Home Explore Help
Sign In
erkanisik
/
core
mirror of https://github.com/pisilinux/core.git
Watch 1
Star 0
Fork 0
Files Issues 0 Wiki
Branch: master
Branches Tags
core
/
system
/
base
/
polkit
/
files
/
CVE-2021-4034.patch

CVE-2021-4034.patch 2.0 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 
  1. From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Jan Rybar <jrybar@redhat.com>
    3. 

  3. Date: Tue, 25 Jan 2022 17:21:46 +0000
    4. 

  4. Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
    5. 

  5. 

  6. ---
    7. 

  7.  src/programs/pkcheck.c |  5 +++++
    8. 

  8.  src/programs/pkexec.c  | 23 ++++++++++++++++++++---
    9. 

  9.  2 files changed, 25 insertions(+), 3 deletions(-)
    10. 

  10. 

  11. diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
    12. 

  12. index f1bb4e1..768525c 100644
    13. 

  13. --- a/src/programs/pkcheck.c
    14. 

  14. +++ b/src/programs/pkcheck.c
    15. 

  15. @@ -363,6 +363,11 @@ main (int argc, char *argv[])
    16. 

  16.    local_agent_handle = NULL;
    17. 

  17.    ret = 126;
    18. 

  18.  
    19. 

  19. +  if (argc < 1)
    20. 

  20. +    {
    21. 

  21. +      exit(126);
    22. 

  22. +    }
    23. 

  23. +
    24. 

  24.    /* Disable remote file access from GIO. */
    25. 

  25.    setenv ("GIO_USE_VFS", "local", 1);
    26. 

  26.  
    27. 

  27. diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
    28. 

  28. index 7698c5c..84e5ef6 100644
    29. 

  29. --- a/src/programs/pkexec.c
    30. 

  30. +++ b/src/programs/pkexec.c
    31. 

  31. @@ -488,6 +488,15 @@ main (int argc, char *argv[])
    32. 

  32.    pid_t pid_of_caller;
    33. 

  33.    gpointer local_agent_handle;
    34. 

  34.  
    35. 

  35. +
    36. 

  36. +  /*
    37. 

  37. +   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
    38. 

  38. +   */
    39. 

  39. +  if (argc<1)
    40. 

  40. +    {
    41. 

  41. +      exit(127);
    42. 

  42. +    }
    43. 

  43. +
    44. 

  44.    ret = 127;
    45. 

  45.    authority = NULL;
    46. 

  46.    subject = NULL;
    47. 

  47. @@ -614,10 +623,10 @@ main (int argc, char *argv[])
    48. 

  48.  
    49. 

  49.        path = g_strdup (pwstruct.pw_shell);
    50. 

  50.        if (!path)
    51. 

  51. -	{
    52. 

  52. +        {
    53. 

  53.            g_printerr ("No shell configured or error retrieving pw_shell\n");
    54. 

  54.            goto out;
    55. 

  55. -	}
    56. 

  56. +        }
    57. 

  57.        /* If you change this, be sure to change the if (!command_line)
    58. 

  58.  	 case below too */
    59. 

  59.        command_line = g_strdup (path);
    60. 

  60. @@ -636,7 +645,15 @@ main (int argc, char *argv[])
    61. 

  61.            goto out;
    62. 

  62.          }
    63. 

  63.        g_free (path);
    64. 

  64. -      argv[n] = path = s;
    65. 

  65. +      path = s;
    66. 

  66. +
    67. 

  67. +      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
    68. 

  68. +       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
    69. 

  69. +       */
    70. 

  70. +      if (argv[n] != NULL)
    71. 

  71. +      {
    72. 

  72. +        argv[n] = path;
    73. 

  73. +      }
    74. 

  74.      }
    75. 

  75.    if (access (path, F_OK) != 0)
    76. 

  76.      {
    77. 

  77. -- 
    78. 

  78. GitLab
    79. 

  79. 

  80.