!35 Fix CVE-2021-4115

From: @panxh_purple 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001

Port-polkit-to-mozjs78.patch

@@ -0,0 +1,103 @@
+From 3e1d61868fa8bfc586099302e931433270e5d17d Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 25 Aug 2020 16:38:34 +0000
+Subject: [PATCH] Port polkit to mozjs78
+
+---
+ configure.ac                                   |  4 ++--
+ src/polkitbackend/polkitbackendjsauthority.cpp | 15 ++++++---------
+ 2 files changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index eea70fc..c4569f1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -34,7 +34,7 @@ AC_PROG_LN_S
+ AC_SYS_LARGEFILE
+ AM_PROG_CC_C_O
+ AC_PROG_CXX
+-AX_CXX_COMPILE_STDCXX([14], [], [mandatory])
++AX_CXX_COMPILE_STDCXX([17], [], [mandatory])
+ 
+ # Taken from dbus
+ AC_ARG_ENABLE(ansi,             [  --enable-ansi           enable -ansi -pedantic gcc flags],enable_ansi=$enableval,enable_ansi=no)
+@@ -80,7 +80,7 @@ PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
+ AC_SUBST(GLIB_CFLAGS)
+ AC_SUBST(GLIB_LIBS)
+ 
+-PKG_CHECK_MODULES(LIBJS, [mozjs-68])
++PKG_CHECK_MODULES(LIBJS, [mozjs-78])
+ 
+ AC_SUBST(LIBJS_CFLAGS)
+ AC_SUBST(LIBJS_CXXFLAGS)
+diff --git a/src/polkitbackend/polkitbackendjsauthority.cpp b/src/polkitbackend/polkitbackendjsauthority.cpp
+index 25bd1f9..ca17108 100644
+--- a/src/polkitbackend/polkitbackendjsauthority.cpp
++++ b/src/polkitbackend/polkitbackendjsauthority.cpp
+@@ -49,6 +49,7 @@
+ #include <js/Realm.h>
+ #include <js/SourceText.h>
+ #include <js/Warnings.h>
++#include <js/Array.h>
+ #include <jsapi.h>
+ 
+ #include "initjs.h" /* init.js */
+@@ -367,7 +368,7 @@ load_scripts (PolkitBackendJsAuthority  *authority)
+ static void
+ reload_scripts (PolkitBackendJsAuthority *authority)
+ {
+-  JS::AutoValueArray<1> args(authority->priv->cx);
++  JS::RootedValueArray<1> args(authority->priv->cx);
+   JS::RootedValue rval(authority->priv->cx);
+ 
+   JS::RootedObject js_polkit(authority->priv->cx, authority->priv->js_polkit->get ());
+@@ -482,10 +483,6 @@ polkit_backend_js_authority_constructed (GObject *object)
+   if (!JS::InitSelfHostedCode (authority->priv->cx))
+     goto fail;
+ 
+-  JS::ContextOptionsRef (authority->priv->cx)
+-      .setIon (TRUE)
+-      .setBaseline (TRUE)
+-      .setAsmJS (TRUE);
+   JS::SetWarningReporter(authority->priv->cx, report_error);
+   JS_SetContextPrivate (authority->priv->cx, authority);
+ 
+@@ -720,7 +717,7 @@ set_property_strv (PolkitBackendJsAuthority  *authority,
+         elems[n].setNull ();
+     }
+ 
+-  JS::RootedObject array_object(authority->priv->cx, JS_NewArrayObject (authority->priv->cx, elems));
++  JS::RootedObject array_object(authority->priv->cx, JS::NewArrayObject (authority->priv->cx, elems));
+ 
+   value_jsval = JS::ObjectValue (*array_object);
+   JS_SetProperty (authority->priv->cx, obj, name, value_jsval);
+@@ -1114,7 +1111,7 @@ polkit_backend_js_authority_get_admin_auth_identities (PolkitBackendInteractiveA
+ {
+   PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
+   GList *ret = NULL;
+-  JS::AutoValueArray<2> args(authority->priv->cx);
++  JS::RootedValueArray<2> args(authority->priv->cx);
+   JS::RootedValue rval(authority->priv->cx);
+   guint n;
+   GError *error = NULL;
+@@ -1218,7 +1215,7 @@ polkit_backend_js_authority_check_authorization_sync (PolkitBackendInteractiveAu
+ {
+   PolkitBackendJsAuthority *authority = POLKIT_BACKEND_JS_AUTHORITY (_authority);
+   PolkitImplicitAuthorization ret = implicit;
+-  JS::AutoValueArray<2> args(authority->priv->cx);
++  JS::RootedValueArray<2> args(authority->priv->cx);
+   JS::RootedValue rval(authority->priv->cx);
+   GError *error = NULL;
+   JS::RootedString ret_jsstr (authority->priv->cx);
+@@ -1409,7 +1406,7 @@ js_polkit_spawn (JSContext  *cx,
+   JS::CallArgs args = JS::CallArgsFromVp (js_argc, vp);
+   array_object = &args[0].toObject();
+ 
+-  if (!JS_GetArrayLength (cx, array_object, &array_len))
++  if (!JS::GetArrayLength (cx, array_object, &array_len))
+     {
+       JS_ReportErrorUTF8 (cx, "Failed to get array length");
+       goto out;
+-- 
+1.8.3.1
+

