[rtkit] CVE-2013-4326

Colin Walters walters at fedoraproject.org
Mon Sep 23 21:40:29 UTC 2013


commit 77a6f58173426688dd21529b0186fa48345ca1cc
Author: Colin Walters <walters at verbum.org>
Date:   Mon Sep 23 17:34:55 2013 -0400

    CVE-2013-4326
    
      Resolves: #1009543

 0001-SECURITY-Pass-uid-of-caller-to-polkit.patch |   48 ++++++++++++++++++++++
 rtkit.spec                                       |    8 +++-
 2 files changed, 55 insertions(+), 1 deletions(-)
---
diff --git a/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch b/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
new file mode 100644
index 0000000..92e54b9
--- /dev/null
+++ b/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
@@ -0,0 +1,48 @@
+From f44c5776b25ca2abd7569fb8532c6aede9b0c6b0 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters at verbum.org>
+Date: Thu, 22 Aug 2013 16:05:22 -0400
+Subject: [PATCH] [SECURITY] Pass uid of caller to polkit
+
+Otherwise, we force polkit to look up the uid itself in /proc, which
+is racy if they execve() a setuid binary.
+---
+ rtkit-daemon.c |   11 ++++++++++-
+ 1 files changed, 10 insertions(+), 1 deletions(-)
+
+diff --git a/rtkit-daemon.c b/rtkit-daemon.c
+index 2ebe673..3ecc1f7 100644
+--- a/rtkit-daemon.c
++++ b/rtkit-daemon.c
+@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
+         DBusMessage *m = NULL, *r = NULL;
+         const char *unix_process = "unix-process";
+         const char *pid = "pid";
++        const char *uid = "uid";
+         const char *start_time = "start-time";
+         const char *cancel_id = "";
+         uint32_t flags = 0;
+         uint32_t pid_u32 = p->pid;
+-        uint64_t start_time_u64 = p->starttime;
++        uint32_t uid_u32 = (uint32_t)u->uid;
+         DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
++        uint64_t start_time_u64 = p->starttime;
+         int ret;
+         dbus_bool_t authorized = FALSE;
+ 
+@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection *c, struct rtkit_user *u, struct process
+         assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
+         assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
+ 
++        assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict));
++        assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid));
++        assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant));
++        assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32));
++        assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
++        assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
++
+         assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array));
+         assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));
+ 
+-- 
+1.7.1
+
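Review bot: The `uid` dict entry added to verify_polkit's subject only closes the race if `u->uid` was captured from the bus daemon for the calling connection and not re-read from /proc. `u` is filled in outside this hunk, so that should be confirmed before relying on the fix. The block also has no comment saying why the uid is sent, and a later cleanup could drop it as redundant with `pid`/`start-time`; I would add `/* Pass the caller's uid explicitly: polkit would otherwise read it from /proc, which races with execve() of a setuid binary. */` above the first `dbus_message_iter_open_container` of the new entry. verify_polkit starts and ends outside the nested hunks.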
diff --git a/rtkit.spec b/rtkit.spec
index a1be6db..02bd223 100644
--- a/rtkit.spec
+++ b/rtkit.spec
@@ -1,6 +1,6 @@
 Name:             rtkit
 Version:          0.11
-Release:          6%{?dist}
+Release:          7%{?dist}
 Summary:          Realtime Policy and Watchdog Daemon
 Group:            System Environment/Base
 # The daemon itself is GPLv3+, the reference implementation for the client BSD
@@ -17,6 +17,7 @@ BuildRequires:    polkit-devel
 BuildRequires:    autoconf automake libtool
 Source0:          http://0pointer.de/public/%{name}-%{version}.tar.xz
 Patch1:           0001-build-Link-against-lrt.patch
+Patch2:           0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
 
 %description
 RealtimeKit is a D-Bus system service that changes the
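Review bot: Nothing in this spec change ties the package to a polkit that reads the `uid` key the new patch sends; the only polkit reference visible is the unversioned `BuildRequires: polkit-devel` in the hunk header. If an older polkit ignores unknown subject keys (not verifiable from this page), the daemon would still fall back to the racy /proc lookup and the fix would be silently ineffective. A versioned runtime dependency such as `Requires: polkit >= <FIXED_POLKIT_VERSION>` (placeholder, to be filled with the release that honours `uid`) would make the update safe to install on its own.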
@@ -28,6 +29,7 @@ processes.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 
 %build
 autoreconf -fvi
@@ -77,6 +79,10 @@ dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesk
 %{_mandir}/man8/*
 
 %changelog
+* Mon Sep 23 2013 Colin Walters <walters at verbum.org> - 0.11-7
+- CVE-2013-4326
+  Resolves: #1009543
+
 * Thu Aug 22 2013 Colin Walters <walters at verbum.org> - 0.11-6
 - Add patch to make this build again
 

