authorPatrick J Volkerding <volkerdi@slackware.com>2022-03-12 20:57:35 +0000
committerEric Hameleers <alien@slackware.com>2022-03-13 13:29:55 +0100
commit477bd290fa9a178a3db0fe07169bcad10037cdcd (patch)
tree34006450b3362b0ac74166b3c53244bd31e92734 /patches
parent9ebdf8edc0f0d06f18a4226b17f9c9cbb7d77cfc (diff)
downloadcurrent-477bd290fa9a178a3db0fe07169bcad10037cdcd.tar.gz
Sat Mar 12 20:57:35 UTC 202220220312205735_15.0
patches/packages/polkit-0.120-x86_64-3_slack15.0.txz: Rebuilt. Patched to fix a security issue where an unprivileged user could cause a denial of service due to process file descriptor exhaustion. Thanks to marav. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4115 (* Security fix *)
Diffstat (limited to 'patches')
-rw-r--r--patches/packages/polkit-0.120-x86_64-3_slack15.0.txt11
-rw-r--r--patches/source/polkit/0001-configure-fix-elogind-support.patch29
-rw-r--r--patches/source/polkit/CVE-2021-4115.patch71
-rw-r--r--patches/source/polkit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch79
-rw-r--r--patches/source/polkit/doinst.sh32
-rw-r--r--patches/source/polkit/dont-set-wheel-group-as-admin.diff10
-rwxr-xr-xpatches/source/polkit/polkit.SlackBuild201
-rw-r--r--patches/source/polkit/slack-desc19
8 files changed, 452 insertions, 0 deletions
diff --git a/patches/packages/polkit-0.120-x86_64-3_slack15.0.txt b/patches/packages/polkit-0.120-x86_64-3_slack15.0.txt
new file mode 100644
index 00000000..3fab4403
--- /dev/null
+++ b/patches/packages/polkit-0.120-x86_64-3_slack15.0.txt
@@ -0,0 +1,11 @@
+polkit: polkit (authentication framework)
+polkit:
+polkit: PolicyKit is an application-level toolkit for defining and handling
+polkit: the policy that allows unprivileged processes to speak to privileged
+polkit: processes. PolicyKit is specifically targeting applications in rich
+polkit: desktop environments on multi-user UNIX-like operating systems.
+polkit:
+polkit: Homepage: http://www.freedesktop.org/wiki/Software/polkit
+polkit:
+polkit:
+polkit:
diff --git a/patches/source/polkit/0001-configure-fix-elogind-support.patch b/patches/source/polkit/0001-configure-fix-elogind-support.patch
new file mode 100644
index 00000000..4c40bd9b
--- /dev/null
+++ b/patches/source/polkit/0001-configure-fix-elogind-support.patch
@@ -0,0 +1,29 @@
+From 08bb656496cd3d6213bbe9473f63f2d4a110da6e Mon Sep 17 00:00:00 2001
+From: Rasmus Thomsen <cogitri@exherbo.org>
+Date: Wed, 11 Apr 2018 13:14:14 +0200
+Subject: [PATCH] configure: fix elogind support
+
+HAVE_LIBSYSTEMD is used to determine which source files to use.
+We have to check if either have_libsystemd or have_libelogind is
+true, as both of these need the source files which are used when
+HAVE_LIBSYSTEMD is true.
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 36df239..da47ecb 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -221,7 +221,7 @@ AS_IF([test "x$cross_compiling" != "xyes" ], [
+
+ AC_SUBST(LIBSYSTEMD_CFLAGS)
+ AC_SUBST(LIBSYSTEMD_LIBS)
+-AM_CONDITIONAL(HAVE_LIBSYSTEMD, [test "$have_libsystemd" = "yes"], [Using libsystemd])
++AM_CONDITIONAL(HAVE_LIBSYSTEMD, [test "$have_libsystemd" = "yes" || test "$have_libelogind" = "yes" ], [Using libsystemd])
+
+ dnl ---------------------------------------------------------------------------
+ dnl - systemd unit / service files
+--
+2.17.0
+
diff --git a/patches/source/polkit/CVE-2021-4115.patch b/patches/source/polkit/CVE-2021-4115.patch
new file mode 100644
index 00000000..3cb55819
--- /dev/null
+++ b/patches/source/polkit/CVE-2021-4115.patch
@@ -0,0 +1,71 @@
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8ed1363..2fbf5f1 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -62,6 +62,10 @@ enum
+ PROP_NAME,
+ };
+
++
++guint8 dbus_call_respond_fails; // has to be global because of callback
++
++
+ static void subject_iface_init (PolkitSubjectIface *subject_iface);
+
+ G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
+@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
+ if (!v)
+ {
+ data->caught_error = TRUE;
++ dbus_call_respond_fails += 1;
+ }
+ else
+ {
+@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ tmp_context = g_main_context_new ();
+ g_main_context_push_thread_default (tmp_context);
+
++ dbus_call_respond_fails = 0;
++
+ /* Do two async calls as it's basically as fast as one sync call.
+ */
+ g_dbus_connection_call (connection,
+@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
+ on_retrieved_unix_uid_pid,
+ &data);
+
+- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+- g_main_context_iteration (tmp_context, TRUE);
++ while (TRUE)
++ {
++ /* If one dbus call returns error, we must wait until the other call
++ * calls _call_finish(), otherwise fd leak is possible.
++ * Resolves: GHSL-2021-077
++ */
+
+- if (data.caught_error)
+- goto out;
++ if ( (dbus_call_respond_fails > 1) )
++ {
++ // we got two faults, we can leave
++ goto out;
++ }
++
++ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
++ {
++ // we got one fault and the other call finally finished, we can leave
++ goto out;
++ }
++
++ if ( !(data.retrieved_uid && data.retrieved_pid) )
++ {
++ g_main_context_iteration (tmp_context, TRUE);
++ }
++ else
++ {
++ break;
++ }
++ }
+
+ if (out_uid)
+ *out_uid = data.uid;
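Review bot: The new counter `guint8 dbus_call_respond_fails;` is a non-static, file-scope global that `polkit_system_bus_name_get_creds_sync` resets to 0 on every call, so two threads resolving credentials at the same time would share and clobber each other's count, and the symbol also gets external linkage. The comment says it has to be global because of the callback, but the callback already receives `&data` as user data and writes `data->caught_error`, so the count can live in that per-call struct, for example `data->failed_calls += 1;` in `on_retrieved_unix_uid_pid` and `if (data.failed_calls > 1)` in the wait loop. The struct definition is outside the hunk, so the new field would have to be added there. If the global is kept, it should at least be declared `static`. As this file is a vendored copy of an upstream patch, the change would belong upstream rather than in this tree.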
diff --git a/patches/source/polkit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch b/patches/source/polkit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch
new file mode 100644
index 00000000..a06300a5
--- /dev/null
+++ b/patches/source/polkit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch
@@ -0,0 +1,79 @@
+From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
+
+---
+ src/programs/pkcheck.c | 5 +++++
+ src/programs/pkexec.c | 23 ++++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index f1bb4e1..768525c 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+ local_agent_handle = NULL;
+ ret = 126;
+
++ if (argc < 1)
++ {
++ exit(126);
++ }
++
+ /* Disable remote file access from GIO. */
+ setenv ("GIO_USE_VFS", "local", 1);
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 7698c5c..84e5ef6 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+ pid_t pid_of_caller;
+ gpointer local_agent_handle;
+
++
++ /*
++ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
++ */
++ if (argc<1)
++ {
++ exit(127);
++ }
++
+ ret = 127;
+ authority = NULL;
+ subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+
+ path = g_strdup (pwstruct.pw_shell);
+ if (!path)
+- {
++ {
+ g_printerr ("No shell configured or error retrieving pw_shell\n");
+ goto out;
+- }
++ }
+ /* If you change this, be sure to change the if (!command_line)
+ case below too */
+ command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+ goto out;
+ }
+ g_free (path);
+- argv[n] = path = s;
++ path = s;
++
++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++ */
++ if (argv[n] != NULL)
++ {
++ argv[n] = path;
++ }
+ }
+ if (access (path, F_OK) != 0)
+ {
+--
+GitLab
+
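Review bot: The `argc<1` guard added at the top of `main` in pkexec.c (and its twin in pkcheck.c) exits without leaving any record, although an empty argv on a helper that normally runs with elevated privileges is almost never legitimate and is worth alerting on. A line such as `syslog (LOG_AUTHPRIV | LOG_WARNING, "pkexec: called with empty argv, refusing to run");` before `exit(127);` would give monitoring something to key on, assuming `<syslog.h>` is already included in that file; the includes are outside the hunk. The comment above the later `if (argv[n] != NULL)` guard is hard to parse and could say plainly that when no program argument was given `argv[n]` is the terminating NULL and must not be overwritten.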
diff --git a/patches/source/polkit/doinst.sh b/patches/source/polkit/doinst.sh
new file mode 100644
index 00000000..3d81307e
--- /dev/null
+++ b/patches/source/polkit/doinst.sh
@@ -0,0 +1,32 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+if [ -r etc/pam.d/polkit-1.new ]; then
+ config etc/pam.d/polkit-1.new
+fi
+
+# Make sure the polkitd user and group exist:
+if ! grep -q "^polkitd:" etc/passwd ; then
+ echo "polkitd:x:87:87:PolicyKit daemon owner:/var/lib/polkit:/bin/false" >> etc/passwd
+fi
+if ! grep -q "^polkitd:" etc/group ; then
+ echo "polkitd:x:87:" >> etc/group
+fi
+
+# Remove obsolete rules:
+rm -f etc/polkit-1/localauthority/50-local.d/*.pkla{,.new}
+rm -f etc/polkit-1/rules.d/*.pkla{,.new}
+
+# Remove obsolete directory:
+rmdir etc/polkit-1/localauthority/50-local.d 2> /dev/null
+rmdir etc/polkit-1/localauthority 2> /dev/null
+
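Review bot: The polkitd account is appended to `etc/passwd` and `etc/group` with the fixed id 87 after checking only that the name is absent, so on a system where another account already holds uid or gid 87 the daemon would end up sharing an identity with it. A check such as `grep -q "^[^:]*:[^:]*:87:" etc/passwd` before the `echo`, printing a warning instead of appending when it matches, would make the collision visible to the admin. In `config()` the expansions of `$NEW` and `$OLD` are unquoted; writing `"$NEW"` and `"$OLD"` keeps the function correct for paths containing spaces or glob characters.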
diff --git a/patches/source/polkit/dont-set-wheel-group-as-admin.diff b/patches/source/polkit/dont-set-wheel-group-as-admin.diff
new file mode 100644
index 00000000..6a86ac28
--- /dev/null
+++ b/patches/source/polkit/dont-set-wheel-group-as-admin.diff
@@ -0,0 +1,10 @@
+diff -Nur polkit-0.112.orig/src/polkitbackend/50-default.rules polkit-0.112/src/polkitbackend/50-default.rules
+--- polkit-0.112.orig/src/polkitbackend/50-default.rules 2013-04-29 12:28:57.000000000 -0500
++++ polkit-0.112/src/polkitbackend/50-default.rules 2015-01-01 23:32:40.154400050 -0600
+@@ -8,5 +8,5 @@
+ // about configuring polkit.
+
+ polkit.addAdminRule(function(action, subject) {
+- return ["unix-group:wheel"];
++ return ["unix-user:root"];
+ });
diff --git a/patches/source/polkit/polkit.SlackBuild b/patches/source/polkit/polkit.SlackBuild
new file mode 100755
index 00000000..abe639fc
--- /dev/null
+++ b/patches/source/polkit/polkit.SlackBuild
@@ -0,0 +1,201 @@
+#!/bin/bash
+
+# Copyright 2009, 2011, 2015 Robby Workman, Northport, Alabama, USA
+# Copyright 2010 Eric Hameleers, Eindhoven, NL
+# Copyright 2009, 2010, 2011, 2012, 2013, 2018, 2020 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+cd $(dirname $0) ; CWD=$(pwd)
+
+PKGNAM=polkit
+VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-3_slack15.0}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i586 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
+# the name of the created package would be, and then exit. This information
+# could be useful to other scripts.
+if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
+ echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz"
+ exit 0
+fi
+
+NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "}
+
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-$PKGNAM
+
+if [ "$ARCH" = "i586" ]; then
+ SLKCFLAGS="-O2 -march=i586 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+rm -rf $PKG
+mkdir -p $TMP $PKG
+cd $TMP
+rm -rf $PKGNAM-$VERSION
+tar xvf $CWD/$PKGNAM-$VERSION.tar.?z || exit 1
+cd $PKGNAM-$VERSION || exit 1
+
+# Make sure ownerships and permissions are sane:
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \+ -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \+
+
+zcat $CWD/dont-set-wheel-group-as-admin.diff.gz | patch -p1 --verbose || exit 1
+zcat $CWD/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.patch.gz | patch -p1 --verbose || exit 1
+zcat $CWD/CVE-2021-4115.patch.gz | patch -p1 --verbose || exit 1
+
+# https://gitlab.freedesktop.org/polkit/polkit/-/issues/29
+zcat $CWD/0001-configure-fix-elogind-support.patch.gz | patch -p1 || exit 1
+
+# If we get here and don't have a polkitd user/group, add one.
+# Otherwise a few directories in the package will have wrong permissions.
+if ! grep -q "^polkitd:" /etc/passwd ; then
+ groupadd -fg 87 polkitd
+ useradd -c "PolicyKit daemon owner" -d /var/lib/polkit -u 87 -g polkitd -s /bin/false polkitd
+fi
+
+# Choose correct options depending on whether PAM is installed:
+if [ -L /lib${LIBDIRSUFFIX}/libpam.so.? ]; then
+ PAM_OPTIONS="--with-authfw=pam --with-pam-module-dir=/lib${LIBDIRSUFFIX}/security"
+ unset SHADOW_OPTIONS
+else
+ unset PAM_OPTIONS
+ SHADOW_OPTIONS="--with-authfw=shadow"
+fi
+
+if [ ! -r configure ]; then
+ if [ -x ./autogen.sh ]; then
+ NOCONFIGURE=1 ./autogen.sh
+ else
+ autoreconf -vif
+ fi
+fi
+
+LIBELOGIND_CFLAGS="$(pkg-config --cflags libelogind)" \
+LIBELOGIND_LIBS="$(pkg-config --libs libelogind)" \
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --docdir=/usr/doc/$PKGNAM-$VERSION \
+ --enable-man-pages \
+ --enable-gtk-doc \
+ --mandir=/usr/man \
+ --disable-static \
+ --disable-examples \
+ --enable-introspection \
+ --enable-libsystemd-login=no \
+ --enable-libelogind=yes \
+ $PAM_OPTIONS \
+ $SHADOW_OPTIONS \
+ --enable-verbose-mode \
+ --with-os-type=Slackware \
+ --build=$ARCH-slackware-linux || exit 1
+
+# Build and install:
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+
+# Don't ship .la files:
+rm -f $PKG/{,usr/}lib${LIBDIRSUFFIX}/*.la
+
+# Create homedir for polkit. This is mentioned in /etc/passwd, but isn't
+# actually used for anything later. Perms don't matter.
+mkdir -p $PKG/var/lib/polkit
+
+# Move dbus configs to system location:
+mkdir -p $PKG/usr/share/dbus-1/system.d/
+mv $PKG/etc/dbus-1/system.d/* $PKG/usr/share/dbus-1/system.d/
+rmdir --parents $PKG/etc/dbus-1/system.d/
+
+# Leave the /etc/polkit-1/rules.d/ dir in place, but move the config(s)
+mv $PKG/etc/polkit-1/rules.d/* $PKG/usr/share/polkit-1/rules.d/
+
+if [ ! -z "$PAM_OPTIONS" ]; then
+ # Make the PAM file .new:
+ mv $PKG/etc/pam.d/polkit-1 $PKG/etc/pam.d/polkit-1.new
+fi
+
+# Strip binaries:
+find $PKG | xargs file | grep -e "executable" -e "shared object" \
+ | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+# Compress and link manpages, if any:
+if [ -d $PKG/usr/man ]; then
+ ( cd $PKG/usr/man
+ for manpagedir in $(find . -type d -name "man*") ; do
+ ( cd $manpagedir
+ for eachpage in $( find . -type l -maxdepth 1) ; do
+ ln -s $( readlink $eachpage ).gz $eachpage.gz
+ rm $eachpage
+ done
+ gzip -9 *.*
+ )
+ done
+ )
+fi
+
+# Add a documentation directory:
+mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION
+cp -a \
+ AUTHORS COPYING HACKING INSTALL NEWS README \
+ $PKG/usr/doc/$PKGNAM-$VERSION
+( cd $PKG/usr/doc/$PKGNAM-$VERSION; ln -s ../../share/gtk-doc/html/polkit-1 html )
+
+# If there's a ChangeLog, installing at least part of the recent history
+# is useful, but don't let it get totally out of control:
+if [ -r ChangeLog ]; then
+ DOCSDIR=$(echo $PKG/usr/doc/*-$VERSION)
+ cat ChangeLog | head -n 1000 > $DOCSDIR/ChangeLog
+ touch -r ChangeLog $DOCSDIR/ChangeLog
+fi
+
+mkdir -p $PKG/install
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/$PKGNAM-$VERSION-$ARCH-$BUILD.txz
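Review bot: The `zcat $CWD/….gz | patch -p1 --verbose || exit 1` lines test only the exit status of `patch`, so a missing or unreadable `.gz` makes `zcat` fail while `patch` reads empty input, which GNU patch, as far as I know, treats as nothing to do and exits 0. The build would then continue and produce a package without the CVE fixes, with no error. Adding `set -o pipefail` once, before the `cd $(dirname $0) ; CWD=$(pwd)` line, makes the existing `|| exit 1` catch the `zcat` failure as well; the other pipelines in the script do not test their status, so they are unaffected. This is easy to hit from this tree, because the commit adds the patches uncompressed (for example `CVE-2021-4115.patch`) while the script reads `CVE-2021-4115.patch.gz`.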
diff --git a/patches/source/polkit/slack-desc b/patches/source/polkit/slack-desc
new file mode 100644
index 00000000..5eb518d6
--- /dev/null
+++ b/patches/source/polkit/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler-----------------------------------------------------|
+polkit: polkit (authentication framework)
+polkit:
+polkit: PolicyKit is an application-level toolkit for defining and handling
+polkit: the policy that allows unprivileged processes to speak to privileged
+polkit: processes. PolicyKit is specifically targeting applications in rich
+polkit: desktop environments on multi-user UNIX-like operating systems.
+polkit:
+polkit: Homepage: http://www.freedesktop.org/wiki/Software/polkit
+polkit:
+polkit:
+polkit: