Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 661470 (CVE-2018-1116) - <sys-auth/polkit-0.115: local information disclosure and denial of service caused by trusting client-submitted UIDs when referencing processes (CVE-2018-1116)
Summary: <sys-auth/polkit-0.115: local information disclosure and denial of service ca...
Status: RESOLVED FIXED
Alias: CVE-2018-1116
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://lists.freedesktop.org/archive...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: 646998 660880 663620 666732
Blocks: CVE-2018-19788 682158 gnome-3.30-stable 685748
  Show dependency tree
 
Reported: 2018-07-18 08:02 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified: 2019-08-15 15:55 UTC (History)
5 users (show)

See Also:
Package list:
sys-auth/polkit-0.115-r3 gnome-extra/polkit-gnome-0.105-r1 arm64 dev-lang/spidermonkey-52.9.1_pre1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
tatt-tests (useflags + rdeps, ppc64) (polkit-661470.report,3.69 KB, text/plain)
2019-01-28 21:54 UTC, ernsteiswuerfel
no flags Details
tatt-tests (useflags + rdeps, ppc) (polkit-661470.report,3.61 KB, text/plain)
2019-01-29 01:04 UTC, ernsteiswuerfel
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-07-18 08:02:11 UTC
From URL:

Highlights:
 Fixes CVE-2018-1116, a local information disclosure and denial of service
 caused by trusting client-submitted UIDs when referencing processes.
 Thanks to Matthias Gerstner of the SUSE security team for reporting
 this issue.


=sys-auth/polkit-0.115 is already in the tree but p.masked becasue it requires dev-lang/spidermonkey:52 which is p.masked as well.
Comment 1 Mateusz Lenik 2018-07-29 20:34:34 UTC
FYI this version breaks libvirt and possibly other tools:

$ virsh list
error: failed to connect to the hypervisor
error: error from service: CheckAuthorization: Failed to open file “/proc/23102/status”: No such file or directory

After tracing open syscall it becomes obvious the issue is caused by polkit:
PID    COMM               FD ERR PATH
2975   polkitd            -1   2 /proc/22072/status

Rule that works with <sys-auth/polkit-0.115 is:
polkit.addRule(function(action, subject) {
  polkit.log(action);
  if (action.id == "org.libvirt.unix.manage" && subject.isInGroup("kvm")) {
    return polkit.Result.YES;
  }
});
Comment 2 Mateusz Lenik 2018-07-29 23:07:27 UTC
I was able to find out the cause of this: this was obviously a misconfiguration.

Some time ago I configured mounting proc with hidepids=2, which prevents polkitd from accessing entries for processes of other users as polkit is not running as root. Sorry for the mixup
Comment 3 Guillaume Castagnino 2018-07-30 20:45:36 UTC
(In reply to Mateusz Lenik from comment #2)
> I was able to find out the cause of this: this was obviously a
> misconfiguration.
> 
> Some time ago I configured mounting proc with hidepids=2, which prevents
> polkitd from accessing entries for processes of other users as polkit is not
> running as root. Sorry for the mixup

I have this too. This is a standard kernel option (and this is a very basic option for hardening), and polkit should handle it. It was before. So it’s a real regression.
Comment 4 Guillaume Castagnino 2018-07-30 20:58:45 UTC
(In reply to Guillaume Castagnino from comment #3)
> (In reply to Mateusz Lenik from comment #2)
> > I was able to find out the cause of this: this was obviously a
> > misconfiguration.
> > 
> > Some time ago I configured mounting proc with hidepids=2, which prevents
> > polkitd from accessing entries for processes of other users as polkit is not
> > running as root. Sorry for the mixup
> 
> I have this too. This is a standard kernel option (and this is a very basic
> option for hardening), and polkit should handle it. It was before. So it’s a
> real regression.

