:: [devuan-dev] [PATCHES] Update of po…
Top Pagina
Delete this message
Reply to this message
Auteur: Svante Signell
Datum:  
Aan: devuan developers internal list
Onderwerp: [devuan-dev] [PATCHES] Update of policykit from 0.105-9+devuan1 to 0.105-18+devuan2.1 for ASCII
Hi,

Attached are patches to upgrade policykit-1 to the Debian version in stretch (of
course Devuanised). It is built in a separate branch from master, and the
debian-branch=suites/ascii-proposed in gbp.conf.

Note that the patch 0001-Merge_remote-tracking-branch.patch is created with git
diff after merging the two Devuan and Debian git repos. I did not succeed to
create a usable patch with git format-patch. The other patches are created with
git format-patch though.

Please test as much as possible until building for ASCII.

Thanks!From 17a753307ffcaa677f37723904637fed48ef14c4 Mon Sep 17 00:00:00 2001
From: Svante Signell <svante.signell@???>
Date: Tue, 19 Dec 2017 19:16:59 +0100
Subject: [PATCH 1/2] Change debian-branch to suites/ascii-proposed

---
debian/gbp.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/gbp.conf b/debian/gbp.conf
index c31be83..0a4a2f3 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,3 +1,3 @@
[DEFAULT]
pristine-tar = True
-debian-branch = master
+debian-branch = suites/experimental
--
2.11.0


From 76be48d84d8e7477f913cf876bd9fa3f25c00ca5 Mon Sep 17 00:00:00 2001
From: Svante Signell <svante.signell@???>
Date: Tue, 19 Dec 2017 19:24:42 +0100
Subject: [PATCH 2/2] Really change branch in gbp.conf

---
debian/gbp.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/gbp.conf b/debian/gbp.conf
index 0a4a2f3..67441ec 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,3 +1,3 @@
[DEFAULT]
pristine-tar = True
-debian-branch = suites/experimental
+debian-branch = suites/ascii-proposed
--
2.11.0

From ec6614691ed06ac68641952c40157d3d94c6f7c6 Mon Sep 17 00:00:00 2001
From: Svante Signell <svante.signell@???>
Date: Tue, 19 Dec 2017 10:55:51 +0100
Subject: [PATCH 1/4] Fix typo in Build-Depends

---
debian/control | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index 9d36c86..7404ba1 100644
--- a/debian/control
+++ b/debian/control
@@ -17,7 +17,7 @@ Build-Depends:
libgirepository1.0-dev (>= 0.9.12),
libglib2.0-dev (>= 2.28.0),
libglib2.0-doc,
- libgtk-3-doc
+ libgtk-3-doc,
libpam0g-dev,
libselinux1-dev [linux-any],
pkg-config,
--
2.11.0

From: Svante Signell <svante.signell@???>
Date: Tue, 19 Dec 2017 10:42:33 +0100
Subject: [PATCH 01/01] Merge remote-tracking branch 'policykit-1.debian/master' into suites/ascii-proposed

diff --git a/debian/changelog b/debian/changelog
index 0e89100..9e6f4a7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,17 +1,184 @@
+policykit-1 (0.105-18+devuan2) unstable; urgency=medium
+
+  * Merge Devuan repo 0.105-9 to Debian 0.105-18
+
+ -- Svante Signell  <svante.signell@???>  Mon, 18 Dec 2017 14:26:36 +0100
+
+policykit-1 (0.105-18) unstable; urgency=medium
+
+  * Team upload.
+  * master/Add-gettext-support-for-.policy-files.patch: Backport from master:
+    Add .loc and .its files so that gettext can be used to translate policy
+    files. Some upstreams, particularly those that are switching to meson,
+    expect these files to be present so that their PK policy files can be
+    translated. (Closes: #863207)
+
+ -- Iain Lane <laney@???>  Wed, 24 May 2017 11:21:35 +0100
+
+policykit-1 (0.105-17) unstable; urgency=medium
+
+  [ Michael Biebl ]
+  * Use https:// for the upstream homepage.
+  * Update Vcs-Browser to use cgit.
+  * Rename the systemd service unit to polkit.service. It is now based on what
+    was added upstream in 0.106.
+
+  [ Simon McVittie ]
+  * Build-depend on intltool instead of relying on gtk-doc-tools'
+    dependency (Closes: #837846)
+
+  [ Martin Pitt ]
+  * Use PAM's common-session-noninteractive modules for pkexec instead of
+    common-session. The latter also runs pam_systemd (the only difference
+    normally) which is a no-op under the classic session-centric
+    D-BUS/graphical login model (as it won't start a new one if it is already
+    running within a logind session), but very expensive when using
+    dbus-user-session and being called from a service that runs outside the
+    PAM session. This causes long delays in e. g. gnome-settings-daemon's
+    backlight helpers. (LP: #1626651)
+
+ -- Michael Biebl <biebl@???>  Fri, 21 Oct 2016 15:44:57 +0200
+
+policykit-1 (0.105-16) unstable; urgency=medium
+
+  [ Michael Biebl ]
+  * Drop obsolete Breaks from pre-wheezy.
+  * Use gir addon instead of calling dh_girepository manually.
+  * Run wrap-and-sort -ast.
+  * Drop explicit Build-Depends on gir1.2-glib-2.0. This dependency is already
+    pulled in via libgirepository1.0-dev.
+
+  [ Martin Pitt ]
+  * Add fallback if agent is not running in a logind session. This fixes
+    polkit with dbus-user-session. Thanks Sebastien Bacher for the patch!
+  * Bump Standards-Version to 3.9.8 (no changes necessary).
+
+ -- Martin Pitt <mpitt@???>  Mon, 25 Jul 2016 14:32:23 +0200
+
+policykit-1 (0.105-15) unstable; urgency=medium
+
+  * Generate tight inter-package dependencies.
+    This ensures that everything from the same source package is upgraded in
+    lockstep. (Closes: #817998)
+
+ -- Michael Biebl <biebl@???>  Thu, 14 Apr 2016 13:57:13 +0200
+
+policykit-1 (0.105-14.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix FTBFS on non-linux/non-systemd. (Closes: #798769)
+
+ -- Adam Borowski <kilobyte@???>  Thu, 14 Jan 2016 06:28:38 +0100
+
+policykit-1 (0.105-14) unstable; urgency=medium
+
+  * debian/policykit-1.preinst: Use systemctl unmask instead of direct symlink
+    removal for consistency.
+  * Fix handling of multi-line helper output. Thanks Dariusz Gadomski! Patch
+    backported from upstream master. (LP: #1510824)
+
+ -- Martin Pitt <mpitt@???>  Mon, 23 Nov 2015 11:38:00 +0100
+
+policykit-1 (0.105-13) unstable; urgency=medium
+
+  * debian/policykit-1.{pre,pos}inst: Temporarily mask polkitd.service while
+    policykit-1 is unpackaged but not yet configured. During that time we
+    don't yet have our D-Bus policy in /etc so that polkitd cannot work yet.
+    This can be dropped once the D-Bus policy moves to /usr.
+    (Closes: #794723, LP: #1447654)
+
+ -- Martin Pitt <mpitt@???>  Wed, 21 Oct 2015 08:11:22 +0200
