mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-14 17:59:59 +00:00
Code Issues Projects Releases Wiki Activity

polkit: fix CVE-2025-7519

Browse Source 
A flaw was found in polkit. When processing an XML policy with 32 or
more nested elements in depth, an out-of-bounds write can be triggered.
This issue can lead to a crash or other unexpected behavior, and
arbitrary code execution is not discarded. To exploit this flaw, a
high-privilege account is needed as it's required to place the
malicious policy file properly.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-7519

Upstream-patch:
https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Praveen Kumar
2025-09-26 12:38:02 +05:30
committed by Gyorgy Sarvari
parent 11441e2432
commit 87f82e5f1d
2 changed files with 38 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch
+34
View File
@@ -0,0 +1,34 @@
From 107d3801361b9f9084f78710178e683391f1d245 Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Fri, 6 Jun 2025 13:25:55 +0200
Subject: [PATCH] Nested .policy files cause xml parsing overflow leading to
crash
CVE: CVE-2025-7519
Upstream-Status: Backport [https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245]
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
src/polkitbackend/polkitbackendactionpool.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
index 43f89cb..f4acca9 100644
--- a/src/polkitbackend/polkitbackendactionpool.c
+++ b/src/polkitbackend/polkitbackendactionpool.c
@@ -739,6 +739,12 @@ _start (void *data, const char *el, const char **attr)
guint num_attr;
ParserData *pd = data;
+ if (pd->stack_depth < 0 || pd->stack_depth >= PARSER_MAX_DEPTH)
+ {
+ g_warning ("XML parsing reached max depth?");
+ goto error;
+ }
+
for (num_attr = 0; attr[num_attr] != NULL; num_attr++)
;
--
2.40.0
meta-oe/recipes-extended/polkit/polkit_126.bb
+4 -1
View File
@@ -5,7 +5,10 @@ LICENSE = "LGPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=155db86cdbafa7532b41f390409283eb"
BUGTRACKER = "https://github.com/polkit-org/polkit/issues"
SRC_URI = "git://github.com/polkit-org/polkit.git;protocol=https;branch=main"
SRC_URI = "\
git://github.com/polkit-org/polkit.git;protocol=https;branch=main \
file://CVE-2025-7519.patch \
"
S = "${WORKDIR}/git"
SRCREV = "d627b0d1e1108563658dabe3fb8d2a065e64df10"