From 87f82e5f1dbbf264a61dfc41b586eb94078efd73 Mon Sep 17 00:00:00 2001 From: Praveen Kumar Date: Fri, 26 Sep 2025 12:38:02 +0530 Subject: [PATCH] polkit: fix CVE-2025-7519 A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-7519 Upstream-patch: https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245 Signed-off-by: Praveen Kumar Signed-off-by: Gyorgy Sarvari --- .../polkit/files/CVE-2025-7519.patch | 34 +++++++++++++++++++ meta-oe/recipes-extended/polkit/polkit_126.bb | 5 ++- 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch new file mode 100644 index 0000000000..78945a88fc --- /dev/null +++ b/meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch @@ -0,0 +1,34 @@ +From 107d3801361b9f9084f78710178e683391f1d245 Mon Sep 17 00:00:00 2001 +From: Jan Rybar +Date: Fri, 6 Jun 2025 13:25:55 +0200 +Subject: [PATCH] Nested .policy files cause xml parsing overflow leading to + crash + +CVE: CVE-2025-7519 + +Upstream-Status: Backport [https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245] + +Signed-off-by: Praveen Kumar +--- + src/polkitbackend/polkitbackendactionpool.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c +index 43f89cb..f4acca9 100644 +--- a/src/polkitbackend/polkitbackendactionpool.c ++++ b/src/polkitbackend/polkitbackendactionpool.c +@@ -739,6 +739,12 @@ _start (void *data, const char *el, const char **attr) + guint num_attr; + ParserData *pd = data; + ++ if (pd->stack_depth < 0 || pd->stack_depth >= PARSER_MAX_DEPTH) ++ { ++ g_warning ("XML parsing reached max depth?"); ++ goto error; ++ } ++ + for (num_attr = 0; attr[num_attr] != NULL; num_attr++) + ; + +-- +2.40.0 diff --git a/meta-oe/recipes-extended/polkit/polkit_126.bb b/meta-oe/recipes-extended/polkit/polkit_126.bb index 64aba7b2dd..82d2ef2e6a 100644 --- a/meta-oe/recipes-extended/polkit/polkit_126.bb +++ b/meta-oe/recipes-extended/polkit/polkit_126.bb @@ -5,7 +5,10 @@ LICENSE = "LGPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=155db86cdbafa7532b41f390409283eb" BUGTRACKER = "https://github.com/polkit-org/polkit/issues" -SRC_URI = "git://github.com/polkit-org/polkit.git;protocol=https;branch=main" +SRC_URI = "\ + git://github.com/polkit-org/polkit.git;protocol=https;branch=main \ + file://CVE-2025-7519.patch \ +" S = "${WORKDIR}/git" SRCREV = "d627b0d1e1108563658dabe3fb8d2a065e64df10"