+
+policykit-1 (0.105-12) unstable; urgency=medium
+
+  * Team upload
+  * Replace 03_complete_session.patch with a change from upstream
+    which seems like a more correct solution for LP#445303, LP#649939
+  * 05_revert-admin-identities-unix-group-wheel.patch: remove confusing
+    staff -> desktop_admin_r change in a man page (desktop_admin_r looks
+    vaguely like a SELinux role but is actually being used as a group);
+    keep only the actual functional change. This matches the syntactically
+    different but functionally similar change in experimental.
+  * 09_pam_environment.patch: replace with the version that went upstream.
+  * Annotate remaining patches with a bit more information.
+    They are:
+    - 00git_fix_memleak.patch, 00git_invalid_object_paths.patch,
+      00git_type_registration.patch, 04_get_cwd.patch,
+      07_set-XAUTHORITY-environment-variable-if-unset.patch,
+      08_deprecate_racy_APIs.patch, 09_pam_environment.patch,
+      cve-2013-4288.patch: either backports from upstream, or already
+      applied upstream, and not discussed further here.
+    - 01_pam_polkit.patch: use Debian's common-* infrastructure,
+      plus pam_env to get the global environment and locale.
+      Debian-specific.
+    - 02_gettext.patch: Use gettext to translate .policy files at
+      runtime, allowing for Ubuntu-style language packs.
+      Debian-specific (mainly for Ubuntu's benefit, really).
+    - 05_revert-admin-identities-unix-group-wheel.patch: Debian does
+      not use the "wheel" group like Red Hat derivatives do;
+      treat uid 0 as the administrative identity instead.
+      Debian-specific.
+    - 06_systemd-service.patch: hook up the systemd service in
+      debian/polkitd.service.
+      Not forwarded: obsoleted by an upstream change in 0.106,
+      commit 2995085.
+  * Re-order patch series to put upstream changes first, sorted by version
+    in which they went upstream, and put them in subdirectories by version
+  * Add patches from 0.113 to fix heap corruption CVE-2015-3255
+    (Closes: #766860) and local authenticated denial of service
+    CVE-2015-4625 (Closes: #796134)
+  * Add numerous other bug-fix patches from 0.113
+    - work around bugs in older versions of libpam-systemd when using
+      su or similar (Closes: #772125)
+    - treat background processes as part of the same uid's active GUI
+      session if they have one (Closes: #779988)
+    - fix some memory leaks (Closes: #775158, LP: #1417637)
+  * Add backported public API polkit_system_bus_name_get_user_sync() to
+    symbols file
+  * Fix FTBFS with dpkg-buildpackage -A by only installing files into
+    policykit-1 in per-arch builds
+  * Run tests with a session bus pretending to be the system bus,
+    so they can pass in a buildd environment
+
+ -- Simon McVittie <smcv@???>  Fri, 11 Sep 2015 09:48:00 +0100
+
+policykit-1 (0.105-11) unstable; urgency=medium
+
+  * Add 00git_invalid_object_paths.patch: backend: Handle invalid object paths
+    in RegisterAuthenticationAgent (CVE-2015-3218, Closes: #787932)
+  * policykit-1.postinst: Reload systemd before restarting polkitd.service, to
+    avoid "Warning: polkitd.service changed on disk". (Closes: #791397)
+
+ -- Martin Pitt <mpitt@???>  Fri, 10 Jul 2015 13:03:33 +0200
+
+policykit-1 (0.105-10) unstable; urgency=medium
+
+  * Add 00git_type_registration.patch: Use GOnce for interface type
+    registration. Fixes frequent udisks segfault (LP: #1236510).
+  * Add 00git_fix_memleak.patch: Fix memory leak in EnumerateActions call
+    results handler. (LP: #1417637)
+
+ -- Martin Pitt <mpitt@???>  Wed, 08 Jul 2015 12:15:41 +0200
+
 policykit-1 (0.105-9+devuan1) unstable; urgency=medium