backport-CVE-2021-3560.patch

@@ -0,0 +1,27 @@
+From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Wed, 2 Jun 2021 15:43:38 +0200
+Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit
+
+initial values returned if error caught
+---
+ src/polkit/polkitsystembusname.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8daa12c..8ed1363 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+   while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+     g_main_context_iteration (tmp_context, TRUE);
+ 
++  if (data.caught_error)
++    goto out;
++
+   if (out_uid)
+     *out_uid = data.uid;
+   if (out_pid)
+-- 
+GitLab
+

backport-CVE-2021-4034.patch

@@ -0,0 +1,79 @@
+From a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Tue, 25 Jan 2022 17:21:46 +0000
+Subject: [PATCH] pkexec: local privilege escalation (CVE-2021-4034)
+
+---
+ src/programs/pkcheck.c |  5 +++++
+ src/programs/pkexec.c  | 23 ++++++++++++++++++++---
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index f1bb4e1..768525c 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+   local_agent_handle = NULL;
+   ret = 126;
+ 
++  if (argc < 1)
++    {
++      exit(126);
++    }
++
+   /* Disable remote file access from GIO. */
+   setenv ("GIO_USE_VFS", "local", 1);
+ 
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 7698c5c..84e5ef6 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+   pid_t pid_of_caller;
+   gpointer local_agent_handle;
+ 
++
++  /*
++   * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
++   */
++  if (argc<1)
++    {
++      exit(127);
++    }
++
+   ret = 127;
+   authority = NULL;
+   subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+ 
+       path = g_strdup (pwstruct.pw_shell);
+       if (!path)
+-	{
++        {
+           g_printerr ("No shell configured or error retrieving pw_shell\n");
+           goto out;
+-	}
++        }
+       /* If you change this, be sure to change the if (!command_line)
+ 	 case below too */
+       command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+           goto out;
+         }
+       g_free (path);
+-      argv[n] = path = s;
++      path = s;
++
++      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++       */
++      if (argv[n] != NULL)
++      {
++        argv[n] = path;
++      }
+     }
+   if (access (path, F_OK) != 0)
+     {
+-- 
+1.8.3.1
+