A workaround would be to add "gid=polkitd" tou mount options to allow to keep hidepid=2. But this definitely deserves some care in polkit ebuild at least no issue some notice.
Comment 5 Ian Stakenvicius (RETIRED) gentoo-dev 2018-09-28 20:02:03 UTC
Please stabilize spidermonkey alongside polkit as necessary.
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-15 13:14:18 UTC
amd64 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-15 15:51:20 UTC
x86 stable
Comment 8 Matt Turner gentoo-dev 2018-11-15 22:02:49 UTC
How are we stabilizing this version of spidermonkey when it has this many serious outstanding bugs?

Doesn't configure : Bug 663620
Doesn't build     : Bug 666732
Doesn't pass tests: Bug 661956
Doesn't run       : Bug 667250

The newly stabilized version doesn't build for me on amd64 in exactly the same was as described in 666732.

We should revert the stabilizations. And WTF, we don't even have mozilla@ Cc'd?
Comment 9 Matt Turner gentoo-dev 2018-11-15 22:11:01 UTC
On top of that we already had a blocking bug (646998) that should have prevented this from showing up in tatt/getatoms.py.
Comment 10 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-11-16 07:58:26 UTC
No need to CC people who are in mozilla alias as well...
Comment 11 Ortwin Glueck 2018-11-16 08:30:13 UTC
I wonder whether one could make the dependency on spidermonkey optional (USE flag). It's a large codebase and build/dependency/slotting problems with it are extremely likely (I think I remember lots of problems with it in the past).
Comment 12 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-11-16 11:16:14 UTC
(In reply to Ortwin Glueck from comment #11)
> I wonder whether one could make the dependency on spidermonkey optional (USE
> flag). It's a large codebase and build/dependency/slotting problems with it
> are extremely likely (I think I remember lots of problems with it in the
> past).

No, it's a hard dependency since polkit-114:

https://cgit.freedesktop.org/polkit/tree/configure.ac#n81
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-16 13:00:28 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #10)
> No need to CC people who are in mozilla alias as well...

And security alias as well ;)
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-11-16 13:18:52 UTC
(In reply to Matt Turner from comment #8)
> How are we stabilizing this version of spidermonkey when it has this many
> serious outstanding bugs?
> 
> Doesn't configure : Bug 663620
> Doesn't build     : Bug 666732
> Doesn't pass tests: Bug 661956
> Doesn't run       : Bug 667250
> 
> The newly stabilized version doesn't build for me on amd64 in exactly the
> same was as described in 666732.
> 
> We should revert the stabilizations. And WTF, we don't even have mozilla@
> Cc'd?

the bugs you referenced are arch specific alpha/arm/arm64 and one ~amd64 tests failure I can not reproduce in my clear stable env. so no, stabilization should not be reverted unless the problem relate to either amd64 and x86
Comment 15 Matt Turner gentoo-dev 2018-11-16 17:31:31 UTC
(In reply to Mikle Kolyada from comment #14)
> (In reply to Matt Turner from comment #8)
> > How are we stabilizing this version of spidermonkey when it has this many
> > serious outstanding bugs?
> > 
> > Doesn't configure : Bug 663620
> > Doesn't build     : Bug 666732
> > Doesn't pass tests: Bug 661956
> > Doesn't run       : Bug 667250
> > 
> > The newly stabilized version doesn't build for me on amd64 in exactly the
> > same was as described in 666732.
> > 
> > We should revert the stabilizations. And WTF, we don't even have mozilla@
> > Cc'd?
> 
> the bugs you referenced are arch specific alpha/arm/arm64 and one ~amd64
> tests failure I can not reproduce in my clear stable env. so no,
> stabilization should not be reverted unless the problem relate to either
> amd64 and x86

Yes, as I said it fails to configure for me on amd64.
Comment 16 Miroslaw Mieszczak 2018-11-21 09:32:07 UTC
(In reply to Mateusz Lenik from comment #1)

