From owner-dev-commits-ports-main@freebsd.org  Fri Jun  4 18:29:58 2021
Return-Path: <owner-dev-commits-ports-main@freebsd.org>
Delivered-To: dev-commits-ports-main@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 2D7D1652B91;
 Fri,  4 Jun 2021 18:29:58 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4FxWX60lpBz4ZR7;
 Fri,  4 Jun 2021 18:29:58 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 01A92221DC;
 Fri,  4 Jun 2021 18:29:58 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 154ITvSx036203;
 Fri, 4 Jun 2021 18:29:57 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 154ITv1R036202;
 Fri, 4 Jun 2021 18:29:57 GMT (envelope-from git)
Date: Fri, 4 Jun 2021 18:29:57 GMT
Message-Id: <202106041829.154ITv1R036202@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
 dev-commits-ports-main@FreeBSD.org
From: "Tobias C. Berner" <tcberner@FreeBSD.org>
Subject: git: 0958ffc12c9c - main - security/vuxml: document vulnerability in
 sysutils/polkit
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: tcberner
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-ports-main@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the main branch of the FreeBSD ports repository
 <dev-commits-ports-main.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-ports-main>, 
 <mailto:dev-commits-ports-main-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-ports-main/>
List-Post: <mailto:dev-commits-ports-main@freebsd.org>
List-Help: <mailto:dev-commits-ports-main-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-ports-main>, 
 <mailto:dev-commits-ports-main-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jun 2021 18:29:58 -0000

The branch main has been updated by tcberner:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9

commit 0958ffc12c9c0bba44f9a1adc0ca5173d7cd8bf9
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2021-06-04 18:27:49 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2021-06-04 18:29:52 +0000

    security/vuxml: document vulnerability in sysutils/polkit
    
    Cedric Buissart reports:
    
            The function `polkit_system_bus_name_get_creds_sync` is used to get the
            uid and pid of the process requesting the action. It does this by
            sending the unique bus name of the requesting process, which is
            typically something like ":1.96", to `dbus-daemon`. These unique names
            are assigned and managed by `dbus-daemon` and cannot be forged, so this
            is a good way to check the privileges of the requesting process.
    
            The vulnerability happens when the requesting process disconnects from
            `dbus-daemon` just before the call to
            `polkit_system_bus_name_get_creds_sync` starts. In this scenario, the
            unique bus name is no longer valid, so `dbus-daemon` sends back an error
            reply. This error case is handled in
            `polkit_system_bus_name_get_creds_sync` by setting the value of the
            `error` parameter, but it still returns `TRUE`, rather than `FALSE`.
            This behavior means that all callers of
            `polkit_system_bus_name_get_creds_sync` need to carefully check whether
            an error was set. If the calling function forgets to check for errors
            then it will think that the uid of the requesting process is 0 (because
            the `AsyncGetBusNameCredsData` struct is zero initialized). In other
            words, it will think that the action was requested by a root process,
            and will therefore allow it.
    
    PR:             256405
    Security:       CVE-2021-3560 polkit
---
 security/vuxml/vuln.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 38e8f777ddf3..9f9941838dc0 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -76,6 +76,53 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="36a35d83-c560-11eb-84ab-e0d55e2a8bf9">
+    <topic>polkit -- local privilege escalation using polkit_system_bus_name_get_creds_sync</topic>
+    <affects>
+      <package>
+	<name>polkit</name>
+	<range><lt>0.119</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Cedric Buissart reports:</p>
+	<blockquote cite="https://seclists.org/oss-sec/2021/q2/180">
+	  <p>The function <code>polkit_system_bus_name_get_creds_sync</code> is used to get the
+	  uid and pid of the process requesting the action. It does this by
+	  sending the unique bus name of the requesting process, which is
+	  typically something like ":1.96", to <code>dbus-daemon</code>. These unique names
+	  are assigned and managed by <code>dbus-daemon</code> and cannot be forged, so this
+	  is a good way to check the privileges of the requesting process.</p>
+	  <p>The vulnerability happens when the requesting process disconnects from
+	  <code>dbus-daemon</code> just before the call to
+	  <code>polkit_system_bus_name_get_creds_sync</code> starts. In this scenario, the
+	  unique bus name is no longer valid, so <code>dbus-daemon</code> sends back an error
+	  reply. This error case is handled in
+	  <code>polkit_system_bus_name_get_creds_sync</code> by setting the value of the
+	  <code>error</code> parameter, but it still returns <code>TRUE</code>, rather than <code>FALSE</code>.
+	  This behavior means that all callers of
+	  <code>polkit_system_bus_name_get_creds_sync</code> need to carefully check whether
+	  an error was set. If the calling function forgets to check for errors
+	  then it will think that the uid of the requesting process is 0 (because
+	  the <code>AsyncGetBusNameCredsData</code> struct is zero initialized). In other
+	  words, it will think that the action was requested by a root process,
+	  and will therefore allow it.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2021-3560</cvename>
+      <url>https://seclists.org/oss-sec/2021/q2/180</url>
+      <url>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560</url>
+      <url>https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13a</url>
+    </references>
+    <dates>
+      <discovery>2021-06-03</discovery>
+      <entry>2021-06-04</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="69815a1d-c31d-11eb-9633-b42e99a1b9c3">
     <topic>SOGo -- SAML user authentication impersonation</topic>
     <affects>