authorbsiegert <bsiegert@pkgsrc.org>2022-02-06 19:13:51 +0000
committerbsiegert <bsiegert@pkgsrc.org>2022-02-06 19:13:51 +0000
commit0a80cbec851990599c43041e8364619c0e1224b8 (patch)
tree79f66ab67cfc1ba7c107c4e83c91f5d751827ec9
parent7c91b8a28963c8d3b88b888fe424e6d4bcd3b622 (diff)
downloadpkgsrc-0a80cbec851990599c43041e8364619c0e1224b8.tar.gz
Pullup ticket #6579 - requested by khorben
security/polkit: security fix Revisions pulled up: - security/polkit/Makefile 1.39 - security/polkit/distinfo 1.18 - security/polkit/patches/patch-src_programs_pkcheck.c 1.1 - security/polkit/patches/patch-src_programs_pkexec.c 1.3 --- Module Name: pkgsrc Committed By: wiz Date: Tue Jan 25 19:40:46 UTC 2022 Modified Files: pkgsrc/security/polkit: Makefile distinfo pkgsrc/security/polkit/patches: patch-src_programs_pkexec.c Added Files: pkgsrc/security/polkit/patches: patch-src_programs_pkcheck.c Log Message: polkit: fix CVE-2021-4034 Bump PKGREVISION.
-rw-r--r--security/polkit/Makefile4
-rw-r--r--security/polkit/distinfo5
-rw-r--r--security/polkit/patches/patch-src_programs_pkcheck.c19
-rw-r--r--security/polkit/patches/patch-src_programs_pkexec.c60
4 files changed, 79 insertions, 9 deletions
diff --git a/security/polkit/Makefile b/security/polkit/Makefile
index 7a5a7a3bd28..12bc4fab6da 100644
--- a/security/polkit/Makefile
+++ b/security/polkit/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.38 2021/12/08 16:02:35 adam Exp $
+# $NetBSD: Makefile,v 1.38.2.1 2022/02/06 19:13:51 bsiegert Exp $
DISTNAME= polkit-0.120
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= security
MASTER_SITES= http://www.freedesktop.org/software/polkit/releases/
diff --git a/security/polkit/distinfo b/security/polkit/distinfo
index d13e452213f..46cdf711502 100644
--- a/security/polkit/distinfo
+++ b/security/polkit/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.17 2021/11/01 10:20:48 wiz Exp $
+$NetBSD: distinfo,v 1.17.2.1 2022/02/06 19:13:51 bsiegert Exp $
BLAKE2s (polkit-0.120.tar.gz) = d13513e4e4d643bb1f3581fe3c58d467c8f26cd33711034accee42a1546c9781
SHA512 (polkit-0.120.tar.gz) = db072769439d5e17d0eed681e7b94251b77828c1474b40fe40b94293903a64333e7fa17515a3270648691f04a1374d8b404405ead6abf292a8eb8483164adc46
@@ -13,7 +13,8 @@ SHA1 (patch-src_polkitbackend_polkitbackendduktapeauthority.c) = a80ba55ecd4726f
SHA1 (patch-src_polkitbackend_polkitbackendinteractiveauthority.c) = dd91b4e74e6c39f24e0f5a9b3150fdac12899cb5
SHA1 (patch-src_polkitbackend_polkitbackendjsauthority.cpp) = 432a3d7d082ba6e596ba164d91408fc521b84422
SHA1 (patch-src_polkitbackend_polkitd.c) = b8e11b40e2b171d4f030eb4c4cbc6fdc7a96b2c2
-SHA1 (patch-src_programs_pkexec.c) = bfc0414c7a943c8e8b8412566a2519198eab8abd
+SHA1 (patch-src_programs_pkcheck.c) = 3dd53a15f6741b883447be4d5ccd6e86fd6b6be0
+SHA1 (patch-src_programs_pkexec.c) = c373d8e7eac1107fe056a82510fee85c4c97ea57
SHA1 (patch-src_programs_pkttyagent.c) = 2c249b61501a1ad2c077bc83fd497e45f2db69a8
SHA1 (patch-test_mocklibc_src_grp.c) = 435ff94fd4c7f5511d74d03839fad453dd841633
SHA1 (patch-test_mocklibc_src_netdb.c) = 0fe71068a6261d5e2c8874f2b4507e7e3c002526
diff --git a/security/polkit/patches/patch-src_programs_pkcheck.c b/security/polkit/patches/patch-src_programs_pkcheck.c
new file mode 100644
index 00000000000..9a68e14c4e5
--- /dev/null
+++ b/security/polkit/patches/patch-src_programs_pkcheck.c
@@ -0,0 +1,19 @@
+$NetBSD: patch-src_programs_pkcheck.c,v 1.1.2.2 2022/02/06 19:13:51 bsiegert Exp $
+
+Fix for CVE-2021-4034.
+https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
+
+--- src/programs/pkcheck.c.orig 2018-05-31 11:52:53.000000000 +0000
++++ src/programs/pkcheck.c
+@@ -363,6 +363,11 @@ main (int argc, char *argv[])
+ local_agent_handle = NULL;
+ ret = 126;
+
++ if (argc < 1)
++ {
++ exit(126);
++ }
++
+ /* Disable remote file access from GIO. */
+ setenv ("GIO_USE_VFS", "local", 1);
+
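Review bot: The `argc < 1` guard added to pkcheck's main() carries no comment, so the reason an empty argument vector is fatal is recorded only in the patch header's CVE reference. A line above the `if`, for example `/* argc == 0: argv[0] is the NULL terminator, so there is no argument to parse; refuse to run. */`, would keep that reasoning with the code. main() starts and continues outside the hunk, so whether anything reads argv before this point cannot be confirmed from the lines shown.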
diff --git a/security/polkit/patches/patch-src_programs_pkexec.c b/security/polkit/patches/patch-src_programs_pkexec.c
index d853c3ff39f..29169a50a30 100644
--- a/security/polkit/patches/patch-src_programs_pkexec.c
+++ b/security/polkit/patches/patch-src_programs_pkexec.c
@@ -1,10 +1,14 @@
-$NetBSD: patch-src_programs_pkexec.c,v 1.2 2016/06/18 12:16:23 youri Exp $
+$NetBSD: patch-src_programs_pkexec.c,v 1.2.46.1 2022/02/06 19:13:51 bsiegert Exp $
-Avoid conflict with SunOS function.
+gfdwalk: Avoid conflict with SunOS function.
---- src/programs/pkexec.c.orig 2015-06-18 20:20:50.000000000 +0000
+rest:
+Fix for CVE-2021-4034.
+https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
+
+--- src/programs/pkexec.c.orig 2018-05-31 11:52:53.000000000 +0000
+++ src/programs/pkexec.c
-@@ -247,7 +247,7 @@ set_close_on_exec (gint fd,
+@@ -245,7 +245,7 @@ set_close_on_exec (gint fd,
}
static gboolean
@@ -13,7 +17,53 @@ Avoid conflict with SunOS function.
gpointer user_data)
{
gint fd;
-@@ -922,7 +922,7 @@ main (int argc, char *argv[])
+@@ -488,6 +488,15 @@ main (int argc, char *argv[])
+ pid_t pid_of_caller;
+ gpointer local_agent_handle;
+
++
++ /*
++ * If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
++ */
++ if (argc<1)
++ {
++ exit(127);
++ }
++
+ ret = 127;
+ authority = NULL;
+ subject = NULL;
+@@ -614,10 +623,10 @@ main (int argc, char *argv[])
+
+ path = g_strdup (pwstruct.pw_shell);
+ if (!path)
+- {
++ {
+ g_printerr ("No shell configured or error retrieving pw_shell\n");
+ goto out;
+- }
++ }
+ /* If you change this, be sure to change the if (!command_line)
+ case below too */
+ command_line = g_strdup (path);
+@@ -636,7 +645,15 @@ main (int argc, char *argv[])
+ goto out;
+ }
+ g_free (path);
+- argv[n] = path = s;
++ path = s;
++
++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
++ */
++ if (argv[n] != NULL)
++ {
++ argv[n] = path;
++ }
+ }
+ if (access (path, F_OK) != 0)
+ {
+@@ -918,7 +935,7 @@ main (int argc, char *argv[])
}
/* set close_on_exec on all file descriptors except stdin, stdout, stderr */
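Review bot: The `argc<1` guard added at the top of main() calls `exit(127)` without leaving any record, so an administrator has no trace that pkexec was started with an empty argument vector. Since the added comment itself treats this as a sign of abuse, one audit line before the exit would give defenders a detection signal, for example `syslog (LOG_AUTHPRIV | LOG_WARNING, "pkexec: empty argv from uid %ld, refusing", (long) getuid ());`. This assumes `<syslog.h>` is already included in pkexec.c and that logging is safe this early, before the environment has been validated. Neither is visible in the hunk, and main() extends beyond it.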