Bug 794052 (CVE-2021-3560)

Summary:	<sys-auth/polkit-0.119: local privilege escalation using polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)
Product:	Gentoo Security	Reporter:	Hank Leininger <hlein>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	allenwebb, atoth, bertrand, freedesktop-bugs, jeff.gazso, sam
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified	Flags:	nattka: sanity-check-
Hardware:	All
OS:	Linux
URL:	https://marc.info/?l=oss-security&m=162272940507612&w=4
See Also:	https://github.com/gentoo/gentoo/pull/25494
Whiteboard:	B1 [glsa+ cve]
Package list:	sys-auth/polkit-0.119-r2	Runtime testing required:	---
Bug Depends on:	832075
Bug Blocks:

Description Hank Leininger 2021-06-03 16:07:11 UTC

From $URL:

"The vulnerability can be reliably used by an unprivileged local attacker
to bypass authorization and escalate permissions up to the root user."

There is a polkit issue URL, https://gitlab.freedesktop.org/polkit/polkit/-/issues/140, but that 404's.

polkit-0.119 was released an hour ago w/a fix.

Comment 1 Sam James archtester

2021-06-03 16:30:43 UTC

Thank you!

Comment 2 Hank Leininger 2021-06-03 16:59:54 UTC

(In reply to Sam James from comment #1)
> Thank you!

Welcome! I beat you for once, 9 times out of 10 when I check on a new vuln you've already created a bug for it ;)

Comment 3 Larry the Git Cow gentoo-dev

2021-06-03 17:57:45 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24b2771a8a9c131fbe598b9725f3e9e61247f131

commit 24b2771a8a9c131fbe598b9725f3e9e61247f131
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-06-03 17:56:58 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-06-03 17:57:39 +0000

    sys-auth/polkit: Security bump to version 0.119
    
    Bug: https://bugs.gentoo.org/794052
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-auth/polkit/Manifest            |   1 +
 sys-auth/polkit/polkit-0.119.ebuild | 131 ++++++++++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+)

Comment 4 John Helmert III archtester

2021-06-03 18:26:53 UTC

No, this isn't fixed yet.

Comment 5 Sam James archtester

2021-06-03 19:57:03 UTC

amd64 done

Comment 6 Sam James archtester

2021-06-03 19:57:29 UTC

x86 done

Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev

2021-06-07 07:09:03 UTC

ppc64 stable

Comment 8 NATTkA bot gentoo-dev

2021-06-24 23:28:23 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: sys-auth/polkit-0.119

Comment 9 NATTkA bot gentoo-dev

2021-06-27 02:12:23 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: sys-auth/polkit-0.119-r1

Comment 10 Sam James archtester

2021-07-12 06:37:24 UTC

arm done

Comment 11 Sam James archtester

2021-07-12 21:56:05 UTC

arm64 done

all arches done

Comment 12 John Helmert III archtester

2021-07-13 00:14:30 UTC

Please cleanup.

Comment 13 John Helmert III archtester

2021-07-13 00:16:41 UTC

GLSA request filed.

Comment 14 GLSAMaker/CVETool Bot gentoo-dev

2021-07-13 02:33:07 UTC

This issue was resolved and addressed in
 GLSA 202107-31 at https://security.gentoo.org/glsa/202107-31
by GLSA coordinator John Helmert III (ajak).

Comment 15 John Helmert III archtester

2021-07-13 02:35:39 UTC

Reopening for cleanup

Comment 16 Larry the Git Cow gentoo-dev

2022-01-26 00:51:25 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77e50819c7c7c22dee5ee6b2e7538b3cfff789af

commit 77e50819c7c7c22dee5ee6b2e7538b3cfff789af
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-26 00:50:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-26 00:51:00 +0000

    sys-auth/polkit: backport CVE-2021-3560, CVE-2021-4043 patches to 0.117
    
    Needed for non-Rust arches like sparc.
    
    (Most users are on 0.120 and already fixed in previous commits.)
    
    Bug: https://bugs.gentoo.org/794052
    Bug: https://bugs.gentoo.org/832057
    Signed-off-by: Sam James <sam@gentoo.org>

 .../polkit/files/polkit-0.117-CVE-2021-3560.patch  |  29 +++++
 sys-auth/polkit/polkit-0.117-r3.ebuild             | 136 +++++++++++++++++++++
 2 files changed, 165 insertions(+)

Comment 17 NATTkA bot gentoo-dev

2022-02-05 20:48:47 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: sys-auth/polkit-0.119-r2

Comment 18 Andreas Sturmlechner gentoo-dev

2022-02-05 20:52:14 UTC

Err... cleanup done in c0502be50e13cb62efd5c5fbb3e2cac255490e15.

Comment 19 NATTkA bot gentoo-dev

2022-02-05 20:57:22 UTC

Unable to check for sanity:

> no match for package: sys-auth/polkit-0.119-r2

Comment 20 Larry the Git Cow gentoo-dev

2022-05-15 22:12:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76caeda5c0ae4a7045d321f32ef95e31722434dd

commit 76caeda5c0ae4a7045d321f32ef95e31722434dd
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-05-15 05:17:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-05-15 22:09:39 +0000

    sys-auth/polkit: drop 0.117-r3, 0.120-r3
    
    Bug: https://bugs.gentoo.org/794052
    Bug: https://bugs.gentoo.org/833574
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-auth/polkit/Manifest                           |   2 -
 sys-auth/polkit/files/polkit-0.115-elogind.patch   |  28 ---
 .../polkit/files/polkit-0.117-CVE-2021-3560.patch  |  29 ---
 ...lkit-0.118-make-netgroup-support-optional.patch | 248 ---------------------
 .../polkit/files/polkit-0.120-CVE-2021-4034.patch  |  72 ------
 .../polkit/files/polkit-0.120-CVE-2021-4115.patch  |  78 -------
 sys-auth/polkit/metadata.xml                       |   1 -
 sys-auth/polkit/polkit-0.117-r3.ebuild             | 136 -----------
 sys-auth/polkit/polkit-0.120-r3.ebuild             | 123 ----------
 9 files changed, 717 deletions(-)