[Bug 256405] sysutils/polkit: Update to 0.119

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 256405] sysutils/polkit: Update to 0.119"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 04 Jun 2021 18:30:28 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256405

--- Comment #3 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9

commit 0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-06-04 18:27:49 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-06-04 18:29:52 +0000

    security/vuxml: document vulnerability in sysutils/polkit

    Cedric Buissart reports:

            The function `polkit_system_bus_name_get_creds_sync` is used to get
the
            uid and pid of the process requesting the action. It does this by
            sending the unique bus name of the requesting process, which is
            typically something like ":1.96", to `dbus-daemon`. These unique
names
            are assigned and managed by `dbus-daemon` and cannot be forged, so
this
            is a good way to check the privileges of the requesting process.

            The vulnerability happens when the requesting process disconnects
from
            `dbus-daemon` just before the call to
            `polkit_system_bus_name_get_creds_sync` starts. In this scenario,
the
            unique bus name is no longer valid, so `dbus-daemon` sends back an
error
            reply. This error case is handled in
            `polkit_system_bus_name_get_creds_sync` by setting the value of the
            `error` parameter, but it still returns `TRUE`, rather than
`FALSE`.
            This behavior means that all callers of
            `polkit_system_bus_name_get_creds_sync` need to carefully check
whether
            an error was set. If the calling function forgets to check for
errors
            then it will think that the uid of the requesting process is 0
(because
            the `AsyncGetBusNameCredsData` struct is zero initialized). In
other
            words, it will think that the action was requested by a root
process,
            and will therefore allow it.

    PR:             256405
    Security:       CVE-2021-3560 polkit

 security/vuxml/vuln.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

-- 
You are receiving this mail because:
You are the assignee for the bug.