Fix for CVE-2021-4034 (PwnKit)

rpm/patches/debian/Local-Privilege-Escalation-in-polkit-s-pkexec-CVE-20.patch

@@ -0,0 +1,68 @@
+From ffb7b93a68c13f80be980411286b7d3de4a18988 Mon Sep 17 00:00:00 2001
+From: Salvatore Bonaccorso <carnil@debian.org>
+Date: Tue, 11 Jan 2022 23:18:04 +0100
+Subject: [PATCH] Local Privilege Escalation in polkit's pkexec (CVE-2021-4034)
+
+[Salvatore Bonaccorso: Backport to 0.105:
+ - Refresh for context changes
+ - Drop help() printout in pkcheck, for versions before e8e18d180888
+   ("Don't spawn man for --help") in 0.111. Instead call usage(). It
+   spawns a manpage, but pkcheck is not setuid root.
+]
+---
+ src/programs/pkcheck.c |  6 ++++++
+ src/programs/pkexec.c  | 25 ++++++++++++++++++++++---
+ 2 files changed, 28 insertions(+), 3 deletions(-)
+
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -353,6 +353,12 @@ main (int argc, char *argv[])
+   local_agent_handle = NULL;
+   ret = 126;
+
++  if (argc < 1)
++    {
++      usage (argc, argv);
++      exit(1);
++    }
++
+   g_type_init ();
+
+   details = polkit_details_new ();
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -475,6 +475,17 @@ main (int argc, char *argv[])
+   pid_t pid_of_caller;
+   gpointer local_agent_handle;
+
++
++  /*
++   * If 'pkexec' is called wrong, just show help and bail out.
++   */
++  if (argc<1)
++    {
++      clearenv();
++      usage (argc, argv);
++      exit(1);
++    }
++
+   ret = 127;
+   authority = NULL;
+   subject = NULL;
+@@ -591,7 +602,15 @@ main (int argc, char *argv[])
+           goto out;
+         }
+       g_free (path);
+-      argv[n] = path = s;
++      path = s;
++
++      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++       */
++      if (argv[n] != NULL)
++      {
++        argv[n] = path;
++      }
+     }
+   if (access (path, F_OK) != 0)
+     {

rpm/patches/debian/series

@@ -61,3 +61,4 @@ Move-D-Bus-policy-file-to-usr-share-dbus-1-system.d.patch
 Statically-link-libpolkit-backend1-into-polkitd.patch
 Remove-example-null-backend.patch
 CVE-2021-3560.patch
+Local-Privilege-Escalation-in-polkit-s-pkexec-CVE-20.patch

rpm/polkit.spec

@@ -69,9 +69,10 @@ Patch0057: patches/debian/Move-D-Bus-policy-file-to-usr-share-dbus-1-system.d.pa
 Patch0058: patches/debian/Statically-link-libpolkit-backend1-into-polkitd.patch
 Patch0059: patches/debian/Remove-example-null-backend.patch
 Patch0060: patches/debian/CVE-2021-3560.patch
-Patch0061: patches/0001-dbus-Use-systemd-service.patch
-Patch0062: patches/0002-build-Disable-gtk-doc-support.patch
-Patch0063: patches/0003-Support-for-annotation-identity-group-check.patch
+Patch0061: patches/debian/Local-Privilege-Escalation-in-polkit-s-pkexec-CVE-20.patch
+Patch0062: patches/0001-dbus-Use-systemd-service.patch
+Patch0063: patches/0002-build-Disable-gtk-doc-support.patch
+Patch0064: patches/0003-Support-for-annotation-identity-group-check.patch
 Requires:   dbus
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig