[AutoPR- Security] Patch polkit for CVE-2025-7519 [MEDIUM] (#14326)

azurelinux-security · web-flow · commit fda604b09729 · 2025-07-28T13:33:38.000+05:30
diff --git a/SPECS/polkit/CVE-2025-7519.patch b/SPECS/polkit/CVE-2025-7519.patch
@@ -0,0 +1,31 @@
+From 34ccf6c4d7a71872c9a216fde20dedb318a40e9a Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <azurelinux-security@microsoft.com>
+Date: Thu, 17 Jul 2025 06:46:54 +0000
+Subject: [PATCH] Fix CVE CVE-2025-7519 in polkit
+
+Upstream Patch Reference: https://github.com/polkit-org/polkit/commit/107d3801361b9f9084f78710178e683391f1d245.patch
+---
+ src/polkitbackend/polkitbackendactionpool.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
+index 3894fe9..c9fa23e 100644
+--- a/src/polkitbackend/polkitbackendactionpool.c
++++ b/src/polkitbackend/polkitbackendactionpool.c
+@@ -672,6 +672,12 @@ _start (void *data, const char *el, const char **attr)
+   guint num_attr;
+   ParserData *pd = data;
+ 
++  if (pd->stack_depth < 0 || pd->stack_depth >= PARSER_MAX_DEPTH)
++    {
++      g_warning ("XML parsing reached max depth?");
++      goto error;
++    }
++
+   for (num_attr = 0; attr[num_attr] != NULL; num_attr++)
+     ;
+ 
+-- 
+2.45.3
+
diff --git a/SPECS/polkit/polkit.spec b/SPECS/polkit/polkit.spec
@@ -1,13 +1,14 @@
 Summary:           A toolkit for defining and handling authorizations.
 Name:              polkit
 Version:           0.119
-Release:           3%{?dist}
+Release:           4%{?dist}
 Group:             Applications/System
 Vendor:            Microsoft Corporation
 License:           GPLv2+
 URL:               https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
 Source0:           https://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz
 Patch0:            CVE-2021-4034.patch
+Patch1:            CVE-2025-7519.patch
 Distribution:      Mariner
 BuildRequires:     autoconf
 BuildRequires:     expat-devel
@@ -111,6 +112,9 @@ fi
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+*   Thu Jul 17 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.119-4
+-   Patch for CVE-2025-7519
+
 *   Thu Mar 17 2022 Andrew Phelps <anphel@microsoft.com> - 0.119-3
 -   Disable documentation
 
