[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] Polkit should use cryptographically strong cookies
From: |
Andy Wingo |
Subject: |
[PATCH] Polkit should use cryptographically strong cookies |
Date: |
Wed, 24 Feb 2016 16:40:14 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) |
Hi,
[Adding Colin and Miloslav onto Cc as they landed the change in polkit
that this patch modifies.]
Our polkit installation broke when we upgraded to 0.113 because of a bug
introduced when addressing a CVE:
https://bugs.freedesktop.org/show_bug.cgi?id=90837#c20
I created this bug to address the issue:
https://bugs.freedesktop.org/show_bug.cgi?id=94269
The issue includes this patch which fixes the issue for me:
https://github.com/wingo/polkit/commit/4c9a813f3fc1ada4fcce508d286e95f965a3002a
That patch is against polkit master. This one is against 0.113:
https://github.com/wingo/polkit/commit/2b451ebf25f3d3f3f33c693213851a9ca45f1869
I admit still have a hard time understanding polkit's security model
around cookies, so I definitely need some review. Maybe Mark, if you
have any moments? Attached a patch to Guix to update our package to
include this patch. I verify that it fixes the authentication problem
described in the original bug, but it needs more review :)
Thanks in advance for the scrutiny,
Andy
>From 81192534597bffd5cb1237f2c84bc0619c1c0fc2 Mon Sep 17 00:00:00 2001
From: Andy Wingo <address@hidden>
Date: Wed, 24 Feb 2016 16:31:34 +0100
Subject: [PATCH] gnu: polkit: Fix pkexec authentication
* gnu/packages/polkit.scm (polkit): Add patch from
https://bugs.freedesktop.org/show_bug.cgi?id=94269.
---
gnu/packages/polkit.scm | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index 0a4f70f..6adad30 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -48,7 +48,16 @@
(sha256
(base32
"109w86kfqrgz83g9ivggplmgc77rz8kx8646izvm2jb57h4rbh71"))
- (patches (list (search-patch "polkit-drop-test.patch")))
+ (patches
+ (list (search-patch "polkit-drop-test.patch")
+ (origin
+ (method url-fetch)
+ (uri "https://github.com/wingo/polkit/commit/\
+2b451ebf25f3d3f3f33c693213851a9ca45f1869.patch")
+ (sha256
+ (base32
+
"1dnix2pl9vj6gdv9rz0ja3gbijm632lfx7i0sbs0k8h358p06gpw"))
+ (file-name
"polkit-cryptographically-strong-cookies.patch"))))
(modules '((guix build utils)))
(snippet
'(begin
--
2.6.3
- [PATCH] Polkit should use cryptographically strong cookies,
Andy Wingo <=