[dunfell] polkit: fix overlapping changes in recent CVE patches

Message ID 20220406181739.1403657-1-ralph.siemsen@linaro.org
State Accepted, archived
Delegated to: Armin Kuster

Commit Message

Ralph Siemsen April 6, 2022, 6:17 p.m. UTC
Commit 17e931e77 ("polkit: fix CVE-2021-3560") contains
- upstream commit a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81

Commit 67ec3e049 ("polkit: Fix for CVE-2021-4115") contains both:
- upstream commit a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 (CVE-2021-3560)
- upstream commit 41cb093f554da8772362654a128a84dd8a5542a7 (CVE-2021-4115)

Thus the fix for CVE-2021-3560 is applied twice, resulting in warnings
during do_patch. Curiously it neither fails nor complains about the patch
being already applied. Also devtool silently discards the duplicate patch.

Drop the duplicate patch, to resolve the following warnings:

WARNING: polkit-0.116-r0 do_patch: Fuzz detected:

Applying patch 0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch
patching file src/polkit/polkitsystembusname.c
Hunk #1 succeeded at 438 with fuzz 2 (offset 3 lines).

Applying patch CVE-2021-4115.patch
patching file src/polkit/polkitsystembusname.c
Hunk #4 succeeded at 439 with fuzz 2.

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
---
 ...thentication-bypass-vulnerability-in.patch | 32 -------------------
 .../recipes-extended/polkit/polkit_0.116.bb   |  1 -
 2 files changed, 33 deletions(-)
 delete mode 100644 meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch

Patch

diff --git a/meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch b/meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch
deleted file mode 100644
index 2a2373ed5..000000000
--- a/meta-oe/recipes-extended/polkit/files/0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch
+++ /dev/null
@@ -1,32 +0,0 @@ 
-From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001
-From: Jan Rybar <jrybar@redhat.com>
-Date: Wed, 2 Jun 2021 15:43:38 +0200
-Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit
-
-initial values returned if error caught
-
-Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81.patch]
-CVE: CVE-2021-4115
-Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
-
----
- src/polkit/polkitsystembusname.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
-index 8daa12c..8ed1363 100644
---- a/src/polkit/polkitsystembusname.c
-+++ b/src/polkit/polkitsystembusname.c
-@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
-   while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
-     g_main_context_iteration (tmp_context, TRUE);
- 
-+  if (data.caught_error)
-+    goto out;
-+
-   if (out_uid)
-     *out_uid = data.uid;
-   if (out_pid)
--- 
-GitLab
-
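Review bot: The header of the deleted file is tagged `CVE: CVE-2021-4115`, but its Subject (GHSL-2021-074) and Upstream-Status URL point at upstream commit a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81, which the commit message attributes to CVE-2021-3560. It is worth stating in the commit message that the removed file was mis-tagged, so that anyone auditing CVE coverage from the `CVE:` tags can see that CVE-2021-4115 remains covered by CVE-2021-4115.patch and CVE-2021-3560 by CVE-2021-3560.patch. Please also confirm that the remaining patches still add the `if (data.caught_error) goto out;` check after the g_main_context_iteration loop in polkit_system_bus_name_get_creds_sync, since their content is not visible in this diff.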
diff --git a/meta-oe/recipes-extended/polkit/polkit_0.116.bb b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
index ac48cf6c2..dd8e20861 100644
--- a/meta-oe/recipes-extended/polkit/polkit_0.116.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_0.116.bb
@@ -27,7 +27,6 @@  SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.
            file://0003-make-netgroup-support-optional.patch \
            file://CVE-2021-3560.patch \
            file://CVE-2021-4034.patch \
-           file://0001-GHSL-2021-074-authentication-bypass-vulnerability-in.patch \
            file://CVE-2021-4115.patch \
            "
 SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a"
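Review bot: CVE-2021-4115.patch is left untouched as the last SRC_URI entry, yet the log quoted in the commit message shows its Hunk #4 applying to src/polkit/polkitsystembusname.c with fuzz 2. Please confirm that do_patch runs without any fuzz warning once the duplicate entry is gone; if Hunk #4 still needs fuzz, CVE-2021-4115.patch should be refreshed in this same change so that the security fix applies against exact context.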