-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/patches/polkit-CVE-2021-3560.patch | 21 | ||||
-rw-r--r-- | gnu/packages/polkit.scm | 51 |
3 files changed, 19 insertions, 54 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 4f910300ef..df840da601 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1621,7 +1621,6 @@ dist_patch_DATA = \
 %D%/packages/patches/plib-CVE-2011-4620.patch \
 %D%/packages/patches/plib-CVE-2012-4552.patch \
 %D%/packages/patches/plotutils-spline-test.patch \
- %D%/packages/patches/polkit-CVE-2021-3560.patch \
 %D%/packages/patches/portaudio-audacity-compat.patch \
 %D%/packages/patches/portmidi-modular-build.patch \
 %D%/packages/patches/postgresql-disable-resolve_symlinks.patch \
diff --git a/gnu/packages/patches/polkit-CVE-2021-3560.patch b/gnu/packages/patches/polkit-CVE-2021-3560.patch
deleted file mode 100644
index 9aa0373fda..0000000000
--- a/gnu/packages/patches/polkit-CVE-2021-3560.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-This patch fixes CVE-2021-3560, "local privilege escalation using
-polkit_system_bus_name_get_creds_sync()":
-
- https://www.openwall.com/lists/oss-security/2021/06/03/1
-
-Patch from <https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a>.
-
-diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
-index 8daa12cb9093c1d765c7b83654a2b8d0d382378e..8ed13631508dd96624898df90ee2ece4dcf3e1e5 100644
---- a/src/polkit/polkitsystembusname.c
-+++ b/src/polkit/polkitsystembusname.c
-@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
- g_main_context_iteration (tmp_context, TRUE);
-
-+ if (data.caught_error)
-+ goto out;
-+
- if (out_uid)
- *out_uid = data.uid;
- if (out_pid)
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index 9be5de2aad..ef58f36d6c 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -7,6 +7,7 @@ ;;; Copyright © 2017 Huang Ying <huang.ying.caritas@gmail.com> ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net> +;;; Copyright © 2021 Morgan Smith <Morgan.J.Smith@outlook.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -33,6 +34,7 @@ #:use-module (gnu packages freedesktop) #:use-module (gnu packages glib) #:use-module (gnu packages gtk) + #:use-module (gnu packages docbook) #:use-module (gnu packages gnuzilla) #:use-module (gnu packages linux) #:use-module (gnu packages nss) @@ -44,8 +46,7 @@ (define-public polkit (package (name "polkit") - (version "0.116") - (replacement polkit/fixed) + (version "0.120") (source (origin (method url-fetch) (uri (string-append @@ -53,7 +54,7 @@ name "-" version ".tar.gz")) (sha256 (base32 - "1c9lbpndh5zis22f154vjrhnqw65z8s85nrgl42v738yf6g0q5w8")) + "00zfg9b9ivkcj2jcf5b92cpvvyljz8cmfwj86lkvy5rihnd5jypf")) (modules '((guix build utils))) (snippet '(begin 
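Review bot: With `(replacement polkit/fixed)` removed in the `@@ -44,8 +46,7 @@` hunk and the patch file deleted, protection against CVE-2021-3560 now rests entirely on the 0.120 tarball carrying the upstream fix, and nothing in the package definition records that. Presumably 0.120 contains commit a04d13a, but it is worth confirming that `polkit_system_bus_name_get_creds_sync` in the unpacked source has the `if (data.caught_error) goto out;` guard, and saying so in the commit log. The package body continues outside this hunk.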
@@ -62,36 +63,21 @@ (substitute* "test/Makefile.in" (("SUBDIRS = mocklibc . polkit polkitbackend") "SUBDIRS = mocklibc . polkit")) - (substitute* "configure" - ;; Replace libsystemd-login with libelogind. - (("libsystemd-login") "libelogind") - ;; Skip the sanity check that the current system runs - ;; systemd. - (("test ! -d /sys/fs/cgroup/systemd/") "false")) - (substitute* "src/polkit/polkitunixsession-systemd.c" - (("systemd") "elogind")) - (substitute* "src/polkitbackend/polkitbackendsessionmonitor-systemd.c" - (("systemd") "elogind")) - (substitute* "src/polkitbackend/polkitbackendjsauthority.cpp" - (("systemd") "elogind")) - ;; Guix System's polkit service stores actions under ;; /etc/polkit-1/actions. (substitute* "src/polkitbackend/polkitbackendinteractiveauthority.c" (("PACKAGE_DATA_DIR \"/polkit-1/actions\"") "PACKAGE_SYSCONF_DIR \"/polkit-1/actions\"")) - ;; Set the setuid helper's real location. (substitute* "src/polkitagent/polkitagentsession.c" (("PACKAGE_PREFIX \"/lib/polkit-1/polkit-agent-helper-1\"") - "\"/run/setuid-programs/polkit-agent-helper-1\"")) - #t)))) + "\"/run/setuid-programs/polkit-agent-helper-1\"")))))) (build-system gnu-build-system) (inputs `(("expat" ,expat) ("linux-pam" ,linux-pam) ("elogind" ,elogind) - ("mozjs" ,mozjs-60) + ("mozjs" ,mozjs-78) ("nspr" ,nspr))) (propagated-inputs `(("glib" ,glib))) ; required by polkit-gobject-1.pc @@ -99,7 +85,9 @@ `(("pkg-config" ,pkg-config) ("glib:bin" ,glib "bin") ; for glib-mkenums ("intltool" ,intltool) - ("gobject-introspection" ,gobject-introspection))) + ("gobject-introspection" ,gobject-introspection) + ("libxslt" ,libxslt) ; for man page generation + ("docbook-xsl" ,docbook-xsl))) ; for man page generation (arguments `(#:configure-flags '("--sysconfdir=/etc" "--enable-man-pages" 
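Review bot: Once the `configure` and `"systemd"` to `"elogind"` substitutions are dropped from the snippet, nothing visible in this hunk forces session tracking to be built against the `elogind` input that is still listed. If 0.120's configure only auto-detects the library, a detection miss would presumably still build successfully but without logind-style session tracking, which changes how active/local session checks in authorization rules are evaluated. Consider making the choice explicit in `#:configure-flags`, e.g. `"--enable-libelogind=yes"` (verify that this release's configure offers the switch), so a miss fails the build instead of degrading silently. The snippet and the flag list both continue outside the hunk.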
@@ -118,8 +106,15 @@ (("@INTROSPECTION_GIRDIR@") (string-append out "/share/gir-1.0/")) (("@INTROSPECTION_TYPELIBDIR@") - (string-append out "/lib/girepository-1.0/"))) - #t))) + (string-append out "/lib/girepository-1.0/")))))) + (add-after 'unpack 'fix-manpage-generation + (lambda* (#:key inputs #:allow-other-keys) + (let ((xsldoc (string-append (assoc-ref inputs "docbook-xsl") + "/xml/xsl/docbook-xsl-" + ,(package-version docbook-xsl)))) + (substitute* '("docs/man/Makefile.am" "docs/man/Makefile.in") + (("http://docbook.sourceforge.net/release/xsl/current") + xsldoc))))) (replace 'install (lambda* (#:key outputs (make-flags '()) #:allow-other-keys) @@ -131,8 +126,7 @@ (string-append "sysconfdir=" out "/etc") (string-append "polkit_actiondir=" out "/share/polkit-1/actions") - make-flags) - #t)))))) + make-flags))))))) (home-page "https://www.freedesktop.org/wiki/Software/polkit/") (synopsis "Authorization API for privilege management") (description "Polkit is an application-level toolkit for defining and @@ -142,13 +136,6 @@ making process with respect to granting access to privileged operations for unprivileged applications.") (license lgpl2.0+))) -(define polkit/fixed - (package - (inherit polkit) - (source (origin - (inherit (package-source polkit)) - (patches (search-patches "polkit-CVE-2021-3560.patch")))))) - (define-public polkit-qt (package (name "polkit-qt") |
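Review bot: The new `fix-manpage-generation` phase in the `@@ -118,8 +106,15 @@` hunk has no comment saying why the stylesheet URL is rewritten. I would add above the `substitute*`: `;; Use the docbook-xsl input; the http:// stylesheet URL must not be fetched at build time.` Because `substitute*` does not fail when its pattern stops matching, a future upstream change to that URL would silently bring back the plain-http reference, so the comment should also tell the next updater to re-check it. `docs/man/Makefile.am` is only consumed if the autotools files are regenerated, which this hunk does not show.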