backport-CVE-2021-4115-GHSL-2021-077-fix.patch

@@ -0,0 +1,83 @@
+From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Mon, 21 Feb 2022 08:29:05 +0000
+Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix
+
+---
+ src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 8ed1363..2fbf5f1 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -62,6 +62,10 @@ enum
+   PROP_NAME,
+ };
+ 
++
++guint8 dbus_call_respond_fails;      // has to be global because of callback
++
++
+ static void subject_iface_init (PolkitSubjectIface *subject_iface);
+ 
+ G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
+@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject              *src,
+   if (!v)
+     {
+       data->caught_error = TRUE;
++      dbus_call_respond_fails += 1;
+     }
+   else
+     {
+@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+   tmp_context = g_main_context_new ();
+   g_main_context_push_thread_default (tmp_context);
+ 
++  dbus_call_respond_fails = 0;
++
+   /* Do two async calls as it's basically as fast as one sync call.
+    */
+   g_dbus_connection_call (connection,
+@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
+ 			  on_retrieved_unix_uid_pid,
+ 			  &data);
+ 
+-  while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
+-    g_main_context_iteration (tmp_context, TRUE);
++  while (TRUE)
++  {
++    /* If one dbus call returns error, we must wait until the other call
++     * calls _call_finish(), otherwise fd leak is possible.
++     * Resolves: GHSL-2021-077
++    */
+ 
+-  if (data.caught_error)
+-    goto out;
++    if ( (dbus_call_respond_fails > 1) )
++    {
++      // we got two faults, we can leave
++      goto out;
++    }
++
++    if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
++    {
++      // we got one fault and the other call finally finished, we can leave
++      goto out;
++    }
++
++    if ( !(data.retrieved_uid && data.retrieved_pid) )
++    {
++      g_main_context_iteration (tmp_context, TRUE);
++    }
++    else
++    {
++      break;
++    }
++  }
+ 
+   if (out_uid)
+     *out_uid = data.uid;
+-- 
+1.8.3.1
+

polkit.spec

@@ -1,17 +1,22 @@
 Name:             polkit
 Version:          0.116
-Release:          4
+Release:          10
 Summary:          Define and Handle authorizations tool
-License:          LGPLv2+
+License:          LGPLv2+ and Apache 2.0
 URL:              http://www.freedesktop.org/wiki/Software/polkit
 Source0:          http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
 Source1:          http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign
 Source2:          10-shutdown.rules
 
-Patch9000:        modify-admin-authorization-from-wheel-group-to-root.patch
+Patch0:           modify-admin-authorization-from-wheel-group-to-root.patch
+Patch1:           backport-CVE-2021-3560.patch
+Patch2:           Port-JavaScript-authority-to-mozjs-68.patch
+Patch3:           Port-polkit-to-mozjs78.patch
+Patch4:           backport-CVE-2021-4034.patch
+Patch5:           backport-CVE-2021-4115-GHSL-2021-077-fix.patch
 
 BuildRequires:    gcc-c++ glib2-devel >= 2.30.0 expat-devel pam-devel gtk-doc intltool
-BuildRequires:    gobject-introspection-devel systemd systemd-devel pkgconfig(mozjs-60)
+BuildRequires:    gobject-introspection-devel systemd systemd-devel pkgconfig(mozjs-78)
 BuildRequires:    libxslt autoconf automake libtool
 Requires:         dbus polkit-pkla-compat
 Requires:         %{name}-libs%{?_isa} = %{version}-%{release}
@@ -127,6 +132,21 @@ exit 0
 %{_datadir}/man/man8/*
 
 %changelog
+* Sat Mar 5 2022 panxiaohe <panxh.life@foxmail.com> - 0.116-10
+- Fix CVE-2021-4115
+
+* Wed Jan 26 2022 panxiaohe <panxiaohe@huawei.com> - 0.116-9
+- Fix CVE-2021-4034
+
+* Tue Jun 22 2021 Hugel <gengqihu1@huawei.com> - 0.116-8
+- Port polkit to mozjs78
+
+* Tue Jun 15 2021 panxiaohe <panxiaohe@huawei.com> - 0.116-7
+- Fix CVE-2021-3560
+
+* Tue Feb 9 2021 Steven Y.Gui <steven_ygui@163.com> - 0.116-6
+- Rebuild with new version number
+
 * Sun Sep 29 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.116-4
 - Add libs