
[trunk] -> [testing] 'rtkit-0.11+11-1' add

master
M. Herdiansyah 4 years ago
parent
commit
fc6079a8fa
  1. 41
      repos/testing-x86_64/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
  2. 48
      repos/testing-x86_64/PKGBUILD
  3. 41
      trunk/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
  4. 16
      trunk/PKGBUILD

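--- a/repos/testing-x86_64/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
+++ b/repos/testing-x86_64/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
@@ -0,0 +1,41 @@
+Author: Colin Walters <walters@verbum.org>
+From: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4326
+Description: Pass uid of caller to polkit
+Otherwise, we force polkit to look up the uid itself in /proc, which
+is racy if they execve() a setuid binary.
+---
+rtkit-daemon.c | 11 ++++++++++-
+1 file changed, 10 insertions(+), 1 deletion(-)
+--- rtkit.orig/rtkit-daemon.c
++++ rtkit/rtkit-daemon.c
+@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection
+DBusMessage *m = NULL, *r = NULL;
+const char *unix_process = "unix-process";
+const char *pid = "pid";
++ const char *uid = "uid";
+const char *start_time = "start-time";
+const char *cancel_id = "";
+uint32_t flags = 0;
+uint32_t pid_u32 = p->pid;
+- uint64_t start_time_u64 = p->starttime;
++ uint32_t uid_u32 = (uint32_t)u->uid;
+DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
++ uint64_t start_time_u64 = p->starttime;
+int ret;
+dbus_bool_t authorized = FALSE;
+@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection
+assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
+assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
++ assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict));
++ assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid));
++ assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant));
++ assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32));
++ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
++ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
++
+assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array));
+assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));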
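Review bot: The added `uid` dict entry (the six `assert_se(...)` lines in the second hunk) only removes the /proc lookup race named in the patch header if the installed polkit actually reads a `uid` detail on a `unix-process` subject, and nothing on this page pins that: the PKGBUILD carries a bare `depends=(dbus polkit)`. It is worth confirming that the repository's polkit honours that key and, if an older one could still be installed alongside this package, making the dependency versioned. A one-line comment above `uint32_t uid_u32 = (uint32_t)u->uid;`, for example `/* caller uid as known to rtkit; sent so polkit does not re-derive it from /proc */`, would also record why the value is sent. `u` and the rest of verify_polkit lie outside the hunks, so where `u->uid` comes from cannot be checked here. The identical patch is added under trunk/.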

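--- a/repos/testing-x86_64/PKGBUILD
+++ b/repos/testing-x86_64/PKGBUILD
@@ -0,0 +1,48 @@
+# Maintainer: Muhammad Herdiansyah <koni@artixlinux.org>
+# Contributor: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
+# Contributor: Corrado Primier <bardo@aur.archlinux.org>
+pkgname=rtkit
+pkgver=0.11+11
+_pkgver=0.11
+pkgrel=1
+pkgdesc="Realtime Policy and Watchdog Daemon"
+arch=(x86_64)
+url="http://git.0pointer.de/?p=rtkit.git"
+license=(GPL3 'custom:BSD')
+depends=(dbus polkit)
+source=("http://0pointer.de/public/$pkgname-$_pkgver.tar.xz"
+"0001-SECURITY-Pass-uid-of-caller-to-polkit.patch")
+sha256sums=('68859108cff6410901502b58365eb7607da37110a06b837762f771735f58acd0'
+'690dce4fdaedeeadb2bbd9b02673ae5103e8bce08014cd8cb80b48ab19139c86')
+prepare() {
+cd $pkgname-$_pkgver
+patch -Np1 -i ../0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
+}
+build() {
+cd $pkgname-$_pkgver
+./configure \
+--prefix=/usr \
+--sbindir=/usr/bin \
+--sysconfdir=/etc \
+--libexecdir=/usr/lib
+make
+./rtkit-daemon --introspect > org.freedesktop.RealtimeKit1.xml
+}
+package() {
+cd $pkgname-$_pkgver
+make DESTDIR="$pkgdir" install
+install -Dt "$pkgdir/usr/share/dbus-1/interfaces" -m644 org.freedesktop.RealtimeKit1.xml
+echo 'u rtkit 133 "RealtimeKit" /proc' |
+install -Dm644 /dev/stdin "$pkgdir/usr/lib/sysusers.d/$pkgname.conf"
+install -Dt "$pkgdir/usr/share/licenses/$pkgname" -m644 LICENSE
+sed -ne '4,25p' rtkit.c >"$pkgdir/usr/share/licenses/$pkgname/COPYING"
+}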
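Review bot: The upstream entry in `source`, `http://0pointer.de/public/$pkgname-$_pkgver.tar.xz`, is fetched over plain HTTP and the package declares no signature check, so `sha256sums` is the only control between the build and a tampered tarball. The pinned hash does reject a modified download, but it is only as trustworthy as the copy it was first computed from. If the host serves the same file over TLS (not verified here), `source=("https://0pointer.de/public/$pkgname-$_pkgver.tar.xz"` is the lower-risk form. `cd $pkgname-$_pkgver` in `prepare()`, `build()` and `package()` would also be safer quoted as `cd "$pkgname-$_pkgver"`. The same lines appear in trunk/PKGBUILD.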

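--- a/trunk/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
+++ b/trunk/0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
@@ -0,0 +1,41 @@
+Author: Colin Walters <walters@verbum.org>
+From: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4326
+Description: Pass uid of caller to polkit
+Otherwise, we force polkit to look up the uid itself in /proc, which
+is racy if they execve() a setuid binary.
+---
+rtkit-daemon.c | 11 ++++++++++-
+1 file changed, 10 insertions(+), 1 deletion(-)
+--- rtkit.orig/rtkit-daemon.c
++++ rtkit/rtkit-daemon.c
+@@ -1170,12 +1170,14 @@ static int verify_polkit(DBusConnection
+DBusMessage *m = NULL, *r = NULL;
+const char *unix_process = "unix-process";
+const char *pid = "pid";
++ const char *uid = "uid";
+const char *start_time = "start-time";
+const char *cancel_id = "";
+uint32_t flags = 0;
+uint32_t pid_u32 = p->pid;
+- uint64_t start_time_u64 = p->starttime;
++ uint32_t uid_u32 = (uint32_t)u->uid;
+DBusMessageIter iter_msg, iter_struct, iter_array, iter_dict, iter_variant;
++ uint64_t start_time_u64 = p->starttime;
+int ret;
+dbus_bool_t authorized = FALSE;
+@@ -1206,6 +1208,13 @@ static int verify_polkit(DBusConnection
+assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
+assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
++ assert_se(dbus_message_iter_open_container(&iter_array, DBUS_TYPE_DICT_ENTRY, NULL, &iter_dict));
++ assert_se(dbus_message_iter_append_basic(&iter_dict, DBUS_TYPE_STRING, &uid));
++ assert_se(dbus_message_iter_open_container(&iter_dict, DBUS_TYPE_VARIANT, "u", &iter_variant));
++ assert_se(dbus_message_iter_append_basic(&iter_variant, DBUS_TYPE_UINT32, &uid_u32));
++ assert_se(dbus_message_iter_close_container(&iter_dict, &iter_variant));
++ assert_se(dbus_message_iter_close_container(&iter_array, &iter_dict));
++
+assert_se(dbus_message_iter_close_container(&iter_struct, &iter_array));
+assert_se(dbus_message_iter_close_container(&iter_msg, &iter_struct));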

16
trunk/PKGBUILD

@ -3,7 +3,7 @@
# Contributor: Corrado Primier <bardo@aur.archlinux.org>
pkgname=rtkit
pkgver=0.11+9
pkgver=0.11+11
_pkgver=0.11
pkgrel=1
pkgdesc="Realtime Policy and Watchdog Daemon"
@ -11,8 +11,15 @@ arch=(x86_64)
url="http://git.0pointer.de/?p=rtkit.git"
license=(GPL3 'custom:BSD')
depends=(dbus polkit)
source=("http://0pointer.de/public/$pkgname-$_pkgver.tar.xz")
sha256sums=('68859108cff6410901502b58365eb7607da37110a06b837762f771735f58acd0')
source=("http://0pointer.de/public/$pkgname-$_pkgver.tar.xz"
"0001-SECURITY-Pass-uid-of-caller-to-polkit.patch")
sha256sums=('68859108cff6410901502b58365eb7607da37110a06b837762f771735f58acd0'
'690dce4fdaedeeadb2bbd9b02673ae5103e8bce08014cd8cb80b48ab19139c86')
prepare() {
cd $pkgname-$_pkgver
patch -Np1 -i ../0001-SECURITY-Pass-uid-of-caller-to-polkit.patch
}
build() {
cd $pkgname-$_pkgver
@ -36,7 +43,6 @@ package() {
echo 'u rtkit 133 "RealtimeKit" /proc' |
install -Dm644 /dev/stdin "$pkgdir/usr/lib/sysusers.d/$pkgname.conf"
sed -ne '4,25p' rtkit.c |
install -Dm644 /dev/stdin "$pkgdir/usr/share/licenses/$pkgname/COPYING"
install -Dt "$pkgdir/usr/share/licenses/$pkgname" -m644 LICENSE
sed -ne '4,25p' rtkit.c >"$pkgdir/usr/share/licenses/$pkgname/COPYING"
}
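Review bot: In the last hunk COPYING is now written with a shell redirect, `sed -ne '4,25p' rtkit.c >"$pkgdir/usr/share/licenses/$pkgname/COPYING"`, so its mode comes from whatever umask the build runs under instead of the explicit `-m644` that every other installed file in `package()` receives. The redirect also depends on the preceding `install -Dt "$pkgdir/usr/share/licenses/$pkgname" -m644 LICENSE` line having created the directory, so reordering the two lines would break the build. Keeping the piped form, `sed -ne '4,25p' rtkit.c | install -Dm644 /dev/stdin "$pkgdir/usr/share/licenses/$pkgname/COPYING"`, after the LICENSE install avoids both issues. `package()` starts outside this hunk, and the same line is in repos/testing-x86_64/PKGBUILD.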
