From 14feaf05bdf130248ffe75a349c5e3506b1b3ba2 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jun 02 2021 12:13:08 +0000 Subject: import polkit-0.115-12.el8 --- diff --git a/SOURCES/polkit-0.115-CVE-2021-3560.patch b/SOURCES/polkit-0.115-CVE-2021-3560.patch new file mode 100644 index 0000000..e5b2b85 --- /dev/null +++ b/SOURCES/polkit-0.115-CVE-2021-3560.patch @@ -0,0 +1,13 @@ +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) + g_main_context_iteration (tmp_context, TRUE); + ++ if (data.caught_error) ++ goto out; ++ + if (out_uid) + *out_uid = data.uid; + if (out_pid) + diff --git a/SPECS/polkit.spec b/SPECS/polkit.spec index 9f22b90..114d917 100644 --- a/SPECS/polkit.spec +++ b/SPECS/polkit.spec @@ -6,7 +6,7 @@ Summary: An authorization framework Name: polkit Version: 0.115 -Release: 11%{?dist} +Release: 12%{?dist} License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/polkit Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz @@ -25,6 +25,7 @@ Patch8: polkit-0.115-allow-uid-of-1.patch Patch9: polkit-0.115-move-to-mozjs60.patch Patch10: polkit-0.115-jsauthority-memleak.patch Patch11: polkit-0.115-pkttyagent-tcsaflush-batch-erase.patch +Patch12: polkit-0.115-CVE-2021-3560.patch BuildRequires: gcc-c++ @@ -190,6 +191,10 @@ exit 0 %{_libdir}/girepository-1.0/*.typelib %changelog +* Tue May 25 2021 Jan Rybar - 0.115-12 +- early disconnection from D-Bus results in privilege esc. +- Resolves: CVE-2021-3560 + * Mon Nov 04 2019 Jan Rybar - 0.115-11 - pkttyagent: resetting terminal erases rest of input line - Resolves: rhbz#1757853