Commit a2bf5c9c authored by Jan Rybar's avatar Jan Rybar
Browse files

pkexec: local privilege escalation (CVE-2021-4034)

parent 4ff1abe4
Pipeline #492548 passed with stage
in 5 minutes and 57 seconds
......@@ -363,6 +363,11 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
if (argc < 1)
{
exit(126);
}
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
......
......@@ -488,6 +488,15 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
/*
* If 'pkexec' is called THIS wrong, someone's probably evil-doing. Don't be nice, just bail out.
*/
if (argc<1)
{
exit(127);
}
ret = 127;
authority = NULL;
subject = NULL;
......@@ -614,10 +623,10 @@ main (int argc, char *argv[])
path = g_strdup (pwstruct.pw_shell);
if (!path)
{
{
g_printerr ("No shell configured or error retrieving pw_shell\n");
goto out;
}
}
/* If you change this, be sure to change the if (!command_line)
case below too */
command_line = g_strdup (path);
......@@ -636,7 +645,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
argv[n] = path = s;
path = s;
/* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
* /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
*/
if (argv[n] != NULL)
{
argv[n] = path;
}
}
if (access (path, F_OK) != 0)
{
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment