#1 2021-06-19 22:20:02

badbytes
Member
Registered: 2011-05-23
Posts: 7

polkit security patch on older glib2

I'm trying to patch the security hole in polkit < 0.119 without upgrading the systems (or at least minimally).

Polkit depends on a few newer versioned packages, with gobject-introspection 1.68.0-1, requiring glib2=2.68.0 (virtual) (make)

My environment has diverse OS versions/dates of install of Arch, and were intentionally frozen for stability, and due to the fact that a lot of custom software is built against those systems.

I tried pulling and building a few dependencies, but I fear I will play whack-a-mole and don't know how to deal with glib2.

Thanks for any suggestions.
BB

Offline

#2 2021-06-19 22:23:33

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: polkit security patch on older glib2


No, it didn't "fix" anything. It just shifted the brokenness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles

Offline

#3 2021-06-19 22:31:53

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: polkit security patch on older glib2

badbytes wrote:

and were intentionally frozen for stability...

Thanks for any suggestions.

Install Debian.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#4 2021-06-20 03:22:35

badbytes
Member
Registered: 2011-05-23
Posts: 7

Re: polkit security patch on older glib2

Slithery wrote:

Given the severity of the exploit, just thought I would see if it was done by someone and could save me the time of digging deep.
Thx

Offline

#5 2021-06-20 03:25:56

badbytes
Member
Registered: 2011-05-23
Posts: 7

Re: polkit security patch on older glib2

jasonwryan wrote:
badbytes wrote:

and were intentionally frozen for stability...

Thanks for any suggestions.

Install Debian.


Ouch. No thank you. I find Arch stable enough. Just every 10 yrs or so, when an exploit like this comes out, I don't really salivate at rebuilding production and breaking user space.

Offline

#6 2021-06-20 08:54:32

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,407
Website

Re: polkit security patch on older glib2

So, is there anything saying polkit 0.119 needs gobject-introspection 1.68 to build? Polkit itself has no versioned dependencies.


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby

Offline

#7 2021-06-20 15:58:27

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: polkit security patch on older glib2

badbytes wrote:

I'm trying to patch the security hole in polkit < 0.119 without upgrading the systems (or at least minimally).

Polkit depends on a few newer versioned packages, with gobject-introspection 1.68.0-1, requiring glib2=2.68.0 (virtual) (make)

The actual polkit software requires gobject-introspection>=0.6.2 and glib2>=2.30.0

The Arch packaging doesn't attempt any further restrictions.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#8 2021-06-21 01:59:31

badbytes
Member
Registered: 2011-05-23
Posts: 7

Re: polkit security patch on older glib2

Alad wrote:

So, is there anything saying polkit 0.119 needs gobject-introspection 1.68 to build? Polkit itself has no versioned dependencies.

Thanks eschwartz for the question.
You are correct, the package in the Arch repo doesn't have any version requirements, either in the package or the PKGFILE, but if you don't pacman -Syu (as a forum member above pointed out), the GNOME login manager breaks due to the glib2 version.

Linux from scratch regarding polkit shows...

Polkit Dependencies
Required
GLib-2.68.3 and js78-78.11.0
Optional (Required if building GNOME)
gobject-introspection-1.68.0

Building from the git source repo, I get an autogen.sh error
...
checking security/pam_ext.h presence... yes
checking for security/pam_ext.h... yes
checking for pam_vsyslog in -lpam... yes
./configure: line 16718: syntax error near unexpected token `0.6.2'
./configure: line 16718: `GOBJECT_INTROSPECTION_CHECK(0.6.2)'

I read somewhere that I needed gobject-introspection-runtime, but I'm still not able to configure with gobject-introspection-runtime-1.68.0-1

Just to reiterate, trying to patch polkit bug, without pacman -Syu.

Offline

#9 2021-06-21 02:07:58

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: polkit security patch on older glib2

What does Linux from scratch have to do with anything?

Did you try checking out the current PKGBUILD for polkit and building it on your system?
Note, you need "gobject-introspection", not "gobject-introspection-runtime", so you read wrongly.

If you're building the package yourself, it should not be incompatible with the versions of software on your system.

Or you could remove polkit entirely. :P


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#10 2021-06-21 02:23:01

badbytes
Member
Registered: 2011-05-23
Posts: 7

Re: polkit security patch on older glib2

eschwartz wrote:

What does Linux from scratch have to do with anything?

Did you try checking out the current PKGBUILD for polkit and building it on your system?
Note, you need "gobject-introspection", not "gobject-introspection-runtime", so you read wrongly.

If you're building the package yourself, it should not be incompatible with the versions of software on your system.

Or you could remove polkit entirely. :P

My initial attempt was from https://gitlab.freedesktop.org/polkit/polkit.git which bails configuring. In tracking the error, I had read on another forum that gobject runtime was required. Just added what I've attempted for completeness.

However, following Alad's comment, I found the software outside of the Arch PKGFILE source, in https://www.freedesktop.org/software/polkit/releases/ which seems to build fine. I'll try and build a package and test tomorrow. Thanks for the input.

Offline

#11 2021-06-21 02:25:31

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: polkit security patch on older glib2

gobject-introspection is the development files. The tarball you're looking at has pregenerated configure scripts, and thus does not need autogen.sh, nor for /usr/share/aclocal/introspection.m4 to be installed.

So yes, that's another option.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline
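
Added example, not part of any post in this thread: a small shell check for the two situations discussed above, a git checkout whose generated configure still contains the literal GOBJECT_INTROSPECTION_CHECK call (the error in #8) versus a release tarball with a pregenerated configure (#11). The function names and result labels are hypothetical; the macro name and /usr/share/aclocal/introspection.m4 come from the posts, and the sample trees are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and result labels are
# hypothetical; the macro name and the aclocal path come from the posts above.

# classify_tree SRC_DIR [ACLOCAL_DIR] -> prints one label:
#   pregenerated        configure exists, macro was expanded (release tarball)
#   unexpanded-macro    configure exists but still holds the literal macro call
#   autogen-ready       no configure yet, introspection.m4 is installed
#   autogen-missing-m4  no configure yet, introspection.m4 is absent
classify_tree() {
    src=$1
    aclocal_dir=${2:-/usr/share/aclocal}
    if [ -f "$src/configure" ]; then
        # Without introspection.m4 the macro has no definition, so autoconf
        # leaves the call as plain text and the shell reports a syntax error.
        if grep -Eq '^[[:space:]]*GOBJECT_INTROSPECTION_CHECK\(' "$src/configure"; then
            echo unexpanded-macro
        else
            echo pregenerated
        fi
    elif [ -f "$aclocal_dir/introspection.m4" ]; then
        echo autogen-ready
    else
        echo autogen-missing-m4
    fi
}

# make_samples DIR: build constructed source trees covering each case.
make_samples() {
    d=$1
    mkdir -p "$d/tarball" "$d/gitbad" "$d/gitfresh" "$d/aclocal" "$d/empty"
    printf '%s\n' '#!/bin/sh' 'echo "checking for introspection... yes"' \
        > "$d/tarball/configure"
    printf '%s\n' '#!/bin/sh' 'GOBJECT_INTROSPECTION_CHECK(0.6.2)' \
        > "$d/gitbad/configure"
    : > "$d/gitfresh/configure.ac"
    : > "$d/aclocal/introspection.m4"
}

# Demo on the constructed trees; point classify_tree at a real checkout instead.
tmp=$(mktemp -d)
make_samples "$tmp"
for t in tarball gitbad gitfresh; do
    printf '%s: %s\n' "$t" "$(classify_tree "$tmp/$t" "$tmp/aclocal")"
done
rm -rf "$tmp"
```

An `unexpanded-macro` result means the configure script should be deleted and regenerated after installing gobject-introspection, or the release tarball used instead.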
