sys-auth/polkit: fix CVE-2021-4043

Bug: https://bugs.gentoo.org/832057
Signed-off-by: Sam James <sam@gentoo.org>

2 files changed, 192 insertions, 0 deletions

diff --git a/sys-auth/polkit/files/polkit-0.120-CVE-2021-4043.patch b/sys-auth/polkit/files/polkit-0.120-CVE-2021-4043.patch
new file mode 100644
index 000000000000..22bb71d14204
--- /dev/null
+++ b/sys-auth/polkit/files/polkit-0.120-CVE-2021-4043.patch
@@ -0,0 +1,72 @@
+https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
+https://bugs.gentoo.org/832057
+https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch
+
+From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
+
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+   local_agent_handle = NULL;
+   ret = 126;
+ 
++  if (argc < 1)
++    {
++      exit(126);
++    }
++
+   /* Disable remote file access from GIO. */
+   setenv ("GIO_USE_VFS", "local", 1);
+ 
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+   pid_t pid_of_caller;
+   gpointer local_agent_handle;
+ 
++
++  /*
++   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
++   */
++  if (argc<1)
++    {
++      exit(127);
++    }
++
+   ret = 127;
+   authority = NULL;
+   subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+ 
+       path = g_strdup (pwstruct.pw_shell);
+       if (!path)
+-	{
++        {
+           g_printerr ("No shell configured or error retrieving pw_shell\n");
+           goto out;
+-	}
++        }
+       /* If you change this, be sure to change the if (!command_line)
+ 	 case below too */
+       command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+           goto out;
+         }
+       g_free (path);
+-      argv[n] = path = s;
++      path = s;
++
++      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++       */
++      if (argv[n] != NULL)
++      {
++        argv[n] = path;
++      }
+     }
+   if (access (path, F_OK) != 0)
+     {
+GitLab
diff --git a/sys-auth/polkit/polkit-0.120-r2.ebuild b/sys-auth/polkit/polkit-0.120-r2.ebuild
new file mode 100644
index 000000000000..6af327e19f2f
--- /dev/null
+++ b/sys-auth/polkit/polkit-0.120-r2.ebuild
@@ -0,0 +1,120 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit meson pam pax-utils systemd xdg-utils
+
+DESCRIPTION="Policy framework for controlling privileges for system-wide services"
+HOMEPAGE="https://www.freedesktop.org/wiki/Software/polkit https://gitlab.freedesktop.org/polkit/polkit"
+SRC_URI="https://www.freedesktop.org/software/${PN}/releases/${P}.tar.gz"
+
+LICENSE="LGPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~mips ~ppc64 ~riscv ~s390 ~x86"
+IUSE="examples gtk +introspection kde pam selinux systemd test"
+#RESTRICT="!test? ( test )"
+# Tests currently don't work with meson. See
+#   https://gitlab.freedesktop.org/polkit/polkit/-/issues/144
+RESTRICT="test"
+
+BDEPEND="
+	acct-user/polkitd
+	app-text/docbook-xml-dtd:4.1.2
+	app-text/docbook-xsl-stylesheets
+	dev-libs/glib
+	dev-libs/gobject-introspection-common
+	dev-libs/libxslt
+	dev-util/glib-utils
+	sys-devel/gettext
+	virtual/pkgconfig
+	introspection? ( dev-libs/gobject-introspection )
+"
+DEPEND="
+	dev-lang/spidermonkey:78[-debug]
+	dev-libs/glib:2
+	dev-libs/expat
+	pam? (
+		sys-auth/pambase
+		sys-libs/pam
+	)
+	!pam? ( virtual/libcrypt:= )
+	systemd? ( sys-apps/systemd:0=[policykit] )
+	!systemd? ( sys-auth/elogind )
+"
+RDEPEND="${DEPEND}
+	acct-user/polkitd
+	selinux? ( sec-policy/selinux-policykit )
+"
+PDEPEND="
+	gtk? ( || (
+		>=gnome-extra/polkit-gnome-0.105
+		>=lxde-base/lxsession-0.5.2
+	) )
+	kde? ( kde-plasma/polkit-kde-agent )
+"
+
+DOCS=( docs/TODO HACKING NEWS README )
+
+QA_MULTILIB_PATHS="
+	usr/lib/polkit-1/polkit-agent-helper-1
+	usr/lib/polkit-1/polkitd"
+
+src_prepare() {
+	local PATCHES=(
+		"${FILESDIR}/polkit-0.120-meson.patch"
+		"${FILESDIR}/polkit-0.120-CVE-2021-4043.patch"
+	)
+	default
+
+	sed -i -e 's|unix-group:wheel|unix-user:0|' src/polkitbackend/*-default.rules || die #401513
+}
+
+src_configure() {
+	xdg_environment_reset
+
+	local emesonargs=(
+		--localstatedir="${EPREFIX}"/var
+		-Dauthfw="$(usex pam pam shadow)"
+		-Dexamples=false
+		-Dgtk_doc=false
+		-Dman=true
+		-Dos_type=gentoo
+		-Dsession_tracking="$(usex systemd libsystemd-login libelogind)"
+		-Dsystemdsystemunitdir="$(systemd_get_systemunitdir)"
+		$(meson_use introspection)
+		$(meson_use test tests)
+		$(usex pam "-Dpam_module_dir=$(getpam_mod_dir)" '')
+	)
+	meson_src_configure
+}
+
+src_compile() {
+	meson_src_compile
+
+	# Required for polkitd on hardened/PaX due to spidermonkey's JIT
+	pax-mark mr src/polkitbackend/.libs/polkitd test/polkitbackend/.libs/polkitbackendjsauthoritytest
+}
+
+src_install() {
+	meson_src_install
+
+	if use examples ; then
+		docinto examples
+		dodoc src/examples/{*.c,*.policy*}
+	fi
+
+	diropts -m 0700 -o polkitd
+	keepdir /usr/share/polkit-1/rules.d
+
+	# meson does not install required files with SUID bit. See
+	#  https://bugs.gentoo.org/816393
+	# Remove the following lines once this has been fixed by upstream
+	fperms u+s /usr/bin/pkexec
+	fperms u+s /usr/lib/polkit-1/polkit-agent-helper-1
+}
+
+pkg_postinst() {
+	chmod 0700 "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+	chown polkitd "${EROOT}"/{etc,usr/share}/polkit-1/rules.d
+}