commit a2bf5c9c83b6ae46cbd5c779d3055bff81ded683

Author: Jan Rybar <jrybar@redhat.com>

Date:   Tue Jan 25 17:21:46 2022 +0000

    pkexec: local privilege escalation (CVE-2021-4034)

diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c

index f1bb4e1..768525c 100644

--- a/src/programs/pkcheck.c

+++ b/src/programs/pkcheck.c

@@ -363,6 +363,11 @@ main (int argc, char *argv[])

   local_agent_handle = NULL;

   ret = 126;

+  if (argc < 1)

+    {

+      exit(126);

+    }

+

   /* Disable remote file access from GIO. */

   setenv ("GIO_USE_VFS", "local", 1);

diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c

index 7698c5c..84e5ef6 100644

--- a/src/programs/pkexec.c

+++ b/src/programs/pkexec.c

@@ -488,6 +488,15 @@ main (int argc, char *argv[])

   pid_t pid_of_caller;

   gpointer local_agent_handle;

+

+  /*

+   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.

+   */

+  if (argc<1)

+    {

+      exit(127);

+    }

+

   ret = 127;

   authority = NULL;

   subject = NULL;

@@ -614,10 +623,10 @@ main (int argc, char *argv[])

       path = g_strdup (pwstruct.pw_shell);

       if (!path)

-	{

+        {

           g_printerr ("No shell configured or error retrieving pw_shell\n");

           goto out;

-	}

+        }

       /* If you change this, be sure to change the if (!command_line)

 	 case below too */

       command_line = g_strdup (path);

@@ -636,7 +645,15 @@ main (int argc, char *argv[])

           goto out;

         }

       g_free (path);

-      argv[n] = path = s;

+      path = s;

+

+      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.

+       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination

+       */

+      if (argv[n] != NULL)

+      {

+        argv[n] = path;

+      }

     }

   if (access (path, F_OK) != 0)

     {