Bug 256405

Summary: sysutils/polkit: Update to 0.119
Product: Ports & Packages Reporter: Olivier Duchateau <duchateau.olivier>
Component: Individual Port(s)Assignee: freebsd-desktop (Team) <desktop>
Status: Closed FIXED    
Severity: Affects Many People CC: bobf, dereks, evgeniy, jcfyecrayz, ports-secteam, tcberner
Priority: Normal Keywords: security
Version: LatestFlags: tcberner: maintainer-feedback+
koobs: merge-quarterly?
Hardware: Any   
OS: Any   
URL: https://seclists.org/oss-sec/2021/q2/180
Attachments:
Description Flags
Patch to update sysutils/polkit none

Description Olivier Duchateau 2021-06-03 18:48:50 UTC
Created attachment 225534 [details]
Patch to update sysutils/polkit

Update to 0.119
Comment 1 Evgeniy Khramtsov 2021-06-04 15:06:43 UTC
Also needs a VuXML entry: https://seclists.org/oss-sec/2021/q2/180
Comment 2 Tobias C. Berner freebsd_committer 2021-06-04 18:10:01 UTC
Moin moin

This patch additionally converts it to use meson as a build system:
https://people.freebsd.org/~tcberner/patches/polkit-119.v1.diff


mfg Tobias
Comment 3 commit-hook freebsd_committer 2021-06-04 18:30:28 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9

commit 0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-06-04 18:27:49 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-06-04 18:29:52 +0000

    security/vuxml: document vulnerability in sysutils/polkit

    Cedric Buissart reports:

            The function `polkit_system_bus_name_get_creds_sync` is used to get the
            uid and pid of the process requesting the action. It does this by
            sending the unique bus name of the requesting process, which is
            typically something like ":1.96", to `dbus-daemon`. These unique names
            are assigned and managed by `dbus-daemon` and cannot be forged, so this
            is a good way to check the privileges of the requesting process.

            The vulnerability happens when the requesting process disconnects from
            `dbus-daemon` just before the call to
            `polkit_system_bus_name_get_creds_sync` starts. In this scenario, the
            unique bus name is no longer valid, so `dbus-daemon` sends back an error
            reply. This error case is handled in
            `polkit_system_bus_name_get_creds_sync` by setting the value of the
            `error` parameter, but it still returns `TRUE`, rather than `FALSE`.
            This behavior means that all callers of
            `polkit_system_bus_name_get_creds_sync` need to carefully check whether
            an error was set. If the calling function forgets to check for errors
            then it will think that the uid of the requesting process is 0 (because
            the `AsyncGetBusNameCredsData` struct is zero initialized). In other
            words, it will think that the action was requested by a root process,
            and will therefore allow it.

    PR:             256405
    Security:       CVE-2021-3560 polkit

 security/vuxml/vuln.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
Comment 4 Bob Frazier 2021-06-11 20:05:48 UTC
A new vulnerability in polkit has been discovered on Linux

https://access.redhat.com/security/cve/CVE-2021-3560

This discusses the details of it and steps to repro:

https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/


I have not tried to repro this with older versions of polkit yet (I have 0.114_2 installed on this system, for example) but it is probably worth investigating before releasing an update of the port.

CVE-2021-3560 was apparently recently discovered and reported yesterday
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-19 02:00:00 UTC
(In reply to Bob Frazier from comment #4)

What does this mean in terms of what is left (if anything) to be done to resolve/close this issue, as reported?
Comment 6 Bob Frazier 2021-06-19 16:14:42 UTC
I just found this pull request patch related to polkit and CVE-2021-3560

https://github.com/microsoft/CBL-Mariner/pull/1010/commits/3e224606ab982726c118e334736aa51d158b846c

I do not know if it is enough to fix everything but it looks like it's the only one related to the CVE report.

This patch was apparently committed on 6/3 if I do my date math correctly

I checked the source tarball and it appears to have the patch applied, at least for that line of code, and is dated 6/3 (along with the patch).

If polkit 0.119 already has this patched, then maybe it's ok now?  I did not see a newer version of the code available on the polkit tarball site, nor find any other related patches.

(so maybe confirm it with upstream and then good to go?)
Comment 8 Derek Schrock 2021-06-22 05:26:39 UTC
Using the attached patch.

testport: ok. 13amd64.
Comment 9 Derek Schrock 2021-06-22 05:26:51 UTC
Using the attached patch.

testport: ok. 13amd64.
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-26 03:27:42 UTC
^Triage: Pending vuxml entry, commit and merge
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2021-06-26 04:25:31 UTC
(In reply to Kubilay Kocak from comment #10)

Oops, didnt see that vuxml has been committed (see comment 3)

Commit and merge required from here to close issue.
Comment 12 commit-hook freebsd_committer 2021-06-26 15:18:08 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ba6b6059f6d7f2801e5a46a12464f9a8c7180528

commit ba6b6059f6d7f2801e5a46a12464f9a8c7180528
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-06-26 15:10:39 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-06-26 15:17:47 +0000

    sysutils/polkit: Update to 0.119

    PR:             256405
    Reported by:    Olivier Duchateau <duchateau.olivier@gmail.com>
    Security:       CVE-2021-3560

 sysutils/polkit/Makefile                           | 48 ++++++++++------------
 sysutils/polkit/distinfo                           |  6 +--
 sysutils/polkit/files/patch-data_meson.build (new) | 11 +++++
 sysutils/polkit/files/patch-meson.build (new)      | 27 ++++++++++++
 4 files changed, 63 insertions(+), 29 deletions(-)
Comment 13 commit-hook freebsd_committer 2021-06-26 15:19:10 UTC
A commit in branch 2021Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=81e7a344559054906f97a5e89c4d70c885604bd8

commit 81e7a344559054906f97a5e89c4d70c885604bd8
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-06-26 15:10:39 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-06-26 15:18:19 +0000

    sysutils/polkit: Update to 0.119

    PR:             256405
    Reported by:    Olivier Duchateau <duchateau.olivier@gmail.com>
    Security:       CVE-2021-3560

    (cherry picked from commit ba6b6059f6d7f2801e5a46a12464f9a8c7180528)

 sysutils/polkit/Makefile                           | 48 ++++++++++------------
 sysutils/polkit/distinfo                           |  6 +--
 sysutils/polkit/files/patch-data_meson.build (new) | 11 +++++
 sysutils/polkit/files/patch-meson.build (new)      | 27 ++++++++++++
 4 files changed, 63 insertions(+), 29 deletions(-)
Comment 14 John Hein 2021-08-01 17:31:13 UTC
It seems like this has been resolved/fixed?
Comment 15 Tobias C. Berner freebsd_committer 2021-08-01 17:33:31 UTC
Indeed. Thanks for the reminder.


mfg Tobias