aboutsummaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
diff options
context:
space:
mode:
authorDan Tran <dantran@microsoft.com>2019-09-25 17:12:49 +0000
committerArmin Kuster <akuster808@gmail.com>2019-10-05 09:01:00 -0700
commiteb9b369b2491aabdbda08c3b3c87f36caa0bdd0f (patch)
tree3ef3038a03afd8a3f7de57d8850ba00fc158281c /meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
parent436cf0aa2b2802da706588d4daa1a8240d172df8 (diff)
downloadmeta-openembedded-eb9b369b2491aabdbda08c3b3c87f36caa0bdd0f.tar.gz
meta-openembedded-eb9b369b2491aabdbda08c3b3c87f36caa0bdd0f.tar.bz2
meta-openembedded-eb9b369b2491aabdbda08c3b3c87f36caa0bdd0f.zip
polkit: Fix CVE-2018-19788
Signed-off-by: Dan Tran <dantran@microsoft.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch')
-rw-r--r--meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch153
1 files changed, 153 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
new file mode 100644
index 000000000..097dfd921
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2018-19788_p2.patch
@@ -0,0 +1,153 @@
+From 17f18d9f81d99b014c680e7e50198d7f190b804e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 3 Dec 2018 11:20:34 +0100
+Subject: [PATCH 2/3] tests: add tests for high uids
+
+CVE: CVE-2018-19788
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/polkit/polkit/commit/b534a10727455409acd54018a9c91000e7626126]
+
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ test/data/etc/group | 1 +
+ test/data/etc/passwd | 2 +
+ .../etc/polkit-1/rules.d/10-testing.rules | 21 ++++++
+ .../test-polkitbackendjsauthority.c | 72 +++++++++++++++++++
+ 4 files changed, 96 insertions(+)
+
+diff --git a/test/data/etc/group b/test/data/etc/group
+index 12ef328..b9acab9 100644
+--- a/test/data/etc/group
++++ b/test/data/etc/group
+@@ -5,3 +5,4 @@ john:x:500:
+ jane:x:501:
+ sally:x:502:
+ henry:x:503:
++highuid2:x:4000000000:
+diff --git a/test/data/etc/passwd b/test/data/etc/passwd
+index 8544feb..5cf14a5 100644
+--- a/test/data/etc/passwd
++++ b/test/data/etc/passwd
+@@ -3,3 +3,5 @@ john:x:500:500:John Done:/home/john:/bin/bash
+ jane:x:501:501:Jane Smith:/home/jane:/bin/bash
+ sally:x:502:502:Sally Derp:/home/sally:/bin/bash
+ henry:x:503:503:Henry Herp:/home/henry:/bin/bash
++highuid1:x:2147483648:2147483648:The first high uid:/home/highuid1:/sbin/nologin
++highuid2:x:4000000000:4000000000:An example high uid:/home/example:/sbin/nologin
+diff --git a/test/data/etc/polkit-1/rules.d/10-testing.rules b/test/data/etc/polkit-1/rules.d/10-testing.rules
+index 446e622..98bf062 100644
+--- a/test/data/etc/polkit-1/rules.d/10-testing.rules
++++ b/test/data/etc/polkit-1/rules.d/10-testing.rules
+@@ -53,6 +53,27 @@ polkit.addRule(function(action, subject) {
+ }
+ });
+
++polkit.addRule(function(action, subject) {
++ if (action.id == "net.company.john_action") {
++ if (subject.user == "john") {
++ return polkit.Result.YES;
++ } else {
++ return polkit.Result.NO;
++ }
++ }
++});
++
++polkit.addRule(function(action, subject) {
++ if (action.id == "net.company.highuid2_action") {
++ if (subject.user == "highuid2") {
++ return polkit.Result.YES;
++ } else {
++ return polkit.Result.NO;
++ }
++ }
++});
++
++
+ // ---------------------------------------------------------------------
+ // variables
+
+diff --git a/test/polkitbackend/test-polkitbackendjsauthority.c b/test/polkitbackend/test-polkitbackendjsauthority.c
+index b484a26..71aad23 100644
+--- a/test/polkitbackend/test-polkitbackendjsauthority.c
++++ b/test/polkitbackend/test-polkitbackendjsauthority.c
+@@ -330,6 +330,78 @@ static const RulesTestCase rules_test_cases[] = {
+ NULL,
+ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
+ },
++
++ {
++ /* highuid1 is not a member of group 'users', see test/data/etc/group */
++ "group_membership_with_non_member(highuid22)",
++ "net.company.group.only_group_users",
++ "unix-user:highuid2",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
++
++ {
++ /* highuid2 is not a member of group 'users', see test/data/etc/group */
++ "group_membership_with_non_member(highuid21)",
++ "net.company.group.only_group_users",
++ "unix-user:highuid2",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
++
++ {
++ /* highuid1 is not a member of group 'users', see test/data/etc/group */
++ "group_membership_with_non_member(highuid24)",
++ "net.company.group.only_group_users",
++ "unix-user:2147483648",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
++
++ {
++ /* highuid2 is not a member of group 'users', see test/data/etc/group */
++ "group_membership_with_non_member(highuid23)",
++ "net.company.group.only_group_users",
++ "unix-user:4000000000",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
++
++ {
++ /* john is authorized to do this, see 10-testing.rules */
++ "john_action",
++ "net.company.john_action",
++ "unix-user:john",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
++ },
++
++ {
++ /* only john is authorized to do this, see 10-testing.rules */
++ "jane_action",
++ "net.company.john_action",
++ "unix-user:jane",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
++
++ {
++ /* highuid2 is authorized to do this, see 10-testing.rules */
++ "highuid2_action",
++ "net.company.highuid2_action",
++ "unix-user:highuid2",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_AUTHORIZED,
++ },
++
++ {
++ /* only highuid2 is authorized to do this, see 10-testing.rules */
++ "highuid1_action",
++ "net.company.highuid2_action",
++ "unix-user:highuid1",
++ NULL,
++ POLKIT_IMPLICIT_AUTHORIZATION_NOT_AUTHORIZED,
++ },
+ };
+
+ /* ---------------------------------------------------------------------------------------------------- */
+--
+2.22.0.vfs.1.1.57.gbaf16c8