path: root/patches/polkit-0.105/0032-0.113-CVE-2015-3255-Fix-GHashTable-usage.patch
From: =?UTF-8?q?Miloslav=20Trma=C4=8D?= <mitr@redhat.com>
Date: Wed, 1 Apr 2015 05:22:37 +0200
Subject: [PATCH] 0.113: CVE-2015-3255 Fix GHashTable usage.

Don't assume that the hash table will free both the key and the value
at the same time; supply proper deallocation functions for the key
and value separately.

Then drop ParsedAction::action_id which is no longer used for anything.

https://bugs.freedesktop.org/show_bug.cgi?id=69501
and
https://bugs.freedesktop.org/show_bug.cgi?id=83590

CVE: CVE-2015-3255
Origin: upstream, 0.113, commit:9f5e0c731784003bd4d6fc75ab739ff8b2ea269f
Bug-Debian: https://bugs.debian.org/796134

Imported from policykit-1_0.105-25.debian.tar.xz

Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
 src/polkitbackend/polkitbackendactionpool.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
index e3ed38d4a81e..4270d4ed2b41 100644
--- a/src/polkitbackend/polkitbackendactionpool.c
+++ b/src/polkitbackend/polkitbackendactionpool.c
@@ -40,7 +40,6 @@
 
 typedef struct
 {
-  gchar *action_id;
   gchar *vendor_name;
   gchar *vendor_url;
   gchar *icon_name;
@@ -62,7 +61,6 @@ typedef struct
 static void
 parsed_action_free (ParsedAction *action)
 {
-  g_free (action->action_id);
   g_free (action->vendor_name);
   g_free (action->vendor_url);
   g_free (action->icon_name);
@@ -134,7 +132,7 @@ polkit_backend_action_pool_init (PolkitBackendActionPool *pool)
 
   priv->parsed_actions = g_hash_table_new_full (g_str_hash,
                                                 g_str_equal,
-                                                NULL,
+                                                g_free,
                                                 (GDestroyNotify) parsed_action_free);
 
   priv->parsed_files = g_hash_table_new_full (g_str_hash,
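Review bot: With `g_free` as the key destroy function in `polkit_backend_action_pool_init`, `parsed_actions` now owns every key, so each insert or replace on this table must pass a heap-allocated string that nothing else frees. The patch updates the one insert in `_end`; any other call site outside these hunks should be checked, because the table would call `g_free` on a borrowed or literal key. A comment above the call would record the contract, e.g. `/* keys are g_strdup()ed action ids owned by the table; values are ParsedAction, freed by parsed_action_free */`. The function body continues outside the hunk.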
@@ -988,7 +986,6 @@ _end (void *data, const char *el)
           icon_name = pd->global_icon_name;
 
         action = g_new0 (ParsedAction, 1);
-        action->action_id = g_strdup (pd->action_id);
         action->vendor_name = g_strdup (vendor);
         action->vendor_url = g_strdup (vendor_url);
         action->icon_name = g_strdup (icon_name);
@@ -1003,7 +1000,8 @@ _end (void *data, const char *el)
         action->implicit_authorization_inactive = pd->implicit_authorization_inactive;
         action->implicit_authorization_active = pd->implicit_authorization_active;
 
-        g_hash_table_insert (priv->parsed_actions, action->action_id, action);
+        g_hash_table_insert (priv->parsed_actions, g_strdup (pd->action_id),
+                             action);
 
         /* we steal these hash tables */
         pd->annotations = NULL;
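Review bot: The insert in `_end` still replaces an existing entry without any diagnostic when `pd->action_id` is already present in `parsed_actions`. GLib then keeps the old key, frees the new copy and destroys the old `ParsedAction`, which is memory-safe after this change. A second definition of the same action id would still silently override the first, unless duplicates are rejected earlier in code not visible here. If they are not, a check before the insert would make this visible, e.g. `if (g_hash_table_lookup (priv->parsed_actions, pd->action_id) != NULL) g_warning ("duplicate action id %s", pd->action_id);`. `_end` starts and ends outside the hunk.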