* rebuild the repo structure importing debian package repo
* Added devuan.patch from Svante Signell
-
+
-- Franco (nextime) Lanza <nextime@???> Wed, 06 May 2015 05:16:36 +0200

policykit-1 (0.105-9) unstable; urgency=medium

+  [ Martin Pitt ]
   * policykit-1.postinst: Don't kill polkitd under systemd, but properly
     restart it. This avoids killing it shortly after systemd tries to
     bus-activate it on installation. (LP: #1447654)


- -- Martin Pitt <mpitt@???>  Fri, 24 Apr 2015 16:51:47 +0100
+  [ Michael Biebl ]
+  * Build against libsystemd instead of the old libsystemd-login compat
+    library. (Closes: #779756)
+
+ -- Michael Biebl <biebl@???>  Wed, 08 Jul 2015 02:10:58 +0200


policykit-1 (0.105-8+devuan2) unstable; urgency=medium

@@ -571,4 +738,4 @@ policykit (0.5-1) experimental; urgency=low

* Initial release. (Closes: #397087)

- -- Michael Biebl <biebl@???> Tue, 02 Oct 2007 22:38:04 +0200
\ No newline at end of file
+ -- Michael Biebl <biebl@???> Tue, 02 Oct 2007 22:38:04 +0200
diff --git a/debian/control b/debian/control
index 070a6c8..9d36c86 100644
--- a/debian/control
+++ b/debian/control
@@ -2,31 +2,41 @@ Source: policykit-1
Section: admin
Priority: optional
Maintainer: Dimitri Puzin <max@???>
-Uploaders: Dima Krasner <dima@???>, Franco (nextime) Lanza <nextime@???>, Svante Signell <svante.signell@???>
-Build-Depends: debhelper (>= 9),
+Uploaders:
+ Dima Krasner <dima@???>,
+ Franco (nextime) Lanza <nextime@???>,
+ Svante Signell <svante.signell@???>
+Build-Depends:
+ dbus,
+ debhelper (>= 9),
dh-autoreconf,
- pkg-config,
- libglib2.0-dev (>= 2.28.0),
- libexpat1-dev,
- libpam0g-dev,
- libselinux1-dev [linux-any],
+ gobject-introspection (>= 0.9.12-4~),
gtk-doc-tools,
- xsltproc,
+ intltool (>= 0.40.0),
+ libexpat1-dev,
libgirepository1.0-dev (>= 0.9.12),
- gobject-introspection (>= 0.9.12-4~),
- gir1.2-glib-2.0,
+ libglib2.0-dev (>= 2.28.0),
libglib2.0-doc,
libgtk-3-doc
-Standards-Version: 3.9.6
+ libpam0g-dev,
+ libselinux1-dev [linux-any],
+ pkg-config,
+ xsltproc,
+Standards-Version: 3.9.8
Vcs-Git: https://git.devuan.org/packages-base/policykit-1.git
Vcs-Browser: https://git.devuan.org/packages-base/policykit-1/
Homepage: http://www.freedesktop.org/wiki/Software/polkit/

Package: policykit-1
Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, consolekit, dbus
+Depends:
+ consolekit [!linux-any],
+ dbus,
+ ${misc:Depends},
+ ${shlibs:Depends},
Multi-Arch: foreign
-Breaks: gdm3 (<< 3.8.4-7~)
+Breaks:
+ gdm3 (<< 3.8.4-7~),
Description: framework for managing administrative policies and privileges
PolicyKit is an application-level toolkit for defining and handling the policy
that allows unprivileged processes to speak to privileged processes.
@@ -38,8 +48,10 @@ Description: framework for managing administrative policies and privileges
Package: policykit-1-doc
Architecture: all
Section: doc
-Depends: ${misc:Depends}
-Suggests: devhelp
+Depends:
+ ${misc:Depends},
+Suggests:
+ devhelp,
Description: documentation for PolicyKit-1
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
@@ -49,10 +61,12 @@ Description: documentation for PolicyKit-1
Package: libpolkit-gobject-1-0
Architecture: any
Section: libs
-Pre-Depends: ${misc:Pre-Depends}
-Depends: ${shlibs:Depends}, ${misc:Depends}
+Pre-Depends:
+ ${misc:Pre-Depends},
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
Multi-Arch: same
-Breaks: policykit-1 (<< 0.99), libpolkit-gtk-1-0 (<< 0.99), libpolkit-agent-1-0 (<< 0.99), libpolkit-backend-1-0 (<< 0.99)
Description: PolicyKit Authorization API
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
@@ -62,7 +76,11 @@ Description: PolicyKit Authorization API
Package: libpolkit-gobject-1-dev
Architecture: any
Section: libdevel
-Depends: libpolkit-gobject-1-0 (= ${binary:Version}), ${misc:Depends}, libglib2.0-dev, gir1.2-polkit-1.0 (= ${binary:Version})
+Depends:
+ gir1.2-polkit-1.0 (= ${binary:Version}),
+ libglib2.0-dev,
+ libpolkit-gobject-1-0 (= ${binary:Version}),
+ ${misc:Depends},
Description: PolicyKit Authorization API - development files
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
@@ -73,8 +91,11 @@ Description: PolicyKit Authorization API - development files
Package: libpolkit-agent-1-0
Architecture: any
Section: libs
-Pre-Depends: ${misc:Pre-Depends}
-Depends: ${shlibs:Depends}, ${misc:Depends}
+Pre-Depends:
+ ${misc:Pre-Depends},
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
Multi-Arch: same
Description: PolicyKit Authentication Agent API
PolicyKit is a toolkit for defining and handling the policy that
@@ -85,7 +106,11 @@ Description: PolicyKit Authentication Agent API
Package: libpolkit-agent-1-dev
Architecture: any
Section: libdevel
-Depends: libpolkit-agent-1-0 (= ${binary:Version}), ${misc:Depends}, libpolkit-gobject-1-dev, gir1.2-polkit-1.0 (= ${binary:Version})
+Depends:
+ gir1.2-polkit-1.0 (= ${binary:Version}),
+ libpolkit-agent-1-0 (= ${binary:Version}),
+ libpolkit-gobject-1-dev,
+ ${misc:Depends},
Description: PolicyKit Authentication Agent API - development files
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
@@ -96,10 +121,12 @@ Description: PolicyKit Authentication Agent API - development files
Package: libpolkit-backend-1-0
Architecture: any
Section: libs
-Pre-Depends: ${misc:Pre-Depends}
-Depends: ${shlibs:Depends}, ${misc:Depends}
+Pre-Depends:
+ ${misc:Pre-Depends},
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
Multi-Arch: same
-Breaks: policykit-1 (<< 0.99)
Description: PolicyKit backend API
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
@@ -109,7 +136,10 @@ Description: PolicyKit backend API
Package: libpolkit-backend-1-dev
Architecture: any
Section: libdevel
-Depends: libpolkit-backend-1-0 (= ${binary:Version}), ${misc:Depends}, libpolkit-gobject-1-dev
+Depends:
+ libpolkit-backend-1-0 (= ${binary:Version}),
+ libpolkit-gobject-1-dev,
+ ${misc:Depends},
Description: PolicyKit backend API - development files
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
@@ -120,7 +150,10 @@ Description: PolicyKit backend API - development files
Package: gir1.2-polkit-1.0
Section: introspection
Architecture: any
-Depends: ${gir:Depends}, ${shlibs:Depends}, ${misc:Depends}
+Depends:
+ ${gir:Depends},
+ ${misc:Depends},
+ ${shlibs:Depends},
Description: GObject introspection data for PolicyKit
PolicyKit is a toolkit for defining and handling the policy that
allows unprivileged processes to speak to privileged processes.
diff --git a/debian/copyright b/debian/copyright
index 36fc382..b73d5e5 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,6 +1,6 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: polkit
-Source: http://www.freedesktop.org/software/polkit/releases/
+Source: https://www.freedesktop.org/software/polkit/releases/