After installation of polkit-0.115-p1 I also experience this bug in NetworkManager. As result I cannot connect/disconnect into/from any network.
Comment 17 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2018-11-21 09:41:40 UTC
Please stop spamming this bug with new polkit-0.115 issues but file new bugs against the package instead.
Comment 18 Mike Gilbert gentoo-dev 2018-12-06 23:21:26 UTC
We should probably switch stabilization to bug 672578, but I will leave that to the security team to execute.
Comment 19 Aaron Bauman (RETIRED) gentoo-dev 2018-12-08 03:12:15 UTC
@arches, re-adding all arches due to new target package.
Comment 20 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-12-12 16:21:19 UTC
amd64 stable
Comment 21 Thomas Deutschmann (RETIRED) gentoo-dev 2018-12-13 12:53:20 UTC
x86 stable
Comment 22 Markus Meier gentoo-dev 2019-01-02 12:15:04 UTC
arm stable
Comment 23 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-04 22:40:34 UTC
s390 stable
Comment 24 ernsteiswuerfel archtester 2019-01-28 21:54:15 UTC
Created attachment 563146 [details]
tatt-tests (useflags + rdeps, ppc64)

Looking good on ppc64.

spidermonkey-52.9.1_pre1 fails tests (bug #675348).
Comment 25 ernsteiswuerfel archtester 2019-01-29 01:04:46 UTC
Created attachment 563158 [details]
tatt-tests (useflags + rdeps, ppc)

Looking good on ppc.

rdep dev-libs/gjs-1.48.7 fails tests (bug #676674).
Comment 26 Sergei Trofimovich (RETIRED) gentoo-dev 2019-02-17 17:49:42 UTC
ppc/ppc64 stable thanks to ernsteiswuerfel!
Comment 27 Andreas Sturmlechner gentoo-dev 2019-04-20 09:05:53 UTC
Bumping target to sys-auth/polkit-0.115-r3, adding arm64 which is needed for initial elogind stabilisation.
Comment 28 Andreas Sturmlechner gentoo-dev 2019-04-20 09:49:09 UTC
gnome-extra/polkit-gnome-0.105-r1 arm64 is required for sys-auth/polkit[gtk].
Comment 29 Aaron Bauman (RETIRED) gentoo-dev 2019-04-20 22:31:10 UTC
arm64 stable.
Comment 30 Aaron Bauman (RETIRED) gentoo-dev 2019-05-05 00:36:43 UTC
Waiting on final arches...
Comment 31 Larry the Git Cow gentoo-dev 2019-05-06 15:25:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac67dcaed322a88fe2ba459dd5857c468430012d

commit ac67dcaed322a88fe2ba459dd5857c468430012d
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-05-06 15:24:46 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-05-06 15:24:46 +0000

    sys-auth/polkit-0.115-r3: alpha stable
    
    Bug: http://bugs.gentoo.org/661470
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 sys-auth/polkit/polkit-0.115-r3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=262f0c1066eeb2d5ed63126cbb85e6f332e3560f

commit 262f0c1066eeb2d5ed63126cbb85e6f332e3560f
Author:     Tobias Klausmann <klausman@gentoo.org>
AuthorDate: 2019-05-06 15:24:46 +0000
Commit:     Tobias Klausmann <klausman@gentoo.org>
CommitDate: 2019-05-06 15:24:46 +0000

    dev-lang/spidermonkey-52.9.1_pre1-r0: alpha stable
    
    Bug: http://bugs.gentoo.org/661470
    Signed-off-by: Tobias Klausmann <klausman@gentoo.org>

 dev-lang/spidermonkey/spidermonkey-52.9.1_pre1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 32 Matt Turner gentoo-dev 2019-05-07 21:53:25 UTC
ia64 stable
Comment 33 Rolf Eike Beer archtester 2019-06-04 20:30:53 UTC
sparc stable
Comment 34 Andreas Sturmlechner gentoo-dev 2019-06-09 11:39:47 UTC
hppa timeout, cleaned up vulnerable in 39b7c2d3a288642b41a319357d4452b3b2e6cb23.
Comment 35 Matt Turner gentoo-dev 2019-06-29 16:48:53 UTC
security@: ping
Comment 36 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:55:45 UTC
This issue was resolved and addressed in
 GLSA 201908-14 at https://security.gentoo.org/glsa/201908-14
by GLSA coordinator Aaron Bauman (b-man).