CVE-2021-4034 (polkit) & CVE-2021-45469 (kernel)

[travier]

CVE-2021-45469 kernel: out-of-bounds memory access in __f2fs_setxattr() in fs/f2fs/xattr.c when an inode has an invalid last xattr entry

See:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45469
• https://nvd.nist.gov/vuln/detail/CVE-2021-45469
• https://bugzilla.redhat.com/show_bug.cgi?id=2035817

CVE-2021-4034: pwnkit: Local Privilege Escalation in polkit's pkexec

Describe the bug

Link to the advisory: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt RHSA: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001 Upstream fix: https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Not fixed in Fedora yet: https://src.fedoraproject.org/rpms/polkit

Mitigation

Potential mitigation until a package update is released in Fedora:

• Warning: Removing polkit & polkit-pkla-compat from FCOS breaks Zincati & rpm-ostree.
• Mitigation from the linked advisory (will break Zincati deadend logic, but auto-updates will keep working):

  # rpm-ostree usroverlay       <-- Makes /usr writable again
  # chmod 0755 /usr/bin/pkexec  <-- Removes SUID bit from pkexec

• Run everything in containers (!)
• To be confirmed: Run unprivileged users under the user_u SELinux user

[travier]

Made: https://src.fedoraproject.org/rpms/polkit/pull-request/4

[jlebon]

Made: src.fedoraproject.org/rpms/polkit/pull-request/4

To clarify, AFAICT this patch is already applied on f34 and f35, and this PR is also adding it on rawhide (not sure why it wasn't done there before and then propagated down).

f35 build with patch is already in bodhi and being pushed to stable: https://bodhi.fedoraproject.org/updates/FEDORA-2022-da040e6b94

We were going to do an ad-hoc release soon anyway to unpin the kernel, so we can bundle this too.

[jlebon]

Fast-tracks: https://github.com/coreos/fedora-coreos-config/pull/1446 https://github.com/coreos/fedora-coreos-config/pull/1447

[travier]

To clarify, AFAICT this patch is already applied on f34 and f35, and this PR is also adding it on rawhide (not sure why it wasn't done there before and then propagated down).

Oh, indeed. I was wondering why this had not been done yet. This makes sense now.

[dustymabe]

Fixed by:

• https://github.com/coreos/fedora-coreos-config/pull/1446
• https://github.com/coreos/fedora-coreos-config/pull/1447
• https://github.com/coreos/fedora-coreos-config/pull/1456
• https://github.com/coreos/fedora-coreos-config/pull/1457

[dustymabe]

The fix for this went into next stream release 35.20220116.1.1. Please try out the new release and report issues.

[dustymabe]

The fix for this went into testing stream release 35.20220116.2.1. Please try out the new release and report issues.

[dustymabe]

The fix for this went into stable stream release 35.20220116.3.0.