #10) Oops, didnt see that vuxml has been committed (see comment 3) Commit and merge required from here to close issue.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=ba6b6059f6d7f2801e5a46a12464f9a8c7180528 commit ba6b6059f6d7f2801e5a46a12464f9a8c7180528 Author: Tobias C. Berner <tcberner@FreeBSD.org> AuthorDate: 2021-06-26 15:10:39 +0000 Commit: Tobias C. Berner <tcberner@FreeBSD.org> CommitDate: 2021-06-26 15:17:47 +0000 sysutils/polkit: Update to 0.119 PR: 256405 Reported by: Olivier Duchateau <duchateau.olivier@gmail.com> Security: CVE-2021-3560 sysutils/polkit/Makefile | 48 ++++++++++------------ sysutils/polkit/distinfo | 6 +-- sysutils/polkit/files/patch-data_meson.build (new) | 11 +++++ sysutils/polkit/files/patch-meson.build (new) | 27 ++++++++++++ 4 files changed, 63 insertions(+), 29 deletions(-)
A commit in branch 2021Q2 references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=81e7a344559054906f97a5e89c4d70c885604bd8 commit 81e7a344559054906f97a5e89c4d70c885604bd8 Author: Tobias C. Berner <tcberner@FreeBSD.org> AuthorDate: 2021-06-26 15:10:39 +0000 Commit: Tobias C. Berner <tcberner@FreeBSD.org> CommitDate: 2021-06-26 15:18:19 +0000 sysutils/polkit: Update to 0.119 PR: 256405 Reported by: Olivier Duchateau <duchateau.olivier@gmail.com> Security: CVE-2021-3560 (cherry picked from commit ba6b6059f6d7f2801e5a46a12464f9a8c7180528) sysutils/polkit/Makefile | 48 ++++++++++------------ sysutils/polkit/distinfo | 6 +-- sysutils/polkit/files/patch-data_meson.build (new) | 11 +++++ sysutils/polkit/files/patch-meson.build (new) | 27 ++++++++++++ 4 files changed, 63 insertions(+), 29 deletions(-)
It seems like this has been resolved/fixed?
Indeed. Thanks for the reminder. mfg Tobias