[SCM] rtkit/master: Fix CVE-2013-4326

alessio at users.alioth.debian.org alessio at users.alioth.debian.org
Thu Sep 19 09:47:18 UTC 2013


The following commit has been merged in the master branch:
commit 456712e761f322bb8411736ce26d629e60c0c085
Author: Alessio Treglia <alessio at debian.org>
Date:   Thu Sep 19 09:29:17 2013 +0100

    Fix CVE-2013-4326
    
    - pass the caller's uid to polkit; otherwise polkit has to look up the uid
      itself in /proc, which is racy if the caller execve()s a setuid binary
    
    Closes: #723714

diff --git a/debian/patches/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch b/debian/patches/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
new file mode 100644
index 0000000..c7210db
--- /dev/null
+++ b/debian/patches/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
@@ -0,0 +1,41 @@
+Author: Colin Walters <walters at verbum.org>
+From: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4326
+Description: Pass uid of caller to polkit
+ Otherwise, we force polkit to look up the uid itself in /proc, which
+ is racy if they execve() a setuid binary.
+---
+ rtkit-daemon.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- rtkit.orig/rtkit-daemon.c
++++ rtkit/rtkit-daemon.c
+@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection
+         DBusMessage *m = NULL, *r = NULL;
+         const char *unix_process = "unix-process";
+         const char *pid = "pid";
++        const char *uid = "uid";
+         const char *start_time = "start-time";
+         const char *cancel_id = "";
+         uint32_t flags = 0;
+         uint32_t pid_u32 = p->pid;
+-        uint64_t start_time_u64 = p->starttime;
++        uint32_t uid_u32 = (uint32_t)u->uid;
+         DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
++        uint64_t start_time_u64 = p->starttime;
+         int ret;
+         dbus_bool_t authorized = FALSE;
+ 
+@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection
+         assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
+         assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
+ 
++        assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict));
++        assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid));
++        assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant));
++        assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32));
++        assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
++        assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
++
+         assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array));
+         assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));
+ 
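Review bot: The added `uid` dict entry (the six `assert_se` lines after the start-time entry) only removes the /proc race if `u->uid` was itself taken from the D-Bus connection credentials and if the installed polkit actually reads the `uid` key; neither is visible here, because `verify_polkit` starts and ends outside both inner hunks. A polkit build without the matching fix would presumably ignore the extra key and keep doing the racy lookup, so the packaging should require the fixed polkit, e.g. a versioned dependency `policykit-1 (>= <FIXED_VERSION>)` (placeholder, take the real version from the polkit advisory). I would also add a comment above the new block, `/* Pass the caller's uid explicitly: letting polkit derive it from /proc/<pid> races with execve() of a setuid binary (CVE-2013-4326). */`, and state there where `u->uid` originates. Moving `start_time_u64` below the iterator declaration is unrelated churn and could be dropped so the patch shows only the security change.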
diff --git a/debian/patches/series b/debian/patches/series
index c7b9765..498db83 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 02-fix-undropped-supp-groups.patch
+0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
diff --git a/debian/patches/ubuntu.series b/debian/patches/ubuntu.series
index d9cf0e8..7331b0b 100644
--- a/debian/patches/ubuntu.series
+++ b/debian/patches/ubuntu.series
@@ -1,2 +1,3 @@
 01-no_ptrace_cap.patch
 02-fix-undropped-supp-groups.patch
+0001-SECURITY-Pass-uid-of-caller-to-polkit.patch

-- 
rtkit packaging


