Hi,
For those still running CentOS 6 somewhere, the patch below can be added
to the source RPM.
Verified to fix the issue on CentOS 6.10 x86_64 with this exploit:
https://packetstormsecurity.com/files/165728/Polkit-pkexec-CVE-2021-4034-Proof-Of-Concept.html
Regards,
Simon
PS: Sure, I know nobody is really running old EL6 anymore :-)
diff -Naupr polkit-0.96.patched/src/programs/pkcheck.c
polkit-0.96/src/programs/pkcheck.c
--- polkit-0.96.patched/src/programs/pkcheck.c 2022-01-26
17:03:29.059789167 +0100
+++ polkit-0.96/src/programs/pkcheck.c 2022-01-26 17:04:34.051159050 +0100
@@ -96,6 +96,11 @@ main (int argc, char *argv[])
allow_user_interaction = FALSE;
ret = 126;
+ if (argc < 1)
+ {
+ exit(126);
+ }
+
g_type_init ();
details = polkit_details_new ();
diff -Naupr polkit-0.96.patched/src/programs/pkexec.c
polkit-0.96/src/programs/pkexec.c
--- polkit-0.96.patched/src/programs/pkexec.c 2022-01-26
17:03:29.046789093 +0100
+++ polkit-0.96/src/programs/pkexec.c 2022-01-26 17:04:34.056159079 +0100
@@ -415,6 +415,14 @@ main (int argc, char *argv[])
gchar *opt_user;
pid_t pid_of_caller;
+ /*
+ * If 'pkexec' is called THIS wrong, someone's probably evil-doing.
Don't be nice, just bail out.
+ */
+ if (argc < 1)
+ {
+ exit(127);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -520,7 +528,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be
null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't
write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
