Bugzilla Automation <***@FreeBSD.org> has asked freebsd-desktop (Team)
<***@FreeBSD.org> for maintainer-feedback:
Bug 256405: sysutils/polkit: Update to 0.119
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256405



--- Description ---
Update to 0.119

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256405

Tobias C. Berner <***@freebsd.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@freebsd.org
Status|New |In Progress

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256405

Evgeniy Khramtsov <***@khramtsov.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@khramtsov.org

--- Comment #1 from Evgeniy Khramtsov <***@khramtsov.org> ---
Also needs a VuXML entry: https://seclists.org/oss-sec/2021/q2/180

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256405

--- Comment #2 from Tobias C. Berner <***@freebsd.org> ---
Moin moin

This patch additionally converts it to use meson as a build system:
https://people.freebsd.org/~tcberner/patches/polkit-119.v1.diff


mfg Tobias

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256405

Tobias C. Berner <***@freebsd.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Flags|maintainer-feedback?(deskto |maintainer-feedback+
|***@FreeBSD.org) |

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256405

--- Comment #3 from commit-***@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9

commit 0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9
Author: Tobias C. Berner <***@FreeBSD.org>
AuthorDate: 2021-06-04 18:27:49 +0000
Commit: Tobias C. Berner <***@FreeBSD.org>
CommitDate: 2021-06-04 18:29:52 +0000

security/vuxml: document vulnerability in sysutils/polkit

Cedric Buissart reports:

The function `polkit_system_bus_name_get_creds_sync` is used to get
the
uid and pid of the process requesting the action. It does this by
sending the unique bus name of the requesting process, which is
typically something like ":1.96", to `dbus-daemon`. These unique
names
are assigned and managed by `dbus-daemon` and cannot be forged, so
this
is a good way to check the privileges of the requesting process.

The vulnerability happens when the requesting process disconnects
from
`dbus-daemon` just before the call to
`polkit_system_bus_name_get_creds_sync` starts. In this scenario,
the
unique bus name is no longer valid, so `dbus-daemon` sends back an
error
reply. This error case is handled in
`polkit_system_bus_name_get_creds_sync` by setting the value of the
`error` parameter, but it still returns `TRUE`, rather than
`FALSE`.
This behavior means that all callers of
`polkit_system_bus_name_get_creds_sync` need to carefully check
whether
an error was set. If the calling function forgets to check for
errors
then it will think that the uid of the requesting process is 0
(because
the `AsyncGetBusNameCredsData` struct is zero initialized). In
other
words, it will think that the action was requested by a root
process,
and will therefore allow it.

PR: 256405
Security: CVE-2021-3560 polkit

security/vuxml/vuln.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)