Hi,

For those still running CentOS 6 somewhere, the patch below can be added to the source RPM.

Verified to fix the issue on CentOS 6.10 x86_64 with this exploit:

https://packetstormsecurity.com/files/165728/Polkit-pkexec-CVE-2021-4034-Proof-Of-Concept.html

Regards, Simon

PS: Sure, I know nobody is really running old EL6 anymore :-)

diff -Naupr polkit-0.96.patched/src/programs/pkcheck.c polkit-0.96/src/programs/pkcheck.c
— polkit-0.96.patched/src/programs/pkcheck.c 2022-01-26
17:03:29.059789167 +0100
+++ polkit-0.96/src/programs/pkcheck.c 2022-01-26 17:04:34.051159050 +0100
@@ -96,6 +96,11 @@ main (int argc, char *argv[])
allow_user_interaction = FALSE;
ret = 126;

+ if (argc < 1) + { + exit(126); + } + g_type_init (); details = polkit_details_new (); diff -Naupr polkit-0.96.patched/src/programs/pkexec.c polkit-0.96/src/programs/pkexec.c — polkit-0.96.patched/src/programs/pkexec.c 2022-01-26 17:03:29.046789093 +0100 +++ polkit-0.96/src/programs/pkexec.c 2022-01-26 17:04:34.056159079 +0100 @@ -415,6 +415,14 @@ main (int argc, char *argv[]) gchar *opt_user; pid_t pid_of_caller; + /* + * If ‘pkexec’ is called THIS wrong, someone’s probably evil-doing. Don’t be nice, just bail out. + */ + if (argc < 1) + { + exit(127); + } + ret = 127; authority = NULL; subject = NULL; @@ -520,7 +528,15 @@ main (int argc, char *argv[]) goto out; } g_free (path); - argv[n] = path = s; + path = s; + + /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. + * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination + */ + if (argv[n] != NULL) + { + argv[n] = path; + } } if (access (path, F_OK) != 0) {