Bug 261482 - sysutils/polkit: Add upstream fix for CVE-2021-4034 "pwnkit" security vulnerability
Summary: sysutils/polkit: Add upstream fix for CVE-2021-4034 "pwnkit" security vulnera...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: freebsd-desktop (Team)
URL: https://seclists.org/oss-sec/2022/q1/80
Keywords: needs-patch, needs-qa, security
Depends on:
Reported: 2022-01-25 23:26 UTC by Val Packett
Modified: 2022-01-27 10:01 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (desktop)
koobs: merge-quarterly?

0001-sysutils-polkit-add-upstream-patch-for-CVE-2021-4034.patch (3.32 KB, patch)
2022-01-25 23:26 UTC, Val Packett
val: maintainer-approval?
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Val Packett 2022-01-25 23:26:49 UTC
Created attachment 231339 [details]

A vulnerability was just published along with the patch:

Let's apply the patch ASAP.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2022-01-25 23:29:52 UTC
^Triage: Pending VuXML entry
Comment 2 Adriaan de Groot freebsd_committer freebsd_triage 2022-01-26 01:52:06 UTC
d2118ff0f1a36bc17eca25041e8a624d7a03e796 in main
b6e934ca1d37b5d2b22fdd3d8f4f0952f5760764 in 2022Q2

Those add the patch, diff to the ports system as provided by Greg V.
Comment 3 Dani I. 2022-01-26 08:25:32 UTC
Please also MFC this as fast as possible.
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-01-26 23:05:56 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7e3378fc941d3710b4d864e3fffa0c78004b0632

commit 7e3378fc941d3710b4d864e3fffa0c78004b0632
Author:     Adriaan de Groot <adridg@FreeBSD.org>
AuthorDate: 2022-01-26 23:02:41 +0000
Commit:     Adriaan de Groot <adridg@FreeBSD.org>
CommitDate: 2022-01-26 23:05:01 +0000

    security/vuxml: notify polkit local-privilege-escalation

    It was unclear if the actual explot would work on FreeBSD,
    since there's no GNU libc which the payload would work on.
    The following changes are / have been applied:
    - fix in polkit from upstream (from Greg V)
    - at kernel level, fixes to disallow argc==0 (from kevans, I think)

    PR:     261482

 security/vuxml/vuln-2022.xml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
Comment 5 Adriaan de Groot freebsd_committer freebsd_triage 2022-01-26 23:13:29 UTC
(In reply to Dani from comment #3)

This was already MFC'ed; I said "2022Q2" but I meant "2022Q1", which is the current quarterly branch. I don't think cherry-picks to further-back-branches are necessarily warranted. I'll check (briefly) if they make sense.
Comment 6 Adriaan de Groot freebsd_committer freebsd_triage 2022-01-27 10:01:38 UTC
Older quarterly branches have older polkit versions (which are all vulnerable), but given that those branches are unsupported, I will not MFH any further.