Files: *
Copyright: 2008-2011 Red Hat, Inc.
diff --git a/debian/libpolkit-agent-1-dev.install b/debian/libpolkit-agent-1-dev.install
index c9ce64b..e3ec355 100644
--- a/debian/libpolkit-agent-1-dev.install
+++ b/debian/libpolkit-agent-1-dev.install
@@ -1,5 +1,5 @@
-usr/lib/*/libpolkit-agent*.so
+usr/include/polkit-1/polkitagent/
usr/lib/*/libpolkit-agent*.a
+usr/lib/*/libpolkit-agent*.so
usr/lib/*/pkgconfig/polkit-agent*.pc
-usr/include/polkit-1/polkitagent/
usr/share/gir-1.0/PolkitAgent-1.0.gir
diff --git a/debian/libpolkit-backend-1-dev.install b/debian/libpolkit-backend-1-dev.install
index 4983597..f93f6c4 100644
--- a/debian/libpolkit-backend-1-dev.install
+++ b/debian/libpolkit-backend-1-dev.install
@@ -1,4 +1,4 @@
-usr/lib/*/libpolkit-backend*.so
+usr/include/polkit-1/polkitbackend/
usr/lib/*/libpolkit-backend*.a
+usr/lib/*/libpolkit-backend*.so
usr/lib/*/pkgconfig/polkit-backend*.pc
-usr/include/polkit-1/polkitbackend/
diff --git a/debian/libpolkit-gobject-1-0.symbols b/debian/libpolkit-gobject-1-0.symbols
index 9531612..c9286c7 100644
--- a/debian/libpolkit-gobject-1-0.symbols
+++ b/debian/libpolkit-gobject-1-0.symbols
@@ -100,6 +100,7 @@ libpolkit-gobject-1.so.0 libpolkit-gobject-1-0 #MINVER#
polkit_system_bus_name_get_name@Base 0.94
polkit_system_bus_name_get_process_sync@Base 0.95
polkit_system_bus_name_get_type@Base 0.94
+ polkit_system_bus_name_get_user_sync@Base 0.105-12~
polkit_system_bus_name_new@Base 0.94
polkit_system_bus_name_set_name@Base 0.94
polkit_temporary_authorization_get_action_id@Base 0.94
diff --git a/debian/libpolkit-gobject-1-dev.install b/debian/libpolkit-gobject-1-dev.install
index 0d9fcfe..e571609 100644
--- a/debian/libpolkit-gobject-1-dev.install
+++ b/debian/libpolkit-gobject-1-dev.install
@@ -1,5 +1,5 @@
-usr/lib/*/libpolkit-gobject*.so
+usr/include/polkit-1/polkit/
usr/lib/*/libpolkit-gobject*.a
+usr/lib/*/libpolkit-gobject*.so
usr/lib/*/pkgconfig/polkit-gobject*.pc
-usr/include/polkit-1/polkit/
usr/share/gir-1.0/Polkit-1.0.gir
diff --git a/debian/patches/04_get_cwd.patch b/debian/patches/0.110/04_get_cwd.patch
similarity index 56%
rename from debian/patches/04_get_cwd.patch
rename to debian/patches/0.110/04_get_cwd.patch
index 3634137..acaa68d 100644
--- a/debian/patches/04_get_cwd.patch
+++ b/debian/patches/0.110/04_get_cwd.patch
@@ -1,17 +1,17 @@
-From cd184d77f57d45ffce34f0210bbff72f6fd3116f Mon Sep 17 00:00:00 2001
From: Emilio Pozuelo Monfort <pochu27@???>
Date: Sat, 26 Mar 2011 07:28:14 +0000
-Subject: [PATCH] Fix build on GNU Hurd
+Subject: Fix build on GNU Hurd

