Bug#726558: pu: package policykit-1/0.105-3+deb7u1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
As discussed in [1], I'd like to upload a fix for CVE-2013-4288 for
policykit-1 to stable.
The patch itself has been applied to the unstable version as well (in
0.105-3+nmu1).
Please let me know if I can proceed with the stable upload to get this
fix into 7.3.
Full debdiff is attached.
Regards,
Michael
[1] https://lists.debian.org/debian-release/2013/10/msg00604.html
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog
index c3ab45b..1644c95 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+policykit-1 (0.105-3+deb7u1) stable; urgency=low
+
+ * Fix CVE-2013-4288: race condition in pkcheck. (Closes: #723717)
+
+ -- Michael Biebl <biebl@debian.org> Wed, 16 Oct 2013 18:35:01 +0200
+
policykit-1 (0.105-3) unstable; urgency=low
* 07_set-XAUTHORITY-environment-variable-if-unset.patch: Set XAUTHORITY
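Review bot: The new entry's one-line description, "Fix CVE-2013-4288: race condition in pkcheck", hides that the fix is opt-in. Per the upstream commit message in cve-2013-4288.patch, it adds a --process=pid,start-time,uid form that callers such as libvirt have to switch to, while the two older forms stay accepted. Consider saying so in the entry and naming the patch file, as the 0.105-3 entry below does for 07_set-XAUTHORITY-environment-variable-if-unset.patch, so that stable users can see that programs invoking pkcheck still need their own update.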
diff --git a/debian/gbp.conf b/debian/gbp.conf
index c31be83..a475fbf 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,3 +1,3 @@
[DEFAULT]
pristine-tar = True
-debian-branch = master
+debian-branch = wheezy
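Review bot: The debian-branch switch from master to wheezy is a packaging change that the 0.105-3+deb7u1 changelog entry in this debdiff does not mention. It does not affect the built package, but a stable update is easier to review when every change in the debdiff is listed, so add a line for it to the entry (for example "debian/gbp.conf: Use wheezy branch").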
diff --git a/debian/patches/cve-2013-4288.patch b/debian/patches/cve-2013-4288.patch
new file mode 100644
index 0000000..2aad36c
--- /dev/null
+++ b/debian/patches/cve-2013-4288.patch
@@ -0,0 +1,115 @@
+From 52c927893a2ab135462b616c2e00fec377da9885 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Mon, 19 Aug 2013 12:16:11 -0400
+Subject: [PATCH 2/4] pkcheck: Support --process=pid,start-time,uid syntax too
+
+The uid is a new addition; this allows callers such as libvirt to
+close a race condition in reading the uid of the process talking to
+them. They can read it via getsockopt(SO_PEERCRED) or equivalent,
+rather than having pkcheck look at /proc later after the fact.
+
+Programs which invoke pkcheck but need to know beforehand (i.e. at
+compile time) whether or not it supports passing the uid can
+use:
+
+pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
+test x$pkcheck_supports_uid = xyes
+---
+ data/polkit-gobject-1.pc.in | 3 +++
+ docs/man/pkcheck.xml | 29 ++++++++++++++++++++---------
+ src/programs/pkcheck.c | 9 +++++++--
+ 3 files changed, 30 insertions(+), 11 deletions(-)
+
+Index: policykit-1-0.105/data/polkit-gobject-1.pc.in
+===================================================================
+--- policykit-1-0.105.orig/data/polkit-gobject-1.pc.in 2013-09-11 09:40:56.604225567 -0400
++++ policykit-1-0.105/data/polkit-gobject-1.pc.in 2013-09-11 09:40:56.596225567 -0400
+@@ -11,3 +11,6 @@
+ Libs: -L${libdir} -lpolkit-gobject-1
+ Cflags: -I${includedir}/polkit-1
+ Requires: gio-2.0 >= 2.18 glib-2.0 >= 2.18
++# Programs using pkcheck can use this to determine
++# whether or not it can be passed a uid.
++pkcheck_supports_uid=true
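Review bot: The value added to polkit-gobject-1.pc.in is pkcheck_supports_uid=true, but the commit message at the top of this patch tells callers to run test x$pkcheck_supports_uid = xyes, which never matches "true". One of the two should change, or the comment above the variable should state the exact value to compare against; a caller that copies the documented test would conclude that the uid form is unsupported.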
+Index: policykit-1-0.105/docs/man/pkcheck.xml
+===================================================================
+--- policykit-1-0.105.orig/docs/man/pkcheck.xml 2013-09-11 09:40:56.604225567 -0400
++++ policykit-1-0.105/docs/man/pkcheck.xml 2013-09-11 09:42:28.272223569 -0400
+@@ -55,6 +55,9 @@
+ <arg choice="plain">
+ <replaceable>pid,pid-start-time</replaceable>
+ </arg>
++ <arg choice="plain">
++ <replaceable>pid,pid-start-time,uid</replaceable>
++ </arg>
+ </group>
+ </arg>
+ <arg choice="plain">
+@@ -90,7 +93,7 @@
+ <title>DESCRIPTION</title>
+ <para>
+ <command>pkcheck</command> is used to check whether a process, specified by
+- either <option>--process</option> or <option>--system-bus-name</option>,
++ either <option>--process</option> (see below) or <option>--system-bus-name</option>,
+ is authorized for <replaceable>action</replaceable>. The <option>--detail</option>
+ option can be used zero or more times to pass details about <replaceable>action</replaceable>.
+ If <option>--allow-user-interaction</option> is passed, <command>pkcheck</command> blocks
+@@ -160,17 +163,25 @@
+ <refsect1 id="pkcheck-notes">
+ <title>NOTES</title>
+ <para>
+- Since process identifiers can be recycled, the caller should always use
+- <replaceable>pid,pid-start-time</replaceable> to specify the process
+- to check for authorization when using the <option>--process</option> option.
+- The value of <replaceable>pid-start-time</replaceable>
+- can be determined by consulting e.g. the
++ Do not use either the bare <replaceable>pid</replaceable> or
++ <replaceable>pid,start-time</replaceable> syntax forms for
++ <option>--process</option>. There are race conditions in both.
++ New code should always use
++ <replaceable>pid,pid-start-time,uid</replaceable>. The value of
++ <replaceable>start-time</replaceable> can be determined by
++ consulting e.g. the
+ <citerefentry>
+ <refentrytitle>proc</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>
+- file system depending on the operating system. If only <replaceable>pid</replaceable>
+- is passed to the <option>--process</option> option, then <command>pkcheck</command>
+- will look up the start time itself but note that this may be racy.
++ file system depending on the operating system. If fewer than 3
++ arguments are passed, <command>pkcheck</command> will attempt to
++ look up them up internally, but note that this may be racy.
++ </para>
++ <para>
++ If your program is a daemon with e.g. a custom Unix domain
++ socket, you should determine the <replaceable>uid</replaceable>
++ parameter via operating system mechanisms such as
++ <literal>PEERCRED</literal>.
+ </para>
+ </refsect1>
+
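Review bot: In the rewritten NOTES paragraph, "will attempt to look up them up internally" has a doubled "up" and should read "look them up internally". The same paragraph calls the field start-time in two places and pid-start-time in a third, while the synopsis hunk above uses pid-start-time throughout, so pick one name. Since the text now declares both older forms racy, it would also help to say which values pkcheck looks up itself when fewer than 3 are given.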
+Index: policykit-1-0.105/src/programs/pkcheck.c
+===================================================================
+--- policykit-1-0.105.orig/src/programs/pkcheck.c 2013-09-11 09:40:56.604225567 -0400
++++ policykit-1-0.105/src/programs/pkcheck.c 2013-09-11 09:40:56.600225567 -0400
+@@ -372,6 +372,7 @@
+ else if (g_strcmp0 (argv[n], "--process") == 0 || g_strcmp0 (argv[n], "-p") == 0)
+ {
+ gint pid;
++ guint uid;
+ guint64 pid_start_time;
+
+ n++;
+@@ -381,7 +382,11 @@
+ goto out;
+ }
+
+- if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
++ if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT ",%u", &pid, &pid_start_time, &uid) == 3)
++ {
++ subject = polkit_unix_process_new_for_owner (pid, pid_start_time, uid);
++ }
++ else if (sscanf (argv[n], "%i,%" G_GUINT64_FORMAT, &pid, &pid_start_time) == 2)
+ {
+ subject = polkit_unix_process_new_full (pid, pid_start_time);
+ }
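Review bot: The new three-field sscanf in the second pkcheck.c hunk checks only the conversion count, so it accepts an argument with trailing characters after the uid, and %u also accepts a signed value such as -1, which wraps to the largest guint. Because the uid is now the input that the authorization decision hangs on, consider rejecting anything that is not fully consumed (for example by appending %n and comparing against the string length) and rejecting out-of-range uids before calling polkit_unix_process_new_for_owner.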
diff --git a/debian/patches/series b/debian/patches/series
index 2d3a3f9..0307b9c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@
05_revert-admin-identities-unix-group-wheel.patch
06_systemd-service.patch
07_set-XAUTHORITY-environment-variable-if-unset.patch
+cve-2013-4288.patch