Bug 256405 - sysutils/polkit: Update to 0.119
Summary: sysutils/polkit: Update to 0.119
Status: In Progress
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-desktop (Team)
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2021-06-03 18:48 UTC by Olivier Duchateau
Modified: 2021-06-11 20:05 UTC

See Also:
tcberner: maintainer-feedback+


Attachments
Patch to update sysutils/polkit (1.59 KB, patch)
2021-06-03 18:48 UTC, Olivier Duchateau

Description Olivier Duchateau 2021-06-03 18:48:50 UTC
Created attachment 225534
Patch to update sysutils/polkit

Update to 0.119
Comment 1 Evgeniy Khramtsov 2021-06-04 15:06:43 UTC
Also needs a VuXML entry: https://seclists.org/oss-sec/2021/q2/180
Comment 2 Tobias C. Berner freebsd_committer 2021-06-04 18:10:01 UTC
Moin moin

This patch additionally converts it to use meson as a build system:
https://people.freebsd.org/~tcberner/patches/polkit-119.v1.diff


mfg Tobias
Comment 3 commit-hook freebsd_committer 2021-06-04 18:30:28 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9

commit 0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-06-04 18:27:49 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-06-04 18:29:52 +0000

    security/vuxml: document vulnerability in sysutils/polkit

    Cedric Buissart reports:

            The function `polkit_system_bus_name_get_creds_sync` is used to get the
            uid and pid of the process requesting the action. It does this by
            sending the unique bus name of the requesting process, which is
            typically something like ":1.96", to `dbus-daemon`. These unique names
            are assigned and managed by `dbus-daemon` and cannot be forged, so this
            is a good way to check the privileges of the requesting process.

            The vulnerability happens when the requesting process disconnects from
            `dbus-daemon` just before the call to
            `polkit_system_bus_name_get_creds_sync` starts. In this scenario, the
            unique bus name is no longer valid, so `dbus-daemon` sends back an error
            reply. This error case is handled in
            `polkit_system_bus_name_get_creds_sync` by setting the value of the
            `error` parameter, but it still returns `TRUE`, rather than `FALSE`.
            This behavior means that all callers of
            `polkit_system_bus_name_get_creds_sync` need to carefully check whether
            an error was set. If the calling function forgets to check for errors
            then it will think that the uid of the requesting process is 0 (because
            the `AsyncGetBusNameCredsData` struct is zero initialized). In other
            words, it will think that the action was requested by a root process,
            and will therefore allow it.

    PR:             256405
    Security:       CVE-2021-3560 polkit

 security/vuxml/vuln.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
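
The error-handling pitfall described in the commit message above, as an added example that is not part of the original bug thread or of polkit's code: a C model in which the lookup function sets `err` on failure but still returns true, next to a corrected contract and a caller that fails closed. All names (`creds_t`, `get_creds_flawed`, `get_creds_fixed`, the `is_root_*` callers) and the bus model are hypothetical; `:1.97` is a constructed name standing for a peer that has already disconnected.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for this example; not polkit's types or functions. */
typedef struct { unsigned uid, pid; } creds_t;
typedef bool (*get_creds_fn)(const char *, creds_t *, const char **);

/* Constructed bus model: only ":1.96" is still connected (uid 1001). */
static bool bus_lookup(const char *name, creds_t *out) {
    if (strcmp(name, ":1.96") != 0) return false;   /* peer already gone */
    out->uid = 1001; out->pid = 4242;
    return true;
}
/* Flawed contract from the report: on failure *err is set, but the function
 * still returns true and hands back the zero-initialized credentials. */
static bool get_creds_flawed(const char *name, creds_t *out, const char **err) {
    creds_t data = {0};
    if (!bus_lookup(name, &data)) *err = "name has no owner";
    *out = data;
    return true;
}
/* Corrected contract: failure shows in the return value, *out is untouched. */
static bool get_creds_fixed(const char *name, creds_t *out, const char **err) {
    creds_t data = {0};
    if (!bus_lookup(name, &data)) { *err = "name has no owner"; return false; }
    *out = data;
    return true;
}
/* Caller that trusts only the return value and never looks at err. */
bool is_root_return_only(get_creds_fn get, const char *name) {
    creds_t c = {0}; const char *err = NULL;
    if (!get(name, &c, &err)) return false;
    return c.uid == 0;
}
/* Defensive caller: a set error also counts as failure (fail closed). */
bool is_root_checked(get_creds_fn get, const char *name) {
    creds_t c = {0}; const char *err = NULL;
    if (!get(name, &c, &err) || err != NULL) return false;
    return c.uid == 0;
}
int main(void) {
    printf("flawed, return-only caller, gone peer -> root? %d\n",
           is_root_return_only(get_creds_flawed, ":1.97"));
    printf("flawed, checked caller, gone peer     -> root? %d\n",
           is_root_checked(get_creds_flawed, ":1.97"));
    return 0;
}
```

Only the combination of the flawed contract and the return-only caller reports the vanished peer as uid 0; either fixing the return value or checking `err` in the caller closes the gap.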
Comment 4 Bob Frazier 2021-06-11 20:05:48 UTC
A new vulnerability in polkit has been discovered on Linux.

https://access.redhat.com/security/cve/CVE-2021-3560

This discusses the details of it and steps to repro:

https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/


I have not tried to repro this with older versions of polkit yet (I have 0.114_2 installed on this system, for example) but it is probably worth investigating before releasing an update of the port.

CVE-2021-3560 was apparently recently discovered and reported yesterday.