-https://bugs.freedesktop.org/show_bug.cgi?id=35685
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=35685
+Applied-upstream: 0.110, commit:d6de13e12379826af8ca9355a32da48707b9831f
 ---
- src/programs/pkexec.c |    5 +++--
- 1 files changed, 3 insertions(+), 2 deletions(-)
+ src/programs/pkexec.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)


-Index: policykit-1/src/programs/pkexec.c
-===================================================================
---- policykit-1.orig/src/programs/pkexec.c    2011-08-02 03:16:07.070394919 +0200
-+++ policykit-1/src/programs/pkexec.c    2011-08-02 03:16:43.241940179 +0200
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 7fafa14..682fe95 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
 @@ -53,7 +53,7 @@
  #include <polkitagent/polkitagent.h>


@@ -21,7 +21,7 @@ Index: policykit-1/src/programs/pkexec.c
static gchar *command_line = NULL;
static struct passwd *pw;

-@@ -465,7 +465,7 @@
+@@ -465,7 +465,7 @@ main (int argc, char *argv[])
        goto out;
      }


@@ -30,7 +30,7 @@ Index: policykit-1/src/programs/pkexec.c
      {
        g_printerr ("Error getting cwd: %s\n",
                    g_strerror (errno));
-@@ -931,6 +931,7 @@
+@@ -953,6 +953,7 @@ main (int argc, char *argv[])
        g_ptr_array_free (saved_env, TRUE);
      }


diff --git a/debian/patches/07_set-XAUTHORITY-environment-variable-if-unset.patch b/debian/patches/0.110/07_set-XAUTHORITY-environment-variable-if-unset.patch
similarity index 77%
rename from debian/patches/07_set-XAUTHORITY-environment-variable-if-unset.patch
rename to debian/patches/0.110/07_set-XAUTHORITY-environment-variable-if-unset.patch
index f98295f..1ddf78c 100644
--- a/debian/patches/07_set-XAUTHORITY-environment-variable-if-unset.patch
+++ b/debian/patches/0.110/07_set-XAUTHORITY-environment-variable-if-unset.patch
@@ -1,7 +1,6 @@
-From d6acecdd0ebb42e28ff28e04e0207cb01fa20910 Mon Sep 17 00:00:00 2001
From: David Zeuthen <zeuthen@???>
Date: Wed, 19 Dec 2012 14:28:29 -0500
-Subject: [PATCH] Set XAUTHORITY environment variable if is unset
+Subject: Set XAUTHORITY environment variable if is unset

The way it works is that if XAUTHORITY is unset, then its default
value is $HOME/.Xauthority. But since we're changing user identity
@@ -17,18 +16,18 @@ work.

Based on a patch from Peter Wu <lekensteyn@???>.

