PolicyKit: CVE-2018-19788: Improper handling of user with uid > INT_MAX leading to authentication bypass

[Salvatore Bonaccorso <carnil () debian org>]

Hi

In https://gitlab.freedesktop.org/polkit/polkit/issues/74 (which got
assigned CVE-2018-19788 by MITRE) it was reported that a user with uid
> INT_MAX could successfully execute any systemctl command (but the
issue is broader than that).

There is a proposed commit: 
https://gitlab.freedesktop.org/zbyszek/polkit/commit/fbaab32cb4ed9ed5f1e3eea6cd317d443aa427dc

> From fbaab32cb4ed9ed5f1e3eea6cd317d443aa427dc Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek () in waw pl>
> Date: Mon, 3 Dec 2018 12:51:26 +0100
> Subject: [PATCH] Check gid and uid initalization in PolkitUnixUser and Group
>  objects
>
> When a user or group above INT32_MAX is created, the numeric uid or
> gid wraps around to negative when the value is assigned to gint, and
> polkit gets confused. Let's refuse such uids and gids.
>
> This patch just refuses to initialize uid and gid values to negative.
> A nicer fix is to change the underlying type to e.g. gint64 to allow
> the full range of values in uid_t and gid_t to be represented. But
> this cannot be done without breaking the API, so likely new functions
> will have to be added (a polkit_unix_user_new variant that takes a
> gint64, and the same for _group_new, _set_uid, _get_uid, _set_gid,
> _get_gid, etc.). This will require a bigger patch.
>
> Fixes https://gitlab.freedesktop.org/polkit/polkit/issues/74.
>
> Example sessions from uid=4000000000:
>
> Dec 03 14:35:08 krowka polkitd[21432]: system-bus-name::1.41869 is inquiring whether system-bus-name::1.79432 is 
> authorized for org.freedesktop.systemd1.manage-units
> Dec 03 14:35:08 krowka polkitd[21432]:  user of caller is unix-user:root
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_unix_user_new: assertion 'uid >= 0' failed
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_identity_to_string: assertion 'POLKIT_IS_IDENTITY (identity)' failed
> Dec 03 14:35:08 krowka polkitd[21432]:  user of subject is (null)
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_identity_equal: assertion 'POLKIT_IS_IDENTITY (b)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: checking whether system-bus-name::1.79432 is authorized for 
> org.freedesktop.systemd1.manage-units
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_unix_user_new: assertion 'uid >= 0' failed
> Dec 03 14:35:08 krowka polkitd[21432]:
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_challenge: assertion 
> 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_details: assertion 
> 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_challenge: assertion 
> 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: polkit_authorization_result_get_is_authorized: assertion 
> 'POLKIT_IS_AUTHORIZATION_RESULT (result)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
> Dec 03 14:35:08 krowka polkitd[21432]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed

Regards,
Salvatore