diff mbox series

[meta-oe,scarthgap[PATCH,1/1] polkit: fix CVE-2025-7519

Message ID 20250926070955.1049088-1-praveen.kumar@windriver.com
State New
Headers show
Series [meta-oe,scarthgap[PATCH,1/1] polkit: fix CVE-2025-7519 | expand

Commit Message

pkumar7 Sept. 26, 2025, 7:09 a.m. UTC 
From: Praveen Kumar <praveen.kumar@windriver.com>

A flaw was found in polkit. When processing an XML policy with 32 or
more nested elements in depth, an out-of-bounds write can be triggered.
This issue can lead to a crash or other unexpected behavior, and
arbitrary code execution is not discarded. To exploit this flaw, a
high-privilege account is needed as it's required to place the
malicious policy file properly.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-7519

Upstream-patch:
https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
 .../polkit/files/CVE-2025-7519.patch          | 34 +++++++++++++++++++
 meta-oe/recipes-extended/polkit/polkit_124.bb |  5 ++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch
new file mode 100644
index 0000000000..78945a88fc
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch
@@ -0,0 +1,34 @@ 
+From 107d3801361b9f9084f78710178e683391f1d245 Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Fri, 6 Jun 2025 13:25:55 +0200
+Subject: [PATCH] Nested .policy files cause xml parsing overflow leading to
+ crash
+
+CVE: CVE-2025-7519
+
+Upstream-Status: Backport [https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/polkitbackend/polkitbackendactionpool.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
+index 43f89cb..f4acca9 100644
+--- a/src/polkitbackend/polkitbackendactionpool.c
++++ b/src/polkitbackend/polkitbackendactionpool.c
+@@ -739,6 +739,12 @@ _start (void *data, const char *el, const char **attr)
+   guint num_attr;
+   ParserData *pd = data;
+
++  if (pd->stack_depth < 0 || pd->stack_depth >= PARSER_MAX_DEPTH)
++    {
++      g_warning ("XML parsing reached max depth?");
++      goto error;
++    }
++
+   for (num_attr = 0; attr[num_attr] != NULL; num_attr++)
+     ;
+
+--
+2.40.0
diff --git a/meta-oe/recipes-extended/polkit/polkit_124.bb b/meta-oe/recipes-extended/polkit/polkit_124.bb
index a597b40ee3..3709aa0ef4 100644
--- a/meta-oe/recipes-extended/polkit/polkit_124.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_124.bb
@@ -5,7 +5,10 @@  LICENSE = "LGPL-2.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=155db86cdbafa7532b41f390409283eb"
 BUGTRACKER = "https://github.com/polkit-org/polkit/issues"
 
-SRC_URI = "git://github.com/polkit-org/polkit.git;protocol=https;branch=main"
+SRC_URI = "\
+     git://github.com/polkit-org/polkit.git;protocol=https;branch=main \
+     file://CVE-2025-7519.patch \
+"
 
 S = "${WORKDIR}/git"
 SRCREV = "82f0924dc0eb23b9df68e88dbaf9e07c81940a5a"