[Pkg-utopia-maintainers] Bug#956223: policykit-1: out-of-bounds reads in _localize (submit at bugs.debian.org, line 1127)

Kevin Backhouse kev at github.com
Wed Apr 8 15:57:14 BST 2020


Package: policykit-1
Version: 0.105-26

Dear Maintainer,

I noticed that there is an out-of-bounds read at the following source
location:

https://salsa.debian.org/utopia-team/polkit/-/blob/debian/0.105-26/src/polkitbackend/polkitbackendactionpool.c#L1127

There is also a potential out-of-bounds write a few lines below in the same
file (line 1131).

The bug happens when the locale string is longer than 256 characters. It
happens because strncpy does not insert a terminating null byte ('\0') when
the source string is too long. This means that the loop can read off the
end of the string, and potentially write out-of-bounds on line 1131.
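An added illustration of the mechanism described above (constructed here, not code from the report or from polkit): the first function shows, with a well-defined check, that a 256-byte strncpy() copy of a locale string of 256 or more bytes contains no terminating NUL; the second is a hardened form of the locale-shortening step, modelled on _localize and assumed to cut at the first '.', that bounds the length check to the buffer and rejects an over-long locale instead of scanning past the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define LANG_BUF_SIZE 256   /* same size as lang2[] in _localize */

/* strncpy() writes a terminating NUL only when the source is shorter than the
 * buffer. True if a source of `srclen` bytes leaves the 256-byte copy
 * unterminated, the state in which the for-loop in _localize then scans it. */
bool strncpy_leaves_unterminated(size_t srclen)
{
    char src[2 * LANG_BUF_SIZE] = {0}, dst[LANG_BUF_SIZE];
    memset(src, 'x', srclen < sizeof src ? srclen : sizeof src - 1);
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) == NULL;   /* check stays inside dst */
}

/* Hardened form of the shortening step: bound the length check to the buffer,
 * refuse (-1) a locale that does not fit together with its terminator, and only
 * then scan within the known length. Returns the length of the result. */
int locale_strip_codeset(const char *lang, char *out, size_t outsz)
{
    if (lang == NULL || outsz == 0)
        return -1;
    const char *nul = memchr(lang, '\0', outsz);   /* reads at most outsz bytes */
    if (nul == NULL)
        return -1;                                  /* too long: caller falls back */
    size_t len = (size_t)(nul - lang);
    memcpy(out, lang, len + 1);                     /* copies the '\0' as well */
    for (size_t n = 0; n < len; n++) {
        if (out[n] == '.') {                        /* "da_DK.UTF8" -> "da_DK" */
            out[n] = '\0';
            len = n;
            break;
        }
    }
    return (int)len;
}

/* Constructed test locale: `n` letters followed by ".UTF8", in a static buffer. */
const char *constructed_locale(size_t n)
{
    static char lang[2 * LANG_BUF_SIZE];
    if (n > sizeof lang - 6)
        n = sizeof lang - 6;
    memset(lang, 'a', n);
    memcpy(lang + n, ".UTF8", 6);
    return lang;
}
```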

The bug can be triggered by an unprivileged user sending an
EnumerateActions D-Bus message to polkitd. (I have attached a PoC.)

Although an out-of-bounds read/write is a potential security issue, in
practice my PoC does not cause polkitd to crash. That's because there are
usually some zero bytes on the stack (in the memory above lang2) which
prevent it from hitting anything important. In other words, this bug is
technically a security issue, but it is very low severity.

Weirdly, this bug only exists on the version of polkit used by Debian. It
was fixed 7 years ago in the main polkit repo:

https://gitlab.freedesktop.org/polkit/polkit/-/commit/facadfb5c8c52ba45fd20ffe3b6d3ddd4208a427

The bug is also fixed in policykit-1 version 0.116-2, which is the version
used by Debian experimental. But versions 0.105-15~deb8u4 to 0.105-26,
which are the versions used by the other Debian releases, contain the bug.

Despite the low severity of the bug, I would recommend cherry-picking
commit facadfb5c8c52ba45fd20ffe3b6d3ddd4208a427 onto all of your releases
to fix it.

Thank you,

Kevin Backhouse
GitHub Security Lab
Attachment: Polkit_EnumerateActions_PoC.tar.bz2 (application/x-bzip, 31744 bytes)
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20200408/277a37c1/attachment-0001.bin>