[AutoPR- Security] Patch polkit for CVE-2026-4897 [MEDIUM] (#16435)

azurelinux-security · web-flow · commit 224de6fa3973 · 2026-04-08T10:59:51.000+05:30
diff --git a/SPECS/polkit/CVE-2026-4897.patch b/SPECS/polkit/CVE-2026-4897.patch
@@ -0,0 +1,65 @@
+From 9aa712d586604fcb8f2d5abbffd9030c147525ed Mon Sep 17 00:00:00 2001
+From: Jan Rybar <jrybar@redhat.com>
+Date: Fri, 27 Mar 2026 15:57:01 +0100
+Subject: [PATCH] CVE-2026-4897 - getline() string overflow
+
+Report and fix by Aisle.com
+Pavel Kohout, Aisle Research
+
+Signed-off-by: Jan Rybar jrybar@redhat.com
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/polkit-org/polkit/commit/7e122c8a5120c2aae2d9d44a26796dc18f5b677c.patch
+---
+ src/polkitagent/polkitagenthelperprivate.c | 23 +++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/polkitagenthelperprivate.c
+index 1f32c0a..63333f6 100644
+--- a/src/polkitagent/polkitagenthelperprivate.c
++++ b/src/polkitagent/polkitagenthelperprivate.c
+@@ -25,6 +25,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <errno.h>
+ #include <unistd.h>
+ 
+ #ifndef HAVE_CLEARENV
+@@ -60,21 +61,25 @@ read_cookie (int argc, char **argv)
+     return strdup (argv[2]);
+   else
+     {
+-      char *ret = NULL;
+-      size_t n = 0;
+-      ssize_t r = getline (&ret, &n, stdin);
+-      if (r == -1)
++      #define POLKIT_AGENT_MAX_COOKIE 4096
++      char buf[POLKIT_AGENT_MAX_COOKIE + 2]; /* +1 for newline, +1 for NUL */
++      if (fgets (buf, sizeof(buf), stdin) == NULL)
+         {
+           if (!feof (stdin))
+-            perror ("getline");
+-          free (ret);
++            perror ("fgets");
+           return NULL;
+         }
+-      else
++      if (buf[strlen (buf) - 1] != '\n')
+         {
+-          g_strchomp (ret);
+-          return ret;
++          /* Cookie too long - drain remaining input and reject */
++          int c;
++          while ((c = getchar ()) != '\n' && c != EOF)
++            ;
++          errno = EOVERFLOW;
++          return NULL;
+         }
++      g_strchomp (buf);
++      return strdup (buf);
+     }
+ }
+ 
+-- 
+2.45.4
+
diff --git a/SPECS/polkit/polkit.spec b/SPECS/polkit/polkit.spec
@@ -1,13 +1,14 @@
 Summary:           A toolkit for defining and handling authorizations.
 Name:              polkit
 Version:           123
-Release:           3%{?dist}
+Release:           4%{?dist}
 Group:             Applications/System
 Vendor:            Microsoft Corporation
 License:           GPLv2+
 URL:               https://gitlab.freedesktop.org/polkit/polkit
 Source0:           https://gitlab.freedesktop.org/polkit/polkit/-/archive/%{version}/polkit-%{version}.tar.gz
 Patch0:            CVE-2025-7519.patch
+Patch1:            CVE-2026-4897.patch
 Distribution:   Azure Linux
 BuildRequires:     duktape-devel
 BuildRequires:     expat-devel
@@ -124,6 +125,9 @@ fi
 
 
 %changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 123-4
+- Patch for CVE-2026-4897
+
 * Thu Jul 17 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 123-3
 - Patch for CVE-2025-7519
 
