~peter-pearse/ubuntu/oneiric/policykit-1/prop001

Viewing changes to debian/patches/00git-pkexec-information-disclosure.patch

Committer: Bazaar Package Importer
Author(s): Martin Pitt
Date: 2010-04-09 12:09:53 UTC
Revision ID: james.westby@ubuntu.com-20100409120953-kvyaz7oeb0x1lz3q

Tags: 0.96-2

* Urgency medium, just two small, but important bug fixes.
* Add 00git-pkexec-information-disclosure.patch: Fix information disclosure
  vulnerability that allows an attacker to verify whether or not arbitrary
  files exist, violating directory permissions.
* 00git-fix-error-freeing.patch: Fix crash when calling CheckAuthorization()
  with an invalid PID. (LP: #540464)

files added:
debian/patches/00git-fix-error-freeing.patch

debian/patches/00git-pkexec-information-disclosure.patch

files modified:
debian/changelog

debian/patches/series

Show diffs side-by-side

added added

removed removed

debian/patches/00git-pkexec-information-disclosure.patch

From 14bdfd816512a82b1ad258fa143ae5faa945df8a Mon Sep 17 00:00:00 2001

From: Dan Rosenberg <dan.j.rosenberg@gmail.com>

Date: Wed, 10 Mar 2010 12:46:19 -0500

Subject: [PATCH 1/2] =?UTF-8?q?Bug=2026982=20=E2=80=93=20pkexec=20information=20disclosure=20vulnerability?=

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

pkexec is vulnerable to a minor information disclosure vulnerability

that allows an attacker to verify whether or not arbitrary files

exist, violating directory permissions. I reproduced the issue on my

Karmic installation as follows:

$ mkdir secret

$ sudo chown root:root secret

$ sudo chmod 400 secret

$ sudo touch secret/hidden

$ pkexec /home/drosenbe/secret/hidden

(password prompt)

$ pkexec /home/drosenbe/secret/doesnotexist

Error getting information about /home/drosenbe/secret/doesnotexist: No such

file or directory

I've attached my patch for the issue. I replaced the stat() call

entirely with access() using F_OK, so rather than check that the

target exists, pkexec now checks if the user has permission to verify

the existence of the program. There might be another way of doing

this, such as chdir()'ing to the parent directory of the target and

calling lstat(), but this seemed like more code than necessary to

prevent such a minor problem. I see no reason to allow pkexec to

execute targets that are not accessible to the executing user because

of directory permissions. This is such a limited use case anyway that

this doesn't really affect functionality.

http://bugs.freedesktop.org/show_bug.cgi?id=26982

Signed-off-by: David Zeuthen <davidz@redhat.com>

---

src/programs/pkexec.c | 5 ++---

1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c

index 860e665..17c191e 100644

--- a/src/programs/pkexec.c

+++ b/src/programs/pkexec.c

@@ -411,7 +411,6 @@ main (int argc, char *argv[])

gchar *opt_user;

pid_t pid_of_caller;

uid_t uid_of_caller;

- struct stat statbuf;

ret = 127;

authority = NULL;

@@ -520,9 +519,9 @@ main (int argc, char *argv[])

g_free (path);

argv[n] = path = s;

}

- if (stat (path, &statbuf) != 0)

+ if (access (path, F_OK) != 0)

{

- g_printerr ("Error getting information about %s: %s\n", path, g_strerror (errno));

+ g_printerr ("Error accessing %s: %s\n", path, g_strerror (errno));

goto out;

}

command_line = g_strjoinv (" ", argv + n);

1.7.0

Older »