[CentOS] Polkit patch for CVE-2021-4034 for CentOS 6

Wed Jan 26 17:18:33 UTC 2022
Simon Matter <simon.matter at invoca.ch>

Hi,

For those still running CentOS 6 somewhere, the patch below can be added
to the source RPM.

Verified to fix the issue on CentOS 6.10 x86_64 with this exploit:

https://packetstormsecurity.com/files/165728/Polkit-pkexec-CVE-2021-4034-Proof-Of-Concept.html

Regards,
Simon

PS: Sure, I know nobody is really running old EL6 anymore :-)

diff -Naupr polkit-0.96.patched/src/programs/pkcheck.c
polkit-0.96/src/programs/pkcheck.c
--- polkit-0.96.patched/src/programs/pkcheck.c	2022-01-26
17:03:29.059789167 +0100
+++ polkit-0.96/src/programs/pkcheck.c	2022-01-26 17:04:34.051159050 +0100
@@ -96,6 +96,11 @@ main (int argc, char *argv[])
   allow_user_interaction = FALSE;
   ret = 126;

+  if (argc < 1)
+    {
+      exit(126);
+    }
+
   g_type_init ();

   details = polkit_details_new ();
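Review bot: the new `argc < 1` check in pkcheck.c carries no comment, unlike the matching check in pkexec.c further down; add a one-line note that it guards against the program being started via execve with an empty argv (the only way argc can be 0), so a later reader does not mistake it for dead code. Placement is right, before any `argv` dereference, and `exit(126)` agrees with the `ret = 126` default set just above, so the exit status stays consistent.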
diff -Naupr polkit-0.96.patched/src/programs/pkexec.c
polkit-0.96/src/programs/pkexec.c
--- polkit-0.96.patched/src/programs/pkexec.c	2022-01-26
17:03:29.046789093 +0100
+++ polkit-0.96/src/programs/pkexec.c	2022-01-26 17:04:34.056159079 +0100
@@ -415,6 +415,14 @@ main (int argc, char *argv[])
   gchar *opt_user;
   pid_t pid_of_caller;

+  /*
+   * If 'pkexec' is called THIS wrong, someone's probably evil-doing.
Don't be nice, just bail out.
+   */
+  if (argc < 1)
+    {
+      exit(127);
+    }
+
   ret = 127;
   authority = NULL;
   subject = NULL;
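Review bot: the comment says the call is "THIS wrong" but not what the condition actually means; `argc < 1` is only reachable when pkexec is invoked through execve with an empty argv, and spelling that out would make the intent clear to the next reader. Exiting with 127 matches the `ret = 127` default assigned on the following line, and since nothing has been allocated yet, a direct `exit()` instead of `goto out` is acceptable here.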
@@ -520,7 +528,15 @@ main (int argc, char *argv[])
           goto out;
         }
       g_free (path);
-      argv[n] = path = s;
+      path = s;
+
+      /* argc<2 and pkexec runs just shell, argv is guaranteed to be
null-terminated.
+       * /-less shell shouldn't happen, but let's be defensive and don't
write to null-termination
+       */
+      if (argv[n] != NULL)
+      {
+        argv[n] = path;
+      }
     }
   if (access (path, F_OK) != 0)
     {
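Review bot: the `if (argv[n] != NULL)` guard only prevents the write into the NULL terminator when no command was given; it does not by itself cover argc == 0, where `argv[1]` is the first environment string rather than NULL, so it relies on the `argc < 1` exit added earlier in this file, and the comment should state that dependency. Also, the brace placement of the new block (`if (argv[n] != NULL)` and `{` at the same indent) differs from the GNU style used around it, where braces are indented two spaces further than the `if`, as in the `if (access (path, F_OK) != 0)` block directly below and the `if (argc < 1)` blocks above; match that style.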