polkit: Fix local privilege escalation vulnerability

Fixes a local privilege escalation using polkit_system_bus_name_get_creds_sync() Fixes: CVE-2021-3560 (cherry picked from commit 26ac1d5db953292d78f0585dd8baccd9a36a44a4)
2021-06-03 21:28:49 +02:00 · 2021-06-03 21:28:49 +02:00 · 715c85757b
parent c0e22c259c
commit 715c85757b
1 changed files with 7 additions and 0 deletions
--- a/pkgs/development/libraries/polkit/default.nix
+++ b/pkgs/development/libraries/polkit/default.nix
@ -34,6 +34,13 @@ stdenv.mkDerivation rec {
      url = "https://gitlab.freedesktop.org/polkit/polkit/commit/5dd4e22efd05d55833c4634b56e473812b5acbf2.patch";
      sha256 = "17lv7xj5ksa27iv4zpm4zwd4iy8zbwjj4ximslfq3sasiz9kxhlp";
    })
+    (fetchpatch {
+      # https://www.openwall.com/lists/oss-security/2021/06/03/1
+      # https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/79
+      name = "CVE-2021-3560.patch";
+      url = "https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81.patch";
+      sha256 = "157ddsizgr290jsb8fpafrc37gc1qw5pdvl351vnn3pzhqs7n6f4";
+    })
  ] ++ lib.optionals stdenv.hostPlatform.isMusl [
    # Make netgroup support optional (musl does not have it)
    # Upstream MR: https://gitlab.freedesktop.org/polkit/polkit/merge_requests/10