1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
From ed8b418f1341cf7fc576f6b17de5c6dd4017e034 Mon Sep 17 00:00:00 2001
From: "Jeremy A. Puhlman" <jpuhlman@mvista.com>
Date: Thu, 27 Jan 2022 00:01:27 +0000
Subject: [PATCH] CVE-2021-4034: Local privilege escalation in pkexec due to
incorrect handling of argument vector
Upstream-Status: Backport https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
CVE: CVE-2021-4034
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
---
src/programs/pkcheck.c | 6 ++++++
src/programs/pkexec.c | 21 ++++++++++++++++++++-
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index f1bb4e1..aff4f60 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -363,6 +363,12 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ help();
+ exit(1);
+ }
+
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 7698c5c..3ff4c58 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,17 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called wrong, just show help and bail out.
+ */
+ if (argc<1)
+ {
+ clearenv();
+ usage(argc, argv);
+ exit(1);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -636,7 +647,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{
--
2.26.2
|