polkit: CVE-2018-1116: polkitd trusting client-supplied UID allows spoofed authentication dialogs

Related Vulnerabilities: CVE-2018-1116   CVE-2013-4288  

Debian Bug report logs - #903563


Reported by: Simon McVittie <smcv@debian.org>

Date: Wed, 11 Jul 2018 11:12:02 UTC

Severity: important

Tags: security

Found in version policykit-1/0.105-3+nmu1

Fixed in versions 0.105-21, policykit-1/0.115-1

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#903563; Package policykit-1. (Wed, 11 Jul 2018 11:12:04 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 11 Jul 2018 11:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: submit@bugs.debian.org
Subject: polkit: CVE-2018-1116: polkitd trusting client-supplied UID allows spoofed authentication dialogs
Date: Wed, 11 Jul 2018 12:09:28 +0100
Package: policykit-1
Version: 0.105-3+nmu1
Severity: important
Tags: security pending
X-Debbugs-Cc: security@debian.org

Security team: Do you want to do a DSA for this, or should this just be a
stable-update?

I've uploaded policykit-1/0.105-21 with a backport of the patch, but I'd
appreciate a check from other developers on whether I have backported it
correctly. I also have 0.115-1 ready for upload to experimental when I've
tested it.

I will have limited availability this/next week, so I would appreciate it
if someone else could prepare and test whatever security or stable updates
are felt to be appropriate.

Thanks,
    smcv

On Wed, 11 Jul 2018 at 10:21:56 +0200, Matthias Gerstner wrote:
> during a code review related to polkit
> <https://www.freedesktop.org/wiki/Software/polkit/> I found a spoofed
> authentication vulnerability in the implementation of the polkitd
> daemon. It allows a local attacker to trigger authentication dialogs for
> other users' processes. This way the attacker can obtain certain
> information about the polkit rules configuration of other users, confuse
> other users or DoS other users by infinitely triggering authentication
> dialogs.
> 
> Basically the issue is that an attacker is able to specify
> arbitrary target process UIDs when talking to polkitd via D-Bus like
> this:
> 
> $ gdbus call --system --dest org.freedesktop.PolicyKit1 \
> 	--object-path /org/freedesktop/PolicyKit1/Authority \
> 	--method org.freedesktop.PolicyKit1.Authority.CheckAuthorization \
> 	'("unix-process", {"pid": <uint32 ${PID}>, "start-time": <uint64 0>, "uid": <${UID}>})' \
> 	org.freedesktop.timedate1.set-time '[]' 1 ''
> 
> Where ${PID} needs to be the process ID of the target process and ${UID}
> the user ID of the calling process i.e. `id -u`.
> 
> Upstream just released version 0.115 of polkit that addresses this issue
> by way of commit bc7ffad53643a9c80231fc41f5582d6a8931c32c. The issue was
> introduced with a fix for CVE-2013-4288 in polkit version 0.112.
> 
> Further below you can find the upstream commit message with a more
> detailed explanation of the issue and its fix. I want to thank the
> upstream developers for the constructive communication and quick
> handling of the issue.
> 
> Best regards
> 
> Matthias
> 
> Timeline:
> 
> 2018-06-21: I discovered and analyzed the issue
> 2018-06-22: I reported the issue privately to upstream via
>     dbus-security@lists.freedesktop.org. In the following days upstream
>     devised a patch that was discussed and reviewed on the mailing list.
>     Publication has been scheduled for 2018-07-10 together with the
>     release of the fixed polkit version.
> 2018-07-10: The upstream release was published as scheduled.
> 
> References:
> 
> - Upstream Release Notice: https://lists.freedesktop.org/archives/polkit-devel/2018-July/000583.html
> - Upstream Fix: https://cgit.freedesktop.org/polkit/commit/?id=bc7ffad53643a9c80231fc41f5582d6a8931c32c
> - SUSE Bug for the issue: https://bugzilla.suse.com/show_bug.cgi?id=1099031
> 
> Upstream Commit Message:
> 
>      Fix CVE-2018-1116: Trusting client-supplied UID
>       
>      As part of CVE-2013-4288, the D-Bus clients were allowed (and
>      encouraged) to submit the UID of the subject of authorization checks
>      to avoid races against UID changes (notably using executables
>      set-UID to root).
>      
>      However, that also allowed any client to submit an arbitrary UID, and
>      that could be used to bypass "can only ask about / affect the same UID"
>      checks in CheckAuthorization / RegisterAuthenticationAgent /
>      UnregisterAuthenticationAgent.  This allowed an attacker:
>      
>      - With CheckAuthorization, to cause the registered authentication
>        agent in the victim's session to pop up a dialog, or to determine whether
>        the victim currently has a temporary authorization to perform an
>        operation.
>      
>        (In principle, the attacker can also determine whether JavaScript
>        rules allow the victim process to perform an operation; however,
>        usually rules base their decisions on information determined from
>        the supplied UID, so the attacker usually won't learn anything new.)
>      
>      - With RegisterAuthenticationAgent, to prevent the victim's
>        authentication agent from working (for a specific victim process),
>        or to learn about which operations requiring authorization
>        the victim is attempting.
>      
>      To fix this, expose internal _polkit_unix_process_get_owner() /
>      obsolete polkit_unix_process_get_owner() as a private
>      polkit_unix_process_get_racy_uid__() (being more explicit about the
>      dangers of relying on it), and use it in
>      polkit_backend_session_monitor_get_user_for_subject() to return
>      a boolean indicating whether the subject UID may be caller-chosen.
>      
>      Then, in the permission checks that require the subject to be
>      equal to the caller, fail on caller-chosen UIDs (and continue
>      through the pre-existing code paths which allow root, or root-designated
>      server processes, to ask about arbitrary subjects.)
>      
>      Signed-off-by: Miloslav Trmač <mitr@redhat.com>
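The check the upstream commit message describes, modelled as an added example (this is not polkit's own code): a D-Bus caller's UID comes from the socket credentials, while the `unix-process` subject carries a client-supplied `uid`; the fix only treats that UID as "the caller's own" when the kernel currently corroborates it. Function names are hypothetical simplifications of the ones named in the commit message, and `PROC_OWNERS` stands in for reading `/proc/<pid>/status`.

```python
# Added example, not polkit's code: a model of the CVE-2018-1116 fix in the
# "subject must belong to the caller" check done by CheckAuthorization.
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for /proc: pid -> uid the kernel reports right now.
PROC_OWNERS = {1234: 1000, 5678: 1001}


@dataclass(frozen=True)
class UnixProcess:
    pid: int
    uid: Optional[int] = None   # the client-supplied "uid" key of the subject


def get_racy_uid(proc: UnixProcess) -> Optional[int]:
    """Model of polkit_unix_process_get_racy_uid__(): the owner as the kernel
    reports it at this instant, which can change under us (the race that
    CVE-2013-4288 was about); None if the pid does not exist."""
    return PROC_OWNERS.get(proc.pid)


def get_user_for_subject(subject: UnixProcess) -> Tuple[int, bool]:
    """Model of polkit_backend_session_monitor_get_user_for_subject() after
    the fix: returns the subject UID plus a flag saying whether the kernel
    corroborates it. A False flag means the UID may be caller-chosen."""
    if subject.uid is None:
        raise ValueError("unix-process subject without uid")
    return subject.uid, subject.uid == get_racy_uid(subject)


def caller_may_check(caller_uid: int, subject: UnixProcess,
                     fixed: bool = True) -> bool:
    """Decide whether a D-Bus caller (uid from socket credentials, never
    client-chosen) may run CheckAuthorization on `subject`. Root may ask about
    any subject; an ordinary user only about processes that are really theirs.
    fixed=False reproduces the pre-0.115 behaviour that trusted the supplied
    UID unconditionally, so the "same identity" test passes for any pid."""
    if caller_uid == 0:
        return True
    subject_uid, corroborated = get_user_for_subject(subject)
    if fixed and not corroborated:
        return False            # caller-chosen UID: fail the same-identity check
    return subject_uid == caller_uid
```

With the constructed process table, uid 1000 naming pid 5678 (really owned by 1001) as uid 1000 passes the vulnerable check and fails the fixed one, while each user's own processes and any request from root are unaffected.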



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Wed, 11 Jul 2018 11:24:03 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Wed, 11 Jul 2018 11:24:03 GMT)


Message #10 received at 903563-done@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 903563-done@bugs.debian.org
Subject: Re: Bug#903563: polkit: CVE-2018-1116: polkitd trusting client-supplied UID allows spoofed authentication dialogs
Date: Wed, 11 Jul 2018 12:21:07 +0100
Version: 0.105-21

On Wed, 11 Jul 2018 at 12:09:28 +0100, Simon McVittie wrote:
> I've uploaded policykit-1/0.105-21 with a backport of the patch

    smcv



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Wed, 11 Jul 2018 19:39:10 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Wed, 11 Jul 2018 19:39:10 GMT)


Message #15 received at 903563-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 903563-close@bugs.debian.org
Subject: Bug#903563: fixed in policykit-1 0.115-1
Date: Wed, 11 Jul 2018 19:38:26 +0000
Source: policykit-1
Source-Version: 0.115-1

We believe that the bug you reported is fixed in the latest version of
policykit-1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903563@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated policykit-1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 11 Jul 2018 12:24:20 +0100
Source: policykit-1
Binary: policykit-1 policykit-1-doc libpolkit-gobject-1-0 libpolkit-gobject-1-dev libpolkit-agent-1-0 libpolkit-agent-1-dev gir1.2-polkit-1.0
Architecture: source
Version: 0.115-1
Distribution: experimental
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 gir1.2-polkit-1.0 - GObject introspection data for PolicyKit
 libpolkit-agent-1-0 - PolicyKit Authentication Agent API
 libpolkit-agent-1-dev - PolicyKit Authentication Agent API - development files
 libpolkit-gobject-1-0 - PolicyKit Authorization API
 libpolkit-gobject-1-dev - PolicyKit Authorization API - development files
 policykit-1 - framework for managing administrative policies and privileges
 policykit-1-doc - documentation for PolicyKit-1
Closes: 903563
Changes:
 policykit-1 (0.115-1) experimental; urgency=medium
 .
   * New upstream version 0.115
     - Fixes CVE-2018-1116 (Closes: #903563)
     - d/p/jsauthority-pass-s-format-string-to-remaining-report.patch:
       Drop, applied upstream
   * d/watch: Use https
   * d/watch: Download upstream PGP signatures
   * debian/upstream/signing-key.asc: Add public keys for Ray Strode,
     Miloslav Trmac, David Zeuthen
   * d/gbp.conf: Merge upstream tags into the upstream branch
   * Add myself to Uploaders
   * d/libpolkit-gobject-1-0.symbols: Update for new semi-private ABI
   * d/rules: Skip build-time tests if DEB_BUILD_OPTIONS=nocheck
   * Standards-Version: 4.1.5 (no changes required)
   * Set Rules-Requires-Root to no





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 05 Jun 2019 08:15:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:01:18 2019; Machine Name: buxtehude