-https://bugs.freedesktop.org/show_bug.cgi?id=51623
-
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=51623
Signed-off-by: David Zeuthen <zeuthen@???>
+Origin: upstream, 0.110, commit:d6acecdd0ebb42e28ff28e04e0207cb01fa20910
---
- src/programs/pkexec.c | 22 ++++++++++++++++++++++
+ src/programs/pkexec.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)

-Index: policykit-1/src/programs/pkexec.c
-===================================================================
---- policykit-1.orig/src/programs/pkexec.c    2012-12-20 18:41:37.714807215 +0100
-+++ policykit-1/src/programs/pkexec.c    2012-12-20 18:41:37.790805274 +0100
-@@ -597,6 +597,28 @@
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 373977b..7fafa14 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -597,6 +597,28 @@ main (int argc, char *argv[])
        g_ptr_array_add (saved_env, g_strdup (value));
      }


diff --git a/debian/patches/0.111/09_pam_environment.patch b/debian/patches/0.111/09_pam_environment.patch
new file mode 100644
index 0000000..793efee
--- /dev/null
+++ b/debian/patches/0.111/09_pam_environment.patch
@@ -0,0 +1,43 @@
+From: Steve Langasek <steve.langasek@???>
+Date: Fri, 8 Mar 2013 12:00:00 +0100
+Subject: pkexec: Set process environment from pam_getenvlist()
+
+Various pam modules provide environment variables that are intended to be set
+in the environment of the pam session.  pkexec needs to process the output of
+pam_getenvlist() to get these.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=62016
+Applied-upstream: 0.111, commit:5aef9722c15a350fbf8b20a3b58419f156cc7c98
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/982684
+---
+ src/programs/pkexec.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 682fe95..9a0570a 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -145,6 +145,7 @@ open_session (const gchar *user_to_auth)
+   gboolean ret;
+   gint rc;
+   pam_handle_t *pam_h;
++  char **envlist;
+   struct pam_conv conversation;
+ 
+   ret = FALSE;
+@@ -176,6 +177,15 @@ open_session (const gchar *user_to_auth)
+ 
+   ret = TRUE;
+ 
++  envlist = pam_getenvlist (pam_h);
++  if (envlist != NULL)
++    {
++      guint n;
++      for (n = 0; envlist[n]; n++)
++        putenv (envlist[n]);
++      free (envlist);
++    }
++
+ out:
+   if (pam_h != NULL)
+     pam_end (pam_h, rc);
diff --git a/debian/patches/0.112/00git_type_registration.patch b/debian/patches/0.112/00git_type_registration.patch
new file mode 100644
index 0000000..3936801
--- /dev/null
+++ b/debian/patches/0.112/00git_type_registration.patch
@@ -0,0 +1,118 @@
+From: Tomas Bzatek <tbzatek@???>
+Date: Wed, 29 May 2013 13:45:31 +0000
+Subject: Use GOnce for interface type registration
+
+Static local variable may not be enough since it doesn't provide locking.
+
+Related to these udisksd warnings:
+  GLib-GObject-WARNING **: cannot register existing type `PolkitSubject'
+
+Thanks to Hans de Goede for spotting this!
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=65130
+Origin: upstream, 0.112, commit:20ad116a6582e57d20f9d8197758947918753a4c
+---
+ src/polkit/polkitidentity.c                   | 10 ++++++----
+ src/polkit/polkitsubject.c                    | 10 ++++++----
+ src/polkitbackend/polkitbackendactionlookup.c | 10 ++++++----
+ 3 files changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/src/polkit/polkitidentity.c b/src/polkit/polkitidentity.c
+index dd15b2f..7813c2c 100644
+--- a/src/polkit/polkitidentity.c
++++ b/src/polkit/polkitidentity.c
+@@ -49,9 +49,9 @@ base_init (gpointer g_iface)
+ GType
+ polkit_identity_get_type (void)
+ {
+-  static GType iface_type = 0;
++  static volatile gsize g_define_type_id__volatile = 0;
+ 
+-  if (iface_type == 0)
++  if (g_once_init_enter (&g_define_type_id__volatile))
+     {
+       static const GTypeInfo info =
+       {
+@@ -67,12 +67,14 @@ polkit_identity_get_type (void)
