authorJason Zaman <perfinion@gentoo.org>2015-06-06 08:52:19 +0000
committerJason Zaman <perfinion@gentoo.org>2015-06-06 08:52:19 +0000
commite26a5bce8747ccf6b09666bfc42ba727b5b609fc (patch)
treea874d646bbbe08479e839a4e4678ab6426e3afcd /sys-auth/polkit/files
parentamd64 stable wrt bug #551350 (diff)
fix bug 551316 CVE-2015-3218: crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x7EF137EC935B0EAF)
Diffstat (limited to 'sys-auth/polkit/files')
-rw-r--r--sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch106
1 files changed, 106 insertions, 0 deletions
diff --git a/sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch b/sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch
new file mode 100644
index 000000000000..5ceb2de5f9ed
--- /dev/null
+++ b/sys-auth/polkit/files/polkit-0.112-0001-backend-Handle-invalid-object-paths-in-RegisterAuthe.patch
@@ -0,0 +1,106 @@
+From 9e074421d5623b6962dc66994d519012b40334b9 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Sat, 30 May 2015 09:06:23 -0400
+Subject: [PATCH] backend: Handle invalid object paths in
+ RegisterAuthenticationAgent
+
+Properly propagate the error, otherwise we dereference a `NULL`
+pointer. This is a local, authenticated DoS.
+
+Reported-by: Tavis Ormandy <taviso@google.com>
+Signed-off-by: Colin Walters <walters@verbum.org>
+---
+ .../polkitbackendinteractiveauthority.c | 53 ++++++++++++----------
+ 1 file changed, 30 insertions(+), 23 deletions(-)
+
+diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
+index 59028d5..f45fdf1 100644
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -1551,36 +1551,42 @@ authentication_agent_new (PolkitSubject *scope,
+ const gchar *unique_system_bus_name,
+ const gchar *locale,
+ const gchar *object_path,
+- GVariant *registration_options)
++ GVariant *registration_options,
++ GError **error)
+ {
+ AuthenticationAgent *agent;
+- GError *error;
++ GDBusProxy *proxy;
+
+- agent = g_new0 (AuthenticationAgent, 1);
++ if (!g_variant_is_object_path (object_path))
++ {
++ g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED,
++ "Invalid object path '%s'", object_path);
++ return NULL;
++ }
++
++ proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM,
++ G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES |
++ G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS,
++ NULL, /* GDBusInterfaceInfo* */
++ unique_system_bus_name,
++ object_path,
++ "org.freedesktop.PolicyKit1.AuthenticationAgent",
++ NULL, /* GCancellable* */
++ error);
++ if (proxy == NULL)
++ {
++ g_prefix_error (error, "Failed to construct proxy for agent: " );
++ return NULL;
++ }
+
++ agent = g_new0 (AuthenticationAgent, 1);
+ agent->ref_count = 1;
+ agent->scope = g_object_ref (scope);
+ agent->object_path = g_strdup (object_path);
+ agent->unique_system_bus_name = g_strdup (unique_system_bus_name);
+ agent->locale = g_strdup (locale);
+ agent->registration_options = registration_options != NULL ? g_variant_ref (registration_options) : NULL;
+-
+- error = NULL;
+- agent->proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM,
+- G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES |
+- G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS,
+- NULL, /* GDBusInterfaceInfo* */
+- agent->unique_system_bus_name,
+- agent->object_path,
+- "org.freedesktop.PolicyKit1.AuthenticationAgent",
+- NULL, /* GCancellable* */
+- &error);
+- if (agent->proxy == NULL)
+- {
+- g_warning ("Error constructing proxy for agent: %s", error->message);
+- g_error_free (error);
+- /* TODO: Make authentication_agent_new() return NULL and set a GError */
+- }
++ agent->proxy = proxy;
+
+ return agent;
+ }
+@@ -2383,8 +2389,6 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
+ caller_cmdline = NULL;
+ agent = NULL;
+
+- /* TODO: validate that object path is well-formed */
+-
+ interactive_authority = POLKIT_BACKEND_INTERACTIVE_AUTHORITY (authority);
+ priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (interactive_authority);
+
+@@ -2471,7 +2475,10 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
+ polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)),
+ locale,
+ object_path,
+- options);
++ options,
++ error);
++ if (!agent)
++ goto out;
+
+ g_hash_table_insert (priv->hash_scope_to_authentication_agent,
+ g_object_ref (subject),
+--
+1.8.3.1
+
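Review bot: authentication_agent_new() gains a failure contract that the patch does not document: it now returns NULL with `*error` set, both when `g_variant_is_object_path (object_path)` rejects the path and when the proxy cannot be constructed, and the `g_new0` was moved after both checks so nothing is allocated on those paths. A comment above the function would record this, for example `/* Returns NULL and sets @error if @object_path is not a valid D-Bus object path or the agent proxy cannot be created; nothing is allocated on failure. */`. The function's signature starts above the first inner hunk, and the `out:` label targeted by the new `if (!agent) goto out;` lies outside the hunks shown. It is therefore worth confirming that the cleanup at `out:` tolerates `agent == NULL` and releases whatever was acquired before the call. The rejected path is caller-supplied and is copied verbatim into the error text by `"Invalid object path '%s'"`, so anything that logs or displays that error should treat it as untrusted text.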