diff --git a/SOURCES/polkit-0.112-CVE-2019-6133.patch b/SOURCES/polkit-0.112-CVE-2019-6133.patch new file mode 100644 index 0000000..19bed5a --- /dev/null +++ b/SOURCES/polkit-0.112-CVE-2019-6133.patch @@ -0,0 +1,155 @@ +diff -up ./src/polkitbackend/polkitbackendinteractiveauthority.c.ori ./src/polkitbackend/polkitbackendinteractiveauthority.c +--- ./src/polkitbackend/polkitbackendinteractiveauthority.c.ori 2019-01-21 17:30:43.468115782 +0100 ++++ ./src/polkitbackend/polkitbackendinteractiveauthority.c 2019-01-21 17:31:03.220029178 +0100 +@@ -2904,6 +2904,43 @@ temporary_authorization_store_free (Temp + g_free (store); + } + ++/* See the comment at the top of polkitunixprocess.c */ ++static gboolean ++subject_equal_for_authz (PolkitSubject *a, ++ PolkitSubject *b) ++{ ++ if (!polkit_subject_equal (a, b)) ++ return FALSE; ++ ++ /* Now special case unix processes, as we want to protect against ++ * pid reuse by including the UID. ++ */ ++ if (POLKIT_IS_UNIX_PROCESS (a) && POLKIT_IS_UNIX_PROCESS (b)) { ++ PolkitUnixProcess *ap = (PolkitUnixProcess*)a; ++ int uid_a = polkit_unix_process_get_uid ((PolkitUnixProcess*)a); ++ PolkitUnixProcess *bp = (PolkitUnixProcess*)b; ++ int uid_b = polkit_unix_process_get_uid ((PolkitUnixProcess*)b); ++ ++ if (uid_a != -1 && uid_b != -1) ++ { ++ if (uid_a == uid_b) ++ { ++ return TRUE; ++ } ++ else ++ { ++ g_printerr ("denying slowfork; pid %d uid %d != %d!\n", ++ polkit_unix_process_get_pid (ap), ++ uid_a, uid_b); ++ return FALSE; ++ } ++ } ++ /* Fall through; one of the uids is unset so we can't reliably compare */ ++ } ++ ++ return TRUE; ++} ++ + static gboolean + temporary_authorization_store_has_authorization (TemporaryAuthorizationStore *store, + PolkitSubject *subject, +@@ -2946,7 +2983,7 @@ temporary_authorization_store_has_author + TemporaryAuthorization *authorization = l->data; + + if (strcmp (action_id, authorization->action_id) == 0 && +- polkit_subject_equal (subject_to_use, authorization->subject)) ++ subject_equal_for_authz (subject_to_use, authorization->subject)) + { + ret = TRUE; + if (out_tmp_authz_id != NULL) +diff -up ./src/polkit/polkitsubject.c.ori ./src/polkit/polkitsubject.c +--- ./src/polkit/polkitsubject.c.ori 2013-05-29 16:51:37.000000000 +0200 ++++ ./src/polkit/polkitsubject.c 2019-01-21 17:31:03.218029187 +0100 +@@ -99,6 +99,8 @@ polkit_subject_hash (PolkitSubject *subj + * @b: A #PolkitSubject. + * + * Checks if @a and @b are equal, ie. represent the same subject. ++ * However, avoid calling polkit_subject_equal() to compare two processes; ++ * for more information see the `PolkitUnixProcess` documentation. + * + * This function can be used in e.g. g_hash_table_new(). + * +diff -up ./src/polkit/polkitunixprocess.c.ori ./src/polkit/polkitunixprocess.c +--- ./src/polkit/polkitunixprocess.c.ori 2019-01-21 17:30:43.477115743 +0100 ++++ ./src/polkit/polkitunixprocess.c 2019-01-21 17:31:03.219029182 +0100 +@@ -44,13 +44,82 @@ + * @title: PolkitUnixProcess + * @short_description: Unix processs + * +- * An object for representing a UNIX process. ++ * An object for representing a UNIX process. NOTE: This object as ++ * designed is now known broken; a mechanism to exploit a delay in ++ * start time in the Linux kernel was identified. Avoid ++ * calling polkit_subject_equal() to compare two processes. + * + * To uniquely identify processes, both the process id and the start + * time of the process (a monotonic increasing value representing the + * time since the kernel was started) is used. + */ + ++/* See https://gitlab.freedesktop.org/polkit/polkit/issues/75 ++ ++ But quoting the original email in full here to ensure it's preserved: ++ ++ From: Jann Horn ++ Subject: [SECURITY] polkit: temporary auth hijacking via PID reuse and non-atomic fork ++ Date: Wednesday, October 10, 2018 5:34 PM ++ ++When a (non-root) user attempts to e.g. control systemd units in the system ++instance from an active session over DBus, the access is gated by a polkit ++policy that requires "auth_admin_keep" auth. This results in an auth prompt ++being shown to the user, asking the user to confirm the action by entering the ++password of an administrator account. ++ ++After the action has been confirmed, the auth decision for "auth_admin_keep" is ++cached for up to five minutes. Subject to some restrictions, similar actions can ++then be performed in this timespan without requiring re-auth: ++ ++ - The PID of the DBus client requesting the new action must match the PID of ++ the DBus client requesting the old action (based on SO_PEERCRED information ++ forwarded by the DBus daemon). ++ - The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22) ++ must not have changed. The granularity of this timestamp is in the ++ millisecond range. ++ - polkit polls every two seconds whether a process with the expected start time ++ still exists. If not, the temporary auth entry is purged. ++ ++Without the start time check, this would obviously be buggy because an attacker ++could simply wait for the legitimate client to disappear, then create a new ++client with the same PID. ++ ++Unfortunately, the start time check is bypassable because fork() is not atomic. ++Looking at the source code of copy_process() in the kernel: ++ ++ p->start_time = ktime_get_ns(); ++ p->real_start_time = ktime_get_boot_ns(); ++ [...] ++ retval = copy_thread_tls(clone_flags, stack_start, stack_size, p, tls); ++ if (retval) ++ goto bad_fork_cleanup_io; ++ ++ if (pid != &init_struct_pid) { ++ pid = alloc_pid(p->nsproxy->pid_ns_for_children); ++ if (IS_ERR(pid)) { ++ retval = PTR_ERR(pid); ++ goto bad_fork_cleanup_thread; ++ } ++ } ++ ++The ktime_get_boot_ns() call is where the "start time" of the process is ++recorded. The alloc_pid() call is where a free PID is allocated. In between ++these, some time passes; and because the copy_thread_tls() call between them can ++access userspace memory when sys_clone() is invoked through the 32-bit syscall ++entry point, an attacker can even stall the kernel arbitrarily long at this ++point (by supplying a pointer into userspace memory that is associated with a ++userfaultfd or is backed by a custom FUSE filesystem). ++ ++This means that an attacker can immediately call sys_clone() when the victim ++process is created, often resulting in a process that has the exact same start ++time reported in procfs; and then the attacker can delay the alloc_pid() call ++until after the victim process has died and the PID assignment has cycled ++around. This results in an attacker process that polkit can't distinguish from ++the victim process. ++*/ ++ ++ + /** + * PolkitUnixProcess: + * diff --git a/SPECS/polkit.spec b/SPECS/polkit.spec index 7ed7075..79afcaa 100644 --- a/SPECS/polkit.spec +++ b/SPECS/polkit.spec @@ -6,7 +6,7 @@ Summary: An authorization framework Name: polkit Version: 0.112 -Release: 18%{?dist} +Release: 18%{?dist}.1 License: LGPLv2+ URL: http://www.freedesktop.org/wiki/Software/polkit Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz @@ -29,6 +29,7 @@ Patch7: polkit-0.112-add-its-files.patch Patch8: polkit-0.112-spawning-zombie-processes.patch Patch9: polkit-0.112-bus-conn-msg-ssh.patch Patch10: polkit-0.112-pkttyagent-auth-errmsg-debug.patch +Patch11: polkit-0.112-CVE-2019-6133.patch Group: System Environment/Libraries BuildRequires: glib2-devel >= 2.30.0 @@ -107,6 +108,7 @@ Development documentation for polkit. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 %build %if 0%{?enable_autoreconf} @@ -197,6 +199,10 @@ fi %{_datadir}/gtk-doc %changelog +* Tue Jan 22 2019 Jan Rybar - 0.112-18.el7_6.1 +- Fix of CVE-2019-6133, PID reuse via slow fork +- Resolves: rhbz#1667311 + * Wed Aug 01 2018 Jan Rybar - 0.112-18 - Error message about getting authority is too elaborate - Resolves: rhbz#1342855