Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hello,
I have uploaded the attached proposed change for stretch.
The story is that the policykit-1 package was patched in unstable with
0.115/Fix-CVE-2018-1116-Trusting-client-supplied-UID.patch
to fix a CVE, and we have noticed that it completely breaks polkit
authentication in brlapi, which means that braille does not work in
graphical sessions, reported as bug #905058. This is actually due to a
misuse of the polkit API in brltty, which only got to pose problem
with the addition of that policykit patch. A brltty fix has been
uploaded to unstable so the issue is fixed there. policykit maintainers
however plan to upload their patch to stretch, so we need to upload the
brltty fix in stretch too.
Samuel
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500,
'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500,
'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1,
'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.17.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru brltty-5.4/debian/changelog brltty-5.4/debian/changelog
--- brltty-5.4/debian/changelog 2017-03-12 15:31:57.000000000 +0100
+++ brltty-5.4/debian/changelog 2018-08-01 18:14:54.000000000 +0200
@@ -1,3 +1,9 @@
+brltty (5.4-7+deb9u1) stretch; urgency=medium
+
+ * patches/policykit-fix: Fix polkit authentication (Closes: #905058).
+
+ -- Samuel Thibault <sthiba...@debian.org> Wed, 01 Aug 2018 18:14:54 +0200
+
brltty (5.4-7) unstable; urgency=medium
* git-vario-ultra-restart.patch: Fix baum driver restarting when typing too
diff -Nru brltty-5.4/debian/patches/policykit-fix
brltty-5.4/debian/patches/policykit-fix
--- brltty-5.4/debian/patches/policykit-fix 1970-01-01 01:00:00.000000000
+0100
+++ brltty-5.4/debian/patches/policykit-fix 2018-08-01 18:14:54.000000000
+0200
@@ -0,0 +1,22 @@
+commit b185abebde8880209c1735e90bc09ed0fce5d9a0
+Author: Samuel Thibault <samuel.thiba...@ens-lyon.org>
+Date: Wed Aug 1 18:09:16 2018 +0200
+
+ Polkit auth: fix authentication failure with CVE-2018-1116 fix
+
+ Tell polkit_unix_process_new_for_owner to get process start
+ time from /proc, so it matches what the CVE-2018-1116 fix finds.
+
+diff --git a/Programs/auth.c b/Programs/auth.c
+index 26914bf5b..9ad2c63ae 100644
+--- a/Programs/auth.c
++++ b/Programs/auth.c
+@@ -510,7 +510,7 @@ authPolkit_server (AuthDescriptor *auth, FileDescriptor
fd, void *data) {
+ if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &length) != -1) {
+ logMessage(LOG_DEBUG, "attempting to authenticate pid %d via polkit",
cred.pid);
+
+- PolkitSubject *subject = polkit_unix_process_new_for_owner(cred.pid, -1,
cred.uid);
++ PolkitSubject *subject = polkit_unix_process_new_for_owner(cred.pid, 0,
cred.uid);
+ if (subject) {
+ GError *error_local = NULL;
+
diff -Nru brltty-5.4/debian/patches/series brltty-5.4/debian/patches/series
--- brltty-5.4/debian/patches/series 2017-03-12 15:31:57.000000000 +0100
+++ brltty-5.4/debian/patches/series 2018-08-01 18:14:54.000000000 +0200
@@ -15,3 +15,4 @@
xbrlapi-nospam.patch
git-vario-ultra-restart.patch
disable-synth-callback.patch
+policykit-fix
