From ed8b418f1341cf7fc576f6b17de5c6dd4017e034 Mon Sep 17 00:00:00 2001
From: "Jeremy A. Puhlman"
Date: Thu, 27 Jan 2022 00:01:27 +0000
Subject: [PATCH] CVE-2021-4034: Local privilege escalation in pkexec due to incorrect handling of argument vector
Upstream-Status: Backport https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
CVE: CVE-2021-4034
Signed-off-by: Jeremy A. Puhlman
---
 src/programs/pkcheck.c | 6 ++++++
 src/programs/pkexec.c | 21 ++++++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
index f1bb4e1..aff4f60 100644
--- a/src/programs/pkcheck.c
+++ b/src/programs/pkcheck.c
@@ -363,6 +363,12 @@ main (int argc, char *argv[])
 local_agent_handle = NULL;
 ret = 126;
+ if (argc < 1)
+ {
+ help();
+ exit(1);
+ }
+
 /* Disable remote file access from GIO. */
 setenv ("GIO_USE_VFS", "local", 1);
diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
index 7698c5c..3ff4c58 100644
--- a/src/programs/pkexec.c
+++ b/src/programs/pkexec.c
@@ -488,6 +488,17 @@ main (int argc, char *argv[])
 pid_t pid_of_caller;
 gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called wrong, just show help and bail out.
+ */
+ if (argc<1)
+ {
+ clearenv();
+ usage(argc, argv);
+ exit(1);
+ }
+
 ret = 127;
 authority = NULL;
 subject = NULL;
@@ -636,7 +647,15 @@ main (int argc, char *argv[])
 goto out;
 }
 g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
 }
 if (access (path, F_OK) != 0)
 {
-- 
2.26.2
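Review bot: The new early exit in pkcheck's main() returns `exit(1)` even though the context line directly above it sets `ret = 126`, so an empty argument vector gets a different status from the failure default the function has just set. If 126 is the intended generic failure code, `exit (ret);` keeps the two consistent. The block also has no comment, unlike its pkexec counterpart; something like `/* argc is 0 when the caller passes an empty argv to execve(); argv[0] is then NULL. */` would explain why the test exists. main() starts and ends outside this hunk, so whether help() touches argv or the program name could not be checked here.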
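Review bot: `usage(argc, argv);` is called on the one path where argv holds nothing but its NULL terminator, so any use of argv[0] inside usage() would dereference NULL in a setuid program. The body of usage() is outside this hunk and needs checking before relying on it. Printing a fixed string, or exiting straight after `clearenv();`, removes that dependency. The comment "called wrong" is also vague; `/* argc == 0: argv[0] is NULL, and code below that starts indexing at 1 would run past the terminator. */` states the actual condition being rejected.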
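Review bot: The guard `if (argv[n] != NULL)` uses the terminator as a sentinel, which is only a valid read while n is at most argc. This hunk does not show how n is bounded, so the write protection appears to depend on the separate `argc<1` check added at the top of main(). A bounds test against argc, for example `if (n < argc)` with whatever cast n's declared type needs, would make the block safe on its own. The comment is also hard to parse; consider `/* With argc < 2 pkexec runs only the shell and argv[n] is the NULL terminator: never overwrite it. */`. The enclosing block begins before the hunk, so the origin of `s` and the earlier use of `path` could not be reviewed.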