authorMarius Bakke <mbakke@fastmail.com>2019-06-04 18:25:58 +0200
committerMarius Bakke <mbakke@fastmail.com>2019-06-05 00:37:39 +0200
commit3588419553176daadcb59644037d169574542b42 (patch)
tree047df9dda8330eb966d14515751d51e29f9fad6f
parent261e9db2cd9669f74ee47f75907725c7d3d01d1b (diff)
gnu: polkit: Update to 0.116 [fixes CVE-2019-6133].
* gnu/packages/patches/polkit-CVE-2018-19788.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/polkit.scm (polkit): Update to 0.116.
[source](patches): Remove.
[inputs]: Change MOZJS-52 to MOZJS-60.
[arguments]: Add CXXFLAGS=-std=gnu++11 to #:configure-flags.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/polkit-CVE-2018-19788.patch197
-rw-r--r--gnu/packages/polkit.scm10
3 files changed, 6 insertions, 202 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 9680212c06..6878aef44a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1163,7 +1163,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/plink-endian-detection.patch		\
   %D%/packages/patches/plotutils-libpng-jmpbuf.patch		\
   %D%/packages/patches/podofo-cmake-3.12.patch			\
-  %D%/packages/patches/polkit-CVE-2018-19788.patch		\
   %D%/packages/patches/portaudio-audacity-compat.patch		\
   %D%/packages/patches/portmidi-modular-build.patch		\
   %D%/packages/patches/postgresql-disable-resolve_symlinks.patch	\
diff --git a/gnu/packages/patches/polkit-CVE-2018-19788.patch b/gnu/packages/patches/polkit-CVE-2018-19788.patch
deleted file mode 100644
index 58cde6c5dc..0000000000
--- a/gnu/packages/patches/polkit-CVE-2018-19788.patch
+++ /dev/null
@@ -1,197 +0,0 @@
-Fix CVE-2018-19788:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19788
-https://gitlab.freedesktop.org/polkit/polkit/issues/74
-
-Patch copied from upstream source repository:
-
-https://gitlab.freedesktop.org/polkit/polkit/commit/2cb40c4d5feeaa09325522bd7d97910f1b59e379
-
-From 2cb40c4d5feeaa09325522bd7d97910f1b59e379 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Mon, 3 Dec 2018 10:28:58 +0100
-Subject: [PATCH] Allow negative uids/gids in PolkitUnixUser and Group objects
-
-(uid_t) -1 is still used as placeholder to mean "unset". This is OK, since
-there should be no users with such number, see
-https://systemd.io/UIDS-GIDS#special-linux-uids.
-
-(uid_t) -1 is used as the default value in class initialization.
-
-When a user or group above INT32_MAX is created, the numeric uid or
-gid wraps around to negative when the value is assigned to gint, and
-polkit gets confused. Let's accept such gids, except for -1.
-
-A nicer fix would be to change the underlying type to e.g. uint32 to
-not have negative values. But this cannot be done without breaking the
-API, so likely new functions will have to be added (a
-polkit_unix_user_new variant that takes a unsigned, and the same for
-_group_new, _set_uid, _get_uid, _set_gid, _get_gid, etc.). This will
-require a bigger patch.
-
-Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
----
- src/polkit/polkitunixgroup.c   | 15 +++++++++++----
- src/polkit/polkitunixprocess.c | 12 ++++++++----
- src/polkit/polkitunixuser.c    | 13 ++++++++++---
- 3 files changed, 29 insertions(+), 11 deletions(-)
-
-diff --git a/src/polkit/polkitunixgroup.c b/src/polkit/polkitunixgroup.c
-index c57a1aa..309f689 100644
---- a/src/polkit/polkitunixgroup.c
-+++ b/src/polkit/polkitunixgroup.c
-@@ -71,6 +71,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixGroup, polkit_unix_group, G_TYPE_OBJECT,
- static void
- polkit_unix_group_init (PolkitUnixGroup *unix_group)
- {
-+  unix_group->gid = -1; /* (git_t) -1 is not a valid GID under Linux */
- }
- 
- static void
-@@ -100,11 +101,14 @@ polkit_unix_group_set_property (GObject      *object,
-                                GParamSpec   *pspec)
- {
-   PolkitUnixGroup *unix_group = POLKIT_UNIX_GROUP (object);
-+  gint val;
- 
-   switch (prop_id)
-     {
-     case PROP_GID:
--      unix_group->gid = g_value_get_int (value);
-+      val = g_value_get_int (value);
-+      g_return_if_fail (val != -1);
-+      unix_group->gid = val;
-       break;
- 
-     default:
-@@ -131,9 +135,9 @@ polkit_unix_group_class_init (PolkitUnixGroupClass *klass)
-                                    g_param_spec_int ("gid",
-                                                      "Group ID",
-                                                      "The UNIX group ID",
--                                                     0,
-+                                                     G_MININT,
-                                                      G_MAXINT,
--                                                     0,
-+                                                     -1,
-                                                      G_PARAM_CONSTRUCT |
-                                                      G_PARAM_READWRITE |
-                                                      G_PARAM_STATIC_NAME |
-@@ -166,9 +170,10 @@ polkit_unix_group_get_gid (PolkitUnixGroup *group)
-  */
- void
- polkit_unix_group_set_gid (PolkitUnixGroup *group,
--                          gint gid)
-+                           gint gid)
- {
-   g_return_if_fail (POLKIT_IS_UNIX_GROUP (group));
-+  g_return_if_fail (gid != -1);
-   group->gid = gid;
- }
- 
-@@ -183,6 +188,8 @@ polkit_unix_group_set_gid (PolkitUnixGroup *group,
- PolkitIdentity *
- polkit_unix_group_new (gint gid)
- {
-+  g_return_val_if_fail (gid != -1, NULL);
-+
-   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_GROUP,
-                                        "gid", gid,
-                                        NULL));
-diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
-index 972b777..b02b258 100644
---- a/src/polkit/polkitunixprocess.c
-+++ b/src/polkit/polkitunixprocess.c
-@@ -159,9 +159,14 @@ polkit_unix_process_set_property (GObject      *object,
-       polkit_unix_process_set_pid (unix_process, g_value_get_int (value));
-       break;
- 
--    case PROP_UID:
--      polkit_unix_process_set_uid (unix_process, g_value_get_int (value));
-+    case PROP_UID: {
-+      gint val;
-+
-+      val = g_value_get_int (value);
-+      g_return_if_fail (val != -1);
-+      polkit_unix_process_set_uid (unix_process, val);
-       break;
-+    }
- 
-     case PROP_START_TIME:
-       polkit_unix_process_set_start_time (unix_process, g_value_get_uint64 (value));
-@@ -239,7 +244,7 @@ polkit_unix_process_class_init (PolkitUnixProcessClass *klass)
-                                    g_param_spec_int ("uid",
-                                                      "User ID",
-                                                      "The UNIX user ID",
--                                                     -1,
-+                                                     G_MININT,
-                                                      G_MAXINT,
-                                                      -1,
-                                                      G_PARAM_CONSTRUCT |
-@@ -303,7 +308,6 @@ polkit_unix_process_set_uid (PolkitUnixProcess *process,
-                              gint               uid)
- {
-   g_return_if_fail (POLKIT_IS_UNIX_PROCESS (process));
--  g_return_if_fail (uid >= -1);
-   process->uid = uid;
- }
- 
-diff --git a/src/polkit/polkitunixuser.c b/src/polkit/polkitunixuser.c
-index 8bfd3a1..234a697 100644
---- a/src/polkit/polkitunixuser.c
-+++ b/src/polkit/polkitunixuser.c
-@@ -72,6 +72,7 @@ G_DEFINE_TYPE_WITH_CODE (PolkitUnixUser, polkit_unix_user, G_TYPE_OBJECT,
- static void
- polkit_unix_user_init (PolkitUnixUser *unix_user)
- {
-+  unix_user->uid = -1;  /* (uid_t) -1 is not a valid UID under Linux */
-   unix_user->name = NULL;
- }
- 
-@@ -112,11 +113,14 @@ polkit_unix_user_set_property (GObject      *object,
-                                GParamSpec   *pspec)
- {
-   PolkitUnixUser *unix_user = POLKIT_UNIX_USER (object);
-+  gint val;
- 
-   switch (prop_id)
-     {
-     case PROP_UID:
--      unix_user->uid = g_value_get_int (value);
-+      val = g_value_get_int (value);
-+      g_return_if_fail (val != -1);
-+      unix_user->uid = val;
-       break;
- 
-     default:
-@@ -144,9 +148,9 @@ polkit_unix_user_class_init (PolkitUnixUserClass *klass)
-                                    g_param_spec_int ("uid",
-                                                      "User ID",
-                                                      "The UNIX user ID",
--                                                     0,
-+                                                     G_MININT,
-                                                      G_MAXINT,
--                                                     0,
-+                                                     -1,
-                                                      G_PARAM_CONSTRUCT |
-                                                      G_PARAM_READWRITE |
-                                                      G_PARAM_STATIC_NAME |
-@@ -182,6 +186,7 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
-                           gint uid)
- {
-   g_return_if_fail (POLKIT_IS_UNIX_USER (user));
-+  g_return_if_fail (uid != -1);
-   user->uid = uid;
- }
- 
-@@ -196,6 +201,8 @@ polkit_unix_user_set_uid (PolkitUnixUser *user,
- PolkitIdentity *
- polkit_unix_user_new (gint uid)
- {
-+  g_return_val_if_fail (uid != -1, NULL);
-+
-   return POLKIT_IDENTITY (g_object_new (POLKIT_TYPE_UNIX_USER,
-                                         "uid", uid,
-                                         NULL));
--- 
-2.18.1
-
diff --git a/gnu/packages/polkit.scm b/gnu/packages/polkit.scm
index ccb8ebf8f8..ac24adef43 100644
--- a/gnu/packages/polkit.scm
+++ b/gnu/packages/polkit.scm
@@ -43,16 +43,15 @@
 (define-public polkit
   (package
     (name "polkit")
-    (version "0.115")
+    (version "0.116")
     (source (origin
              (method url-fetch)
              (uri (string-append
                    "https://www.freedesktop.org/software/polkit/releases/"
                    name "-" version ".tar.gz"))
-             (patches (search-patches "polkit-CVE-2018-19788.patch"))
              (sha256
               (base32
-               "0c91y61y4gy6p91cwbzg32dhavw4b7fflg370rimqhdxpzdfr1rg"))
+               "1c9lbpndh5zis22f154vjrhnqw65z8s85nrgl42v738yf6g0q5w8"))
              (modules '((guix build utils)))
              (snippet
               '(begin
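Review bot: The `(patches (search-patches "polkit-CVE-2018-19788.patch"))` field is dropped from the origin, but nothing in the commit records that the 0.116 tarball already carries that fix; the log only says `[source](patches): Remove.` and names CVE-2019-6133. Presumably upstream commit 2cb40c4d5feeaa09325522bd7d97910f1b59e379, which the deleted patch cites, is part of the 0.116 release, but that should be checked against the release and stated, for example `[source](patches): Remove; the fix is included in 0.116.` Without it a later reader cannot tell whether the uid/gid handling for values above INT32_MAX was kept or silently lost with the update. The package definition continues outside this hunk.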
@@ -90,7 +89,7 @@
      `(("expat" ,expat)
        ("linux-pam" ,linux-pam)
        ("elogind" ,elogind)
-       ("mozjs" ,mozjs-52)
+       ("mozjs" ,mozjs-60)
        ("nspr" ,nspr)))
     (propagated-inputs
      `(("glib" ,glib))) ; required by polkit-gobject-1.pc
@@ -101,6 +100,9 @@
        ("gobject-introspection" ,gobject-introspection)))
     (arguments
      `(#:configure-flags '("--sysconfdir=/etc"
+                           ;; XXX: MozJS 60 requires the C++11 ABI or higher.
+                           ;; Remove when the default compiler is >= GCC 6.
+                           "CXXFLAGS=-std=gnu++11"
                            "--enable-man-pages")
        #:phases
        (modify-phases %standard-phases
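Review bot: Passing `"CXXFLAGS=-std=gnu++11"` on the configure command line replaces the default CXXFLAGS instead of appending to it, so the C++ parts of polkit are probably built without the usual autoconf defaults (`-g -O2`). If that is not intended, give the full set: `"CXXFLAGS=-g -O2 -std=gnu++11"`. The comment also speaks of the "C++11 ABI", while the flag selects the language standard; `;; XXX: MozJS 60 requires C++11 or later.` would describe it more accurately. The `arguments` form continues outside this hunk.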