Debian Patches

Status for policykit-1/0.105-31+deb11u1

Patch Description Author Forwarded Bugs Origin Last update
0.106/agenthelper-pam-Fix-newline-trimming-code.patch agenthelper-pam: Fix newline-trimming code
First, we were using == instead of =, as the author probably intended.
But after changing that, we're now assigning to const memory. Fix
that by writing to a temporary string buffer.
Colin Walters <walters@verbum.org> no upstream, 0.106, commit:14121fda7e4fa9463c66ce419cc32be7e7f3b535 2012-06-06
0.107/Try-harder-to-look-up-the-right-localization.patch Try harder to look up the right localization
The code for looking up localized strings for action descriptions
was manually trying to break locale names into pieces, but didn't
get it right for e.g. zh_CN.utf-8. Instead, use the GLib function
g_get_locale_variants(), which handles this (and more). This fixes
the translation problem reported in
https://bugzilla.gnome.org/show_bug.cgi?id=665497

(cherry picked from commit facadfb5c8c52ba45fd20ffe3b6d3ddd4208a427)
Matthias Clasen <mclasen@redhat.com> no 2012-06-27
0.108/build-Fix-.gir-generation-for-parallel-make.patch build: Fix .gir generation for parallel make
As per the instructions in the introspection Makefile, we should have a
line declaring a dependency between the .gir and .la files.
Ryan Lortie <desrt@velocity.(none)> yes debian upstream 2012-11-13
0.108/PolkitAgent-Avoid-crashing-if-initializing-the-server-obj.patch PolkitAgent: Avoid crashing if initializing the server object fails
Note that otherwise we return a freed server object. Since later in
polkit_agent_listener_register_with_options we check against NULL to
determine failure, this makes for sad times later when we call
server_free() on it again.
Adam Jackson <ajax@nwnk.net> yes debian upstream 0.108, commit:59f2d96ce3ac63173669f299a9453a7bf5e70a70 2012-10-09
0.110/07_set-XAUTHORITY-environment-variable-if-unset.patch Set XAUTHORITY environment variable if it is unset
The way it works is that if XAUTHORITY is unset, then its default
value is $HOME/.Xauthority. But since we're changing user identity
this will not work since $HOME will now change. Therefore, if
XAUTHORITY is unset, just set its default value before changing
identity. This bug only affected login managers using X Window
Authorization but not explicitly setting the XAUTHORITY variable.

You can argue that XAUTHORITY is broken since it forces uid-changing
apps like pkexec(1) to do more work - and get involved in intimate
details of how X works and so on - but that doesn't change how things
work.

Based on a patch from Peter Wu <lekensteyn@gmail.com>.
David Zeuthen <zeuthen@gmail.com> yes upstream upstream, 0.110, commit:d6acecdd0ebb42e28ff28e04e0207cb01fa20910 2012-12-19
0.110/04_get_cwd.patch Fix build on GNU Hurd Emilio Pozuelo Monfort <pochu27@gmail.com> yes upstream 2011-03-26
0.111/09_pam_environment.patch pkexec: Set process environment from pam_getenvlist()
Various pam modules provide environment variables that are intended to be set
in the environment of the pam session. pkexec needs to process the output of
pam_getenvlist() to get these.
Steve Langasek <steve.langasek@canonical.com> yes upstream 2013-03-08
0.111/Add-a-FIXME-to-polkitprivate.h.patch Add a FIXME to polkitprivate.h
See discussion in https://bugs.freedesktop.org/show_bug.cgi?id=63573 .
Miloslav Trmač <mitr@redhat.com> no upstream, 0.111, commit:18d97c95c022bb381efab8fb6ac80312bd7fbc11 2013-04-18
0.111/Fix-a-memory-leak.patch Fix a memory leak Miloslav Trmač <mitr@redhat.com> yes upstream upstream, 0.111, commit:d7b6ab40b586c255c49aba22f558eb6602c88b1e 2013-05-07
0.112/00git_type_registration.patch Use GOnce for interface type registration
Static local variable may not be enough since it doesn't provide locking.

Related to these udisksd warnings:
GLib-GObject-WARNING **: cannot register existing type `PolkitSubject'

Thanks to Hans de Goede for spotting this!
Tomas Bzatek <tbzatek@redhat.com> yes upstream upstream, 0.112, commit:20ad116a6582e57d20f9d8197758947918753a4c 2013-05-29
0.112/08_deprecate_racy_APIs.patch polkitunixprocess: Deprecate racy APIs
It's only safe for processes to be created with their owning uid,
(without kernel support, which we don't have). Anything else is
subject to clients exec()ing setuid binaries after the fact.
Colin Walters <walters@verbum.org> no upstream, 0.112, commit:08291789a1f99d4ab29c74c39344304bcca43023 2013-08-20
0.112/cve-2013-4288.patch pkcheck: Support --process=pid,start-time,uid syntax too
The uid is a new addition; this allows callers such as libvirt to
close a race condition in reading the uid of the process talking to
them. They can read it via getsockopt(SO_PEERCRED) or equivalent,
rather than having pkcheck look at /proc later after the fact.

Programs which invoke pkcheck but need to know beforehand (i.e. at
compile time) whether or not it supports passing the uid can
use:

pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
test x$pkcheck_supports_uid = xyes
Colin Walters <walters@verbum.org> no upstream, 0.112, commit:3968411b0c7ba193f9b9276ec911692aec248608 2013-08-19
0.114/polkitpermission-Fix-a-memory-leak-on-authority-changes.patch polkitpermission: Fix a memory leak on authority changes Rui Matos <tiagomatos@gmail.com> yes upstream upstream, 0.114, commit:df6488c0a5b2a6c7a2d4f6a55008263635c5571b 2017-03-02
0.113/Port-internals-non-deprecated-PolkitProcess-API-wher.patch Port internals non-deprecated PolkitProcess API where possible
We can't port everything, but in PolkitPermission and these test
cases, we can use _for_owner() with the right information.

[smcv: drop the part that touches
test/polkitbackend/test-polkitbackendjsauthority.c which is not
in this branch]
Colin Walters <walters@verbum.org> no upstream, 0.113, commit:6d3d0a8ffb0fd8ae59eb35593b305ec87da8858d 2013-11-09
0.113/sessionmonitor-systemd-Use-sd_uid_get_state-to-check.patch sessionmonitor-systemd: Use sd_uid_get_state() to check session activity

Instead of using sd_pid_get_session() then sd_session_is_active() to
determine whether the user is active, use sd_uid_get_state() directly.
This gets the maximum of the states of all the user’s sessions, rather
than the state of the session containing the subject process. Since the
user is the security boundary, this is fine.

This change is necessary for `systemd --user` sessions, where most user
code will be forked off user@.service, rather than running inside the
logind session (whether that be a foreground/active or background/online
session).

Policy-wise, the change is from checking whether the subject process is
in an active session; to checking whether the subject process is owned
by a user with at least one active session.
Philip Withnall <philip.withnall@collabora.co.uk> yes debian upstream 2015-06-02
0.113/pkexec-Work-around-systemd-injecting-broken-XDG_RUNT.patch pkexec: Work around systemd injecting broken XDG_RUNTIME_DIR
This workaround isn't too much code, and it's often better to fix bugs
in two places anyways.

For more information:

See https://bugzilla.redhat.com/show_bug.cgi?id=753882
See http://lists.freedesktop.org/archives/systemd-devel/2013-November/014370.html
Colin Walters <walters@verbum.org> no upstream, 0.113, commit:8635ffc16aeff6a07d675f861fe0dea03ea81d7e 2013-11-21
0.113/03_PolkitAgentSession-fix-race-between-child-and-io-wat.patch PolkitAgentSession: fix race between child and io watches
The helper flushes and fdatasyncs stdout and stderr before terminating
but this doesn't guarantee that our io watch is called before our
child watch. This means that we can end up with a successful return
from the helper which we still report as a failure.

If we add G_IO_HUP and G_IO_ERR to the conditions we look for in the
io watch and the child terminates we still run the io watch handler
which will complete the session.

This means that the child watch is in fact needless and we can remove
it.
Rui Matos <tiagomatos@gmail.com> yes upstream upstream, 0.113, commit:7650ad1e08ab13bdb461783c4995d186d9392840 2014-02-06
0.113/polkitd-Fix-problem-with-removing-non-existent-sourc.patch polkitd: Fix problem with removing non-existent source Lukasz Skalski <l.skalski@samsung.com> yes upstream 2014-04-22
0.113/PolkitSystemBusName-Add-public-API-to-retrieve-Unix-.patch PolkitSystemBusName: Add public API to retrieve Unix user
And change the duplicated code in the backend session monitors to use
it. This is just a code cleanup resulting from review after
CVE-2013-4288. There's no security impact from this patch, it just
removes duplicated code.
Colin Walters <walters@verbum.org> yes upstream upstream, 0.113, commit:904d8404d93dec45fce3b719eb1a626acc6b8a73 2013-08-21
0.113/Fixed-compilation-problem-in-the-backend.patch Fixed compilation problem in the backend Xabier Rodriguez Calvar <calvaris@igalia.com> no debian upstream, 0.113, commit:dbbb7dc60abdd970af0a8fae404484181fa909c9 2013-11-10
0.113/Don-t-discard-error-data-returned-by-polkit_system_b.patch Don't discard error data returned by polkit_system_bus_name_get_user_sync Miloslav Trmač <mitr@redhat.com> yes debian upstream upstream, 0.113, commit:145d43b9c891f248ad68ebe597cb151a865bdb3a 2013-11-11
0.113/sessionmonitor-systemd-Deduplicate-code-paths.patch sessionmonitor-systemd: Deduplicate code paths
We had the code to go from pid -> session duplicated. If we have a
PolkitSystemBusName, convert it to a PolkitUnixProcess.
Then we can do PolkitUnixProcess -> pid -> session in one place.

This is just a code cleanup.
Colin Walters <walters@verbum.org> yes upstream upstream, 0.113, commit:26d0c0578211fb96fc8fe75572aa11ad6ecbf9b8 2013-11-07
0.113/PolkitSystemBusName-Retrieve-both-pid-and-uid.patch PolkitSystemBusName: Retrieve both pid and uid
For polkit_system_bus_name_get_process_sync(), as pointed out by
Miloslav Trmac, we can securely retrieve the owner uid as well from
the system bus, rather than (racily) looking it up internally.

This avoids use of a deprecated API.

However, this is not a security fix because nothing in the polkit
codebase itself actually retrieves the uid from the result of this API
call. But, it might be useful in the future.
Colin Walters <walters@verbum.org> no upstream, 0.113, commit:bfa5036bfb93582c5a87c44b847957479d911e38 2013-11-09
0.113/sessionmonitor-systemd-prepare-for-D-Bus-user-bus-mo.patch sessionmonitor-systemd: prepare for D-Bus "user bus" model
In the D-Bus "user bus" model, all sessions of a user share the same
D-Bus instance, a polkit requesting process might live outside the
login session which registered the user's polkit agent.

In case a polkit requesting process is not part of the user's login
session, we ask systemd-logind for the user's "display" session
instead.

[smcv: backport configure.ac changes; fail with #error if the required
API is not found]
Kay Sievers <kay@vrfy.org> yes debian upstream 2014-05-19
0.113/Refuse-duplicate-user-arguments-to-pkexec.patch Refuse duplicate --user arguments to pkexec
This usage is clearly erroneous, so we should tell the users they are
making a mistake.

Besides, this allows an attacker to cause a high number of heap
allocations with attacker-controlled sizes (
http://googleprojectzero.blogspot.cz/2014/08/the-poisoned-nul-byte-2014-edition.html
), making some exploits easier.

(To be clear, this is not a pkexec vulnerability, and we will not
refuse attacker-affected malloc() usage as a matter of policy; but this
commit is both user-friendly and adding some hardening.)
Miloslav Trmač <mitr@redhat.com> yes upstream upstream, 0.113, commit:6c992bc8aefa195a41eaa41c07f46f17de18e25c 2014-08-26
0.113/00git_fix_memleak.patch authority: Fix memory leak in EnumerateActions call results handler
Policykit-1 doesn't release reference counters of GVariant data for
org.freedesktop.PolicyKit1.Authority.EnumerateActions dbus call. This
patch fixes the reference counting and the resulting memory leak.
"Max A. Dednev" <dednev@rambler.ru> yes upstream upstream, 0.113, commit:f4d71e0de885010494b8b0b8d62ca910011d7544 2015-01-11
0.113/00git_invalid_object_paths.patch CVE-2015-3218: backend: Handle invalid object paths in RegisterAuthenticationAgent

Properly propagate the error, otherwise we dereference a `NULL`
pointer. This is a local, authenticated DoS.

`RegisterAuthenticationAgentWithOptions` and
`UnregisterAuthentication` have been validated to not need changes for
this.

http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html
Colin Walters <walters@redhat.com> yes debian upstream upstream, 0.113, commit:48e646918efb2bf0b3b505747655726d7869f31c 2015-05-30
0.113/Fix-a-possible-NULL-dereference.patch Fix a possible NULL dereference.
polkit_backend_session_monitor_get_user_for_subject() may return NULL
(and because it is using external processes, we can’t really rule it
out). The code was already anticipating NULL in the cleanup section, so
handle it also when actually using the value.
Miloslav Trmač <mitr@redhat.com> yes upstream upstream, 0.113, commit:6109543303def367b84eaac97d2ff9cefe735efb 2014-06-11
0.113/Remove-a-redundant-assignment.patch Remove a redundant assignment.
Instead of a nonsensical (data = data), use the more customary
((void)data) to silence the warning about an unused parameter.
Miloslav Trmač <mitr@redhat.com> yes upstream upstream, 0.113, commit:37143eb06cb0c4dffca67079dd1c10c5b191b6a7 2014-06-11
0.113/Fix-duplicate-GError-use-when-uid-is-missing.patch Fix duplicate GError use when "uid" is missing
Some GLib versions complain loudly about this.

To reproduce, call e.g. RegisterAuthenticationAgent with the following
parameters:
("unix-process", {"pid": __import__('gi.repository.GLib', globals(),
locals(), ['Variant']).Variant("u", 1), "start-time":
__import__('gi.repository.GLib', globals(), locals(),
['Variant']).Variant("t", 1)}), "cs", "/"
Miloslav Trmač <mitr@redhat.com> yes upstream upstream, 0.113, commit:2c8738941be18ef05ce724df46547f41dbc02fb5 2014-09-15
0.113/Fix-a-crash-when-two-authentication-requests-are-in-.patch Fix a crash when two authentication requests are in flight.
To reproduce:
1. pkttyagent -p $$ # or another suitable PID
2. pkcheck -p $that_pid -a org.freedesktop.policykit.exec -u
3. pkcheck -p $that_pid -a org.freedesktop.policykit.exec -u
4. Then, in the pkttyagent prompt, press Enter.

polkit_agent_text_listener_initiate_authentication was already setting
an appropriate error code, so the g_assert was unnecessary.
Miloslav Trmač <mitr@redhat.com> yes upstream upstream, 0.113, commit:e2d2fafd106624ddfea4b17d3f40704b2031c00b 2015-06-06
0.113/CVE-2015-4625-Use-unpredictable-cookie-values-keep-t.patch CVE-2015-4625: Use unpredictable cookie values, keep them secret
Tavis noted that it'd be possible with a 32 bit counter for someone to
cause the cookie to wrap by creating Authentication requests in a
loop.

Something important to note here is that wrapping of signed integers
is undefined behavior in C, so we definitely want to fix that. All
counter integers used in this patch are unsigned.

See the comment above `authentication_agent_generate_cookie` for
details, but basically we're now using a cookie of the form:

```
<agent serial> - <agent random id> - <session serial> - <session random id>
```

Which has multiple 64 bit counters, plus unpredictable random 128 bit
integer ids (effectively UUIDs, but we're not calling them that
because we don't need to be globally unique).

We further ensure that the cookies are not visible to other processes
by changing the setuid helper to accept them over standard input. This
means that an attacker would have to guess both ids.

In any case, the security hole here is better fixed with the other
change to bind user id (uid) of the agent with cookie lookups, making
cookie guessing worthless.

Nevertheless, I think it's worth doing this change too, for defense in
depth.
Colin Walters <walters@redhat.com> yes debian upstream upstream, 0.113, commit:ea544ffc18405237ccd95d28d7f45afef49aca17 2015-06-04
0.116/Elaborate-message-printed-by-polkit-when-disconnecting-fr.patch Elaborate message printed by polkit when disconnecting from ssh
Polkit raises an unnecessarily elaborate warning message when the user restarts the machine from ssh.
This message was moved to debug mode.
Jan Rybar <jrybar@redhat.com> no upstream, 0.116, commit:b1cc525ff5a50e20c9f921f898f0556e07675e58 2018-08-15
0.113/CVE-2015-4625-Bind-use-of-cookies-to-specific-uids.patch CVE-2015-4625: Bind use of cookies to specific uids
http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html

The "cookie" value that Polkit hands out is global to all polkit
users. And when `AuthenticationAgentResponse` is invoked, we
previously only received the cookie and *target* identity, and
attempted to find an agent from that.

The problem is that the current cookie is just an integer
counter, and if it overflowed, it would be possible for
a successful authorization in one session to trigger a response
in another session.

The overflow and ability to guess the cookie were fixed by the
previous patch.

This patch is conceptually further hardening on top of that. Polkit
currently treats uids as equivalent from a security domain
perspective; there is no support for
SELinux/AppArmor/etc. differentiation.

We can retrieve the uid from `getuid()` in the setuid helper, which
allows us to ensure the uid invoking `AuthenticationAgentResponse2`
matches that of the agent.

Then the authority only looks at authentication sessions matching the
cookie that were created by a matching uid, thus removing the ability
for different uids to interfere with each other entirely.

Several fixes to this patch were contributed by:
Miloslav Trmač <mitr@redhat.com>
Colin Walters <walters@redhat.com> yes debian upstream upstream, 0.113, commit:493aa5dc1d278ab9097110c1262f5229bbaf1766 2015-06-17
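The two CVE-2015-4625 entries above (unpredictable cookies, and binding cookie lookups to the responder's uid) are illustrated together by the following added example. It is not polkit's code: the cookie layout follows the form quoted in the first entry, the random source, the session table and the function names are this example's own assumptions, and the responder uid is taken to be what the setuid helper learns from getuid(), never a value carried in the response message.

```c
/* Added example, not polkit's own code: cookies of the form
 *   <agent serial>-<agent random id>-<session serial>-<session random id>
 * built from unsigned 64-bit serials and 128-bit random ids, plus the
 * authority-side lookup that only considers sessions created by the same
 * uid as the process sending the response. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define COOKIE_MAX 128   /* 20 + 32 + 20 + 32 digits and three '-' fit */

/* The random source is injectable so callers can substitute their own. */
typedef void (*fill_random_fn)(uint8_t *buf, size_t len);

/* Default source: /dev/urandom. Abort rather than hand out a guessable id. */
void fill_random_urandom(uint8_t *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(buf, 1, len, f) != len) {
        fprintf(stderr, "cannot read /dev/urandom\n");
        abort();
    }
    fclose(f);
}

struct cookie_agent {
    uint64_t serial;              /* unsigned: wrapping is defined behaviour */
    uint8_t  id[16];              /* 128-bit random agent id */
    uint64_t next_session_serial;
};

void cookie_agent_init(struct cookie_agent *a, uint64_t *agent_counter,
                       fill_random_fn rnd)
{
    a->serial = (*agent_counter)++;
    rnd(a->id, sizeof a->id);
    a->next_session_serial = 0;
}

static void hex16(const uint8_t id[16], char out[33])
{
    static const char digits[] = "0123456789abcdef";
    for (int i = 0; i < 16; i++) {
        out[2 * i]     = digits[id[i] >> 4];
        out[2 * i + 1] = digits[id[i] & 0x0f];
    }
    out[32] = '\0';
}

/* New cookie for one authentication session of this agent. */
int cookie_generate(struct cookie_agent *a, fill_random_fn rnd, char out[COOKIE_MAX])
{
    uint8_t session_id[16];
    char agent_hex[33], session_hex[33];
    uint64_t session_serial = a->next_session_serial++;

    rnd(session_id, sizeof session_id);
    hex16(a->id, agent_hex);
    hex16(session_id, session_hex);
    int n = snprintf(out, COOKIE_MAX, "%" PRIu64 "-%s-%" PRIu64 "-%s",
                     a->serial, agent_hex, session_serial, session_hex);
    return (n > 0 && n < COOKIE_MAX) ? 0 : -1;
}

/* Authority side: one in-flight authentication session. */
struct auth_session {
    char  cookie[COOKIE_MAX];
    uid_t agent_uid;   /* uid of the agent that owns the session */
    int   in_use;
};

/* Find the session a response refers to. responder_uid is what the setuid
 * helper reports via getuid(), not anything taken from the message, and
 * sessions created by another uid are invisible to this lookup. */
struct auth_session *authority_find_session(struct auth_session *table, size_t n,
                                            const char *cookie, uid_t responder_uid)
{
    for (size_t i = 0; i < n; i++) {
        if (!table[i].in_use || table[i].agent_uid != responder_uid)
            continue;
        if (strcmp(table[i].cookie, cookie) == 0)
            return &table[i];
    }
    return NULL;
}

/* Scenario: uid 1000's agent opens a session; uid 1000 can answer it, uid
 * 1001 cannot even if it learned the cookie, and a second cookie from the
 * same agent does not match. Returns 1 when every expectation holds. */
int demo_uid_binding(void)
{
    uint64_t agent_counter = 0;
    struct cookie_agent agent;
    struct auth_session table[2];
    char c1[COOKIE_MAX], c2[COOKIE_MAX];

    memset(table, 0, sizeof table);
    cookie_agent_init(&agent, &agent_counter, fill_random_urandom);
    if (cookie_generate(&agent, fill_random_urandom, c1) != 0 ||
        cookie_generate(&agent, fill_random_urandom, c2) != 0 ||
        strcmp(c1, c2) == 0)
        return 0;
    snprintf(table[0].cookie, COOKIE_MAX, "%s", c1);
    table[0].agent_uid = 1000;
    table[0].in_use = 1;

    return authority_find_session(table, 2, c1, 1000) == &table[0] &&
           authority_find_session(table, 2, c1, 1001) == NULL &&
           authority_find_session(table, 2, c2, 1000) == NULL;
}
```

The uid check comes before the string compare on purpose: as the second entry says, once lookups are scoped to the responder's uid, guessing another user's cookie buys nothing, and the random ids are defence in depth on top of that.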
0.113/docs-Update-for-changes-to-uid-binding-Authenticatio.patch docs: Update for changes to uid binding/AuthenticationAgentResponse2
- Refer to PolkitAgentSession in general instead of to _response only
- Revert to the original description of authentication cancellation, the
agent really needs to return an error to the caller (in addition to dealing
with the session if any).
- Explicitly document the UID assumption; in the process fixing bug #69980.
- Keep documenting that we need a sufficiently privileged caller.
- Refer to the ...Response2 API in more places.
- Also update docbook documentation.
- Drop a paragraph suggesting non-PolkitAgentSession implementations are
expected and commonplace.
Miloslav Trmač <mitr@redhat.com> yes debian upstream upstream, 0.113, commit:fb5076b7c05d01a532d593a4079a29cf2d63a228 2015-06-17
0.113/Fix-a-per-authorization-memory-leak.patch Fix a per-authorization memory leak
We were leaking PolkitAuthorizationResult on every request, primarily on
the success path, but also on various error paths as well.
Miloslav Trmač <mitr@redhat.com> yes upstream upstream, 0.113, commit:0f5852a4bdabe377ddcdbed09a0c1f95710e17fe 2014-07-01
0.113/Fix-a-memory-leak-when-registering-an-authentication.patch Fix a memory leak when registering an authentication agent Miloslav Trmač <mitr@redhat.com> yes upstream upstream, 0.113, commit:ec039f9d7ede5b839f5511e26d5cd6ae9107cb2e 2014-07-01
0.113/CVE-2015-3255-Fix-GHashTable-usage.patch CVE-2015-3255 Fix GHashTable usage.
Don't assume that the hash table will free both the key and the value
at the same time, supply proper deallocation functions for the key
and value separately.

Then drop ParsedAction::action_id which is no longer used for anything.

https://bugs.freedesktop.org/show_bug.cgi?id=69501
and
https://bugs.freedesktop.org/show_bug.cgi?id=83590
Miloslav Trmač <mitr@redhat.com> no debian upstream, 0.113, commit:9f5e0c731784003bd4d6fc75ab739ff8b2ea269f 2015-04-01
0.113/Fix-use-after-free-in-polkitagentsession.c.patch Fix use-after-free in polkitagentsession.c
PolkitAgentTextListener's "completed" handler drops the last reference
to the session; in fact this is explicitly recommended in the signal's
documentation. So we must not access any members of session after
emitting the signal.

Found while dealing with
https://bugs.freedesktop.org/show_bug.cgi?id=69501
Miloslav Trmač <mitr@redhat.com> no upstream, 0.113, commit:efb6cd56a423ba15bb1f44ee3c4987aad5a5fd45 2015-04-14
0.113/README-Note-to-send-security-reports-via-DBus-s-mech.patch README: Note to send security reports via DBus's mechanism
This avoids duplicating effort.
Colin Walters <walters@verbum.org> no upstream, 0.113, commit:ccec766c509d16dab417582e94f43d906cefd4ae 2015-06-04
0.114/Fix-multi-line-pam-text-info.patch Fix multi-line pam text info.
There are pam modules (e.g. pam_vas) that may attempt to display multi-line
PAM_TEXT_INFO messages. Polkit was interpreting the lines after the first one
as a separate message that was not recognized causing the authorization
to fail. Escaping these strings and unescaping them fixes the issue.
Dariusz Gadomski <dariusz.gadomski@canonical.com> yes upstream upstream, 0.114, commit:10597322eccc320f9053821750ae9af51e918d74 2015-11-10
0.114/Refactor-send_to_helper-usage.patch Refactor send_to_helper usage
There were duplicated pieces of code detecting EOLs and escaping the text.
Those actions have been delegated to the already-existing send_to_helper function.
Dariusz Gadomski <dariusz.gadomski@canonical.com> yes upstream upstream, 0.114, commit:2690cd0312b310946c86674c8dd1f55c63f7dd6a 2015-11-12
0.114/Add-gettext-support-for-.policy-files.patch Add gettext support for .policy files
gettext can extract strings from and merge them back into xml
file formats, with the help of .its files.
Matthias Clasen <mclasen@redhat.com> yes upstream upstream, 0.114, commit:c78819245ff8a270f97c9f800773e727918be838 2016-07-15
0.114/gettext-switch-to-default-translate-no.patch gettext: switch to default-translate "no"
The default appears to be to translate all entries. This rule never takes
effect, the path to /action/message and /action/description is wrong (/action
is not a root node). Since we wanted them to be translated, it doesn't matter.

But it also translates all other tags (vendor, allow_any, etc.) and that
causes polkit to be unhappy, it can't handle the various language versions of
"no"

** (polkitd:27434): WARNING **: Unknown PolkitImplicitAuthorization string
'tidak'

Switch to a default of "no" and explicitly include the message and description
strings to be translated.

The patch was modified for PolicyKit by Ondrej Holy <oholy@redhat.com>.
Peter Hutterer <peter.hutterer@who-t.net> yes upstream upstream, 0.114, commit:32e9a69c335324a53a2c0ba4e0b513fb044be0fd 2016-10-20
0.114/Support-polkit-session-agent-running-outside-user-session.patch Support polkit session agent running outside user session
commit a68f5dfd7662767b7b9822090b70bc5bd145c50c made
session applications that are running from a user bus
work with polkitd, by falling back to using the currently
active session.

This commit is similar, but for the polkit agent. It allows,
a polkit agent to be run from a systemd --user service
that's not running directly in the users session.
Sebastien Bacher <seb128@ubuntu.com> yes upstream 2018-04-02
0.115/Fix-CVE-2018-1116-Trusting-client-supplied-UID.patch Fix CVE-2018-1116: Trusting client-supplied UID
As part of CVE-2013-4288, the D-Bus clients were allowed (and
encouraged) to submit the UID of the subject of authorization checks
to avoid races against UID changes (notably using executables
set-UID to root).

However, that also allowed any client to submit an arbitrary UID, and
that could be used to bypass "can only ask about / affect the same UID"
checks in CheckAuthorization / RegisterAuthenticationAgent /
UnregisterAuthenticationAgent. This allowed an attacker:

- With CheckAuthorization, to cause the registered authentication
agent in victim's session to pop up a dialog, or to determine whether
the victim currently has a temporary authorization to perform an
operation.

(In principle, the attacker can also determine whether JavaScript
rules allow the victim process to perform an operation; however,
usually rules base their decisions on information determined from
the supplied UID, so the attacker usually won't learn anything new.)

- With RegisterAuthenticationAgent, to prevent the victim's
authentication agent from working (for a specific victim process),
or to learn about which operations requiring authorization
the victim is attempting.

To fix this, expose internal _polkit_unix_process_get_owner() /
obsolete polkit_unix_process_get_owner() as a private
polkit_unix_process_get_racy_uid__() (being more explicit about the
dangers on relying on it), and use it in
polkit_backend_session_monitor_get_user_for_subject() to return
a boolean indicating whether the subject UID may be caller-chosen.

Then, in the permission checks that require the subject to be
equal to the caller, fail on caller-chosen UIDs (and continue
through the pre-existing code paths which allow root, or root-designated
server processes, to ask about arbitrary subjects.)
Miloslav Trmač <mitr@redhat.com> no upstream, 0.115, commit:bc7ffad53643a9c80231fc41f5582d6a8931c32c 2018-06-25
0.116/Possible-resource-leak-found-by-static-analyzer.patch Possible resource leak found by static analyzer Jan Rybar <jrybar@redhat.com> no upstream, 0.116, commit:542c6ec832919df6a74e16aba574adaeebe35e08 2018-08-09
0.116/Error-message-raised-on-every-systemctl-start-in-emergenc.patch Error message raised on every 'systemctl start' in emergency.target
Superuser should know that polkit is not running in emergency.target.
If not, basic info with debug sources is offered instead of an error message.
Other usecases taken into account.
Jan Rybar <jrybar@redhat.com> no upstream, 0.116, commit:8c1bc8ab182f33a55503d30aa7a4ee96f822d903 2018-08-15
0.116/Fix-a-critical-warning-on-calling-polkit_permission_new_s.patch Fix a critical warning on calling polkit_permission_new_sync with no system bus Richard Hughes <richard@hughsie.com> no upstream, 0.116, commit:984d16e6d21c6d6b0fc28d4fe7fe82575a43c95b 2017-10-19
0.116/Allow-negative-uids-gids-in-PolkitUnixUser-and-Group-obje.patch Allow negative uids/gids in PolkitUnixUser and Group objects
(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
there should be no users with such number, see
https://systemd.io/UIDS-GIDS#special-linux-uids.

(uid_t) -1 is used as the default value in class initialization.

When a user or group above INT32_MAX is created, the numeric uid or
gid wraps around to negative when the value is assigned to gint, and
polkit gets confused. Let's accept such gids, except for -1.

A nicer fix would be to change the underlying type to e.g. uint32 to
not have negative values. But this cannot be done without breaking the
API, so likely new functions will have to be added (a
polkit_unix_user_new variant that takes a unsigned, and the same for
_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
require a bigger patch.

Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.

(cherry picked from commit 2cb40c4d5feeaa09325522bd7d97910f1b59e379)
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> no 2018-12-03
0.116/tests-add-tests-for-high-uids.patch tests: add tests for high uids
Modified by Marc Deslauriers for polkit 105

(cherry picked from commit b534a10727455409acd54018a9c91000e7626126)
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> no 2018-12-03
0.116/backend-Compare-PolkitUnixProcess-uids-for-temporary-auth.patch backend: Compare PolkitUnixProcess uids for temporary authorizations
It turns out that the combination of `(pid, start time)` is not
enough to be unique. For temporary authorizations, we can avoid
separate users racing on pid reuse by simply comparing the uid.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1692

And the above original email report is included in full in a new comment.
Colin Walters <walters@verbum.org> yes upstream upstream, 0.116, commit:6cc6aafee135ba44ea748250d7d29b562ca190e3 2019-01-04
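The CVE-2018-1116 entry and the temporary-authorization entry above both turn on which uid the authority trusts for a unix-process subject. The following added example (not polkit's own code) puts the vulnerable and fixed decision side by side for each: a caller-supplied uid must not satisfy a "same uid as the caller" check, and a remembered temporary authorization must compare the uid as well as (pid, start time). The /proc lookup, the pids, uids and action id are constructed stand-ins, and the function names are this example's own.

```c
/* Added example, not polkit's own code, for two fixes that both turn on
 * which uid the authority trusts for a unix-process subject:
 *  - CVE-2018-1116: a uid supplied by the D-Bus caller must never satisfy
 *    a "subject has the same uid as the caller" check;
 *  - temporary authorizations: (pid, start time) alone is not unique, so
 *    the remembered uid is compared as well.
 * The /proc lookup is replaced by a constructed table. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct unix_process_subject {
    pid_t    pid;
    uint64_t start_time;
    bool     has_uid;   /* caller put a "uid" key into the subject dict */
    uid_t    uid;       /* only meaningful when has_uid is true */
};

/* Constructed stand-in for /proc: pid 4242 belongs to uid 1000, pid 4243
 * is a root process. */
struct proc_entry { pid_t pid; uint64_t start_time; uid_t uid; };
static const struct proc_entry fake_proc[] = {
    { 4242, 1000, 1000 },
    { 4243, 1001, 0 },
};

/* Racy by nature: the process may exec a setuid binary right after the
 * lookup. Returns -1 when no such (pid, start time) exists. */
int get_racy_uid(pid_t pid, uint64_t start_time, uid_t *uid)
{
    for (size_t i = 0; i < sizeof fake_proc / sizeof fake_proc[0]; i++) {
        if (fake_proc[i].pid == pid && fake_proc[i].start_time == start_time) {
            *uid = fake_proc[i].uid;
            return 0;
        }
    }
    return -1;
}

/* Resolve the subject's uid and report whether the caller chose it. */
int get_user_for_subject(const struct unix_process_subject *s, uid_t *uid,
                         bool *caller_chosen)
{
    if (s->has_uid) {
        *uid = s->uid;
        *caller_chosen = true;
        return 0;
    }
    *caller_chosen = false;
    return get_racy_uid(s->pid, s->start_time, uid);
}

/* Before the fix: whatever uid the subject carries is believed. */
bool caller_may_ask_about_vulnerable(uid_t caller_uid,
                                     const struct unix_process_subject *s)
{
    uid_t subject_uid;
    bool caller_chosen;
    if (caller_uid == 0)
        return true;
    if (get_user_for_subject(s, &subject_uid, &caller_chosen) != 0)
        return false;
    return subject_uid == caller_uid;
}

/* After the fix: root (or a root-designated server) may ask about anyone;
 * an unprivileged caller only about its own uid, and only when the
 * authority established that uid itself. */
bool caller_may_ask_about(uid_t caller_uid, const struct unix_process_subject *s)
{
    uid_t subject_uid;
    bool caller_chosen;
    if (caller_uid == 0)
        return true;
    if (get_user_for_subject(s, &subject_uid, &caller_chosen) != 0)
        return false;
    if (caller_chosen)
        return false;                       /* CVE-2018-1116 */
    return subject_uid == caller_uid;
}

/* A temporary authorization remembered for a unix-process subject. */
struct temp_auth { pid_t pid; uint64_t start_time; uid_t uid; const char *action_id; };

/* Before the fix: pid and start time only. */
bool temp_auth_matches_pid_start(const struct temp_auth *t, pid_t pid,
                                 uint64_t start_time, const char *action_id)
{
    return t->pid == pid && t->start_time == start_time &&
           strcmp(t->action_id, action_id) == 0;
}

/* After the fix: the uid must match too, so another user whose process
 * reused the pid and collided on start time does not inherit the grant. */
bool temp_auth_matches(const struct temp_auth *t, pid_t pid, uint64_t start_time,
                       uid_t uid, const char *action_id)
{
    return t->uid == uid && temp_auth_matches_pid_start(t, pid, start_time, action_id);
}

int main(void)
{
    /* uid 1000 claims the root process 4243 is its own. */
    struct unix_process_subject spoofed = { 4243, 1001, true, 1000 };
    struct temp_auth grant = { 500, 777, 1000, "org.example.reboot" };
    printf("spoofed uid accepted: before %d, after %d\n",
           caller_may_ask_about_vulnerable(1000, &spoofed),
           caller_may_ask_about(1000, &spoofed));
    printf("reused pid, other uid matches grant: before %d, after %d\n",
           temp_auth_matches_pid_start(&grant, 500, 777, "org.example.reboot"),
           temp_auth_matches(&grant, 500, 777, 1001, "org.example.reboot"));
    return 0;
}
```

Note that the caller-supplied uid is still useful to root-designated servers (the CVE-2013-4288 use case); the fix only stops it from establishing identity with the caller.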
0.116/Allow-uid-of-1-for-a-PolkitUnixProcess.patch Allow uid of -1 for a PolkitUnixProcess
Commit 2cb40c4d5 changed PolkitUnixUser, PolkitUnixGroup, and
PolkitUnixProcess to allow negative values for their uid/gid properties,
since these are values above INT_MAX which wrap around but are still
valid, with the exception of -1 which is not valid. However,
PolkitUnixProcess allows a uid of -1 to be passed to
polkit_unix_process_new_for_owner() which means polkit is expected to
figure out the uid on its own (this happens in the _constructed
function). So this commit removes the check in
polkit_unix_process_set_property() so that new_for_owner() can be used
as documented without producing a critical error message.

This does not affect the protection against CVE-2018-19788 which is
based on creating a user with a UID up to but not including 4294967295
(-1).
Matthew Leeds <matthew.leeds@endlessm.com> no 2018-12-11
Remove-example-null-backend.patch Remove example null backend
There's no point in this now that we've removed the ability to extend
polkit.
Simon McVittie <smcv@debian.org> no 2019-07-04
0.116/pkttyagent-PolkitAgentTextListener-leaves-echo-tty-disabl.patch pkttyagent: PolkitAgentTextListener leaves echo tty disabled if SIGINT/SIGTERM

If no password is typed into the terminal during authentication raised by PolkitAgentTextListener, pkttyagent receives a kill signal (e.g. from systemctl/hostnamectl) without a chance to restore echoing back on. This cannot be done in on_request() since it is run in a thread without a guarantee that the signal is delivered there.
Jan Rybar <jrybar@redhat.com> no upstream, 0.116, commit:bfb722bbe5a503095cc7e860f282b142f5aa75f1 2019-03-15
01_pam_polkit.patch Use Debian's common-* PAM infrastructure, plus pam_env Michael Biebl <biebl@debian.org> invalid 2007-10-02
02_gettext.patch Use gettext for translations in .policy files Robert Ancell <robert.ancell@canonical.com> yes upstream 2010-08-18
05_revert-admin-identities-unix-group-wheel.patch Revert "Default to AdminIdentities=unix-group:wheel for local authority"

This reverts commit 763faf434b445c20ae9529100d3ef5290976d0c9.

On Red Hat derivatives, every member of group 'wheel' is necessarily
privileged. On Debian derivatives, there is no wheel group, and gid 0
(root) is not used in this way. Change the default rule to consider
uid 0 to be privileged, instead.

On Red Hat derivatives, 50-default.rules is not preserved by upgrades;
on dpkg-based systems, it is a proper conffile and may be edited
(at the sysadmin's own risk), so the comment about not editing it is
misleading.

[smcv: added longer explanation of why we make this change;
remove unrelated cosmetic change to a man page]
Michael Biebl <biebl@debian.org> invalid 2011-12-09
06_systemd-service.patch Install systemd service file for polkitd. Michael Biebl <biebl@debian.org> invalid 2012-02-11
10_build-against-libsystemd.patch Build against libsystemd Michael Biebl <biebl@debian.org> invalid debian 2015-07-08
Move-D-Bus-policy-file-to-usr-share-dbus-1-system.d.patch Move D-Bus policy file to /usr/share/dbus-1/system.d/
To better support stateless systems with an empty /etc, the old location
in /etc/dbus-1/system.d/ should only be used for local admin changes.
Package provided D-Bus policy files are supposed to be installed in
/usr/share/dbus-1/system.d/.

This is supported since dbus 1.9.18.

https://lists.freedesktop.org/archives/dbus/2015-July/016746.html

https://gitlab.freedesktop.org/polkit/polkit/merge_requests/11
Michael Biebl <biebl@debian.org> no 2018-11-27
Statically-link-libpolkit-backend1-into-polkitd.patch Statically link libpolkit-backend1 into polkitd
Nothing else in Debian depends on that library: in principle it was
meant to be used for pluggable polkit backends, but those never actually
happened, and the library's API was never declared stable.

Similar to part of 0f830c76 "Nuke polkitbackend library, localauthority
backend and extension system" upstream.
Simon McVittie <smcv@debian.org> no 2019-07-04
CVE-2021-3560.patch local privilege escalation using polkit_system_bus_name_get_creds_sync() Salvatore Bonaccorso <carnil@debian.org> not-needed debian upstream upstream 2021-06-03
Local-Privilege-Escalation-in-polkit-s-pkexec-CVE-20.patch [PATCH] Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
[Salvatore Bonaccorso: Backport to 0.105:
- Refresh for context changes
- Drop help() printout in pkcheck, for versions before e8e18d180888
("Don't spawn man for --help") in 0.111. Instead call usage(). It
spawns a manpage, but pkcheck is not setuid root.
]
Salvatore Bonaccorso <carnil@debian.org> no 2022-01-11