Created attachment 231339 [details] 0001-sysutils-polkit-add-upstream-patch-for-CVE-2021-4034.patch A vulnerability was just published along with the patch: https://seclists.org/oss-sec/2022/q1/80 https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/104 Let's apply the patch ASAP.
^Triage: Pending VuXML entry
d2118ff0f1a36bc17eca25041e8a624d7a03e796 in main b6e934ca1d37b5d2b22fdd3d8f4f0952f5760764 in 2022Q2 Those add the patch, diff to the ports system as provided by Greg V.
Please also MFC this as fast as possible.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=7e3378fc941d3710b4d864e3fffa0c78004b0632 commit 7e3378fc941d3710b4d864e3fffa0c78004b0632 Author: Adriaan de Groot <adridg@FreeBSD.org> AuthorDate: 2022-01-26 23:02:41 +0000 Commit: Adriaan de Groot <adridg@FreeBSD.org> CommitDate: 2022-01-26 23:05:01 +0000 security/vuxml: notify polkit local-privilege-escalation It was unclear if the actual explot would work on FreeBSD, since there's no GNU libc which the payload would work on. The following changes are / have been applied: - fix in polkit from upstream (from Greg V) - at kernel level, fixes to disallow argc==0 (from kevans, I think) PR: 261482 security/vuxml/vuln-2022.xml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+)
(In reply to Dani from comment #3) This was already MFC'ed; I said "2022Q2" but I meant "2022Q1", which is the current quarterly branch. I don't think cherry-picks to further-back-branches are necessarily warranted. I'll check (briefly) if they make sense.
Older quarterly branches have older polkit versions (which are all vulnerable), but given that those branches are unsupported, I will not MFH any further.