Package: policykit-1 / 0.105-15~deb8u2

0.113/Refuse-duplicate-user-arguments-to-pkexec.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
From: =?utf-8?q?Miloslav_Trma=C4=8D?= <mitr@redhat.com>
Date: Tue, 26 Aug 2014 17:59:47 +0200
Subject: Refuse duplicate --user arguments to pkexec

This usage is clearly errorneous, so we should tell the users they are
making a mistake.

Besides, this allows an attacker to cause a high number of heap
allocations with attacker-controlled sizes (
http://googleprojectzero.blogspot.cz/2014/08/the-poisoned-nul-byte-2014-edition.html
), making some exploits easier.

(To be clear, this is not a pkexec vulnerability, and we will not
refuse attacker-affected malloc() usage as a matter of policy; but this
commit is both user-friendly and adding some hardening.)

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83093
Origin: upstream, 0.113, commit:6c992bc8aefa195a41eaa41c07f46f17de18e25c
---
 src/programs/pkexec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 5e99044..abc660d 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -533,6 +533,11 @@ main (int argc, char *argv[])
               goto out;
             }
 
+          if (opt_user != NULL)
+            {
+              g_printerr ("--user specified twice\n");
+              goto out;
+            }
           opt_user = g_strdup (argv[n]);
         }
       else if (strcmp (argv[n], "--disable-internal-agent") == 0)