+         NULL                    /* value_table    */
+       };
+ 
+-      iface_type = g_type_register_static (G_TYPE_INTERFACE, "PolkitIdentity", &info, 0);
++      GType iface_type =
++        g_type_register_static (G_TYPE_INTERFACE, "PolkitIdentity", &info, 0);
+ 
+       g_type_interface_add_prerequisite (iface_type, G_TYPE_OBJECT);
++      g_once_init_leave (&g_define_type_id__volatile, iface_type);
+     }
+ 
+-  return iface_type;
++  return g_define_type_id__volatile;
+ }
+ 
+ /**
+diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c
+index d2c4c20..aed5795 100644
+--- a/src/polkit/polkitsubject.c
++++ b/src/polkit/polkitsubject.c
+@@ -50,9 +50,9 @@ base_init (gpointer g_iface)
+ GType
+ polkit_subject_get_type (void)
+ {
+-  static GType iface_type = 0;
++  static volatile gsize g_define_type_id__volatile = 0;
+ 
+-  if (iface_type == 0)
++  if (g_once_init_enter (&g_define_type_id__volatile))
+     {
+       static const GTypeInfo info =
+       {
+@@ -68,12 +68,14 @@ polkit_subject_get_type (void)
+         NULL                    /* value_table    */
+       };
+ 
+-      iface_type = g_type_register_static (G_TYPE_INTERFACE, "PolkitSubject", &info, 0);
++      GType iface_type =
++        g_type_register_static (G_TYPE_INTERFACE, "PolkitSubject", &info, 0);
+ 
+       g_type_interface_add_prerequisite (iface_type, G_TYPE_OBJECT);
++      g_once_init_leave (&g_define_type_id__volatile, iface_type);
+     }
+ 
+-  return iface_type;
++  return g_define_type_id__volatile;
+ }
+ 
+ /**
+diff --git a/src/polkitbackend/polkitbackendactionlookup.c b/src/polkitbackend/polkitbackendactionlookup.c
+index 5a1a228..20747e7 100644
+--- a/src/polkitbackend/polkitbackendactionlookup.c
++++ b/src/polkitbackend/polkitbackendactionlookup.c
+@@ -74,9 +74,9 @@ base_init (gpointer g_iface)
+ GType
+ polkit_backend_action_lookup_get_type (void)
+ {
+-  static GType iface_type = 0;
++  static volatile gsize g_define_type_id__volatile = 0;
+ 
+-  if (iface_type == 0)
++  if (g_once_init_enter (&g_define_type_id__volatile))
+     {
+       static const GTypeInfo info =
+       {
+@@ -92,12 +92,14 @@ polkit_backend_action_lookup_get_type (void)
+         NULL                    /* value_table    */
+       };
+ 
+-      iface_type = g_type_register_static (G_TYPE_INTERFACE, "PolkitBackendActionLookup", &info, 0);
++      GType iface_type =
++        g_type_register_static (G_TYPE_INTERFACE, "PolkitBackendActionLookup", &info, 0);
+ 
+       g_type_interface_add_prerequisite (iface_type, G_TYPE_OBJECT);
++      g_once_init_leave (&g_define_type_id__volatile, iface_type);
+     }
+ 
+-  return iface_type;
++  return g_define_type_id__volatile;
+ }
+ 
+ /**
diff --git a/debian/patches/08_deprecate_racy_APIs.patch b/debian/patches/0.112/08_deprecate_racy_APIs.patch
similarity index 63%
rename from debian/patches/08_deprecate_racy_APIs.patch
rename to debian/patches/0.112/08_deprecate_racy_APIs.patch
index 73c356c..725a44a 100644
--- a/debian/patches/08_deprecate_racy_APIs.patch
+++ b/debian/patches/0.112/08_deprecate_racy_APIs.patch
@@ -1,12 +1,15 @@
-commit 08291789a1f99d4ab29c74c39344304bcca43023
-Author: Colin Walters <walters@???>
-Date:   Tue Aug 20 15:15:31 2013 -0400
+From: Colin Walters <walters@???>
+Date: Tue, 20 Aug 2013 15:15:31 -0400
+Subject: polkitunixprocess: Deprecate racy APIs


-    polkitunixprocess: Deprecate racy APIs
-    
-    It's only safe for processes to be created with their owning uid,
-    (without kernel support, which we don't have).  Anything else is
-    subject to clients exec()ing setuid binaries after the fact.
+It's only safe for processes to be created with their owning uid,
+(without kernel support, which we don't have).  Anything else is
+subject to clients exec()ing setuid binaries after the fact.
+
+Origin: upstream, 0.112, commit:08291789a1f99d4ab29c74c39344304bcca43023
+---
+ src/polkit/polkitunixprocess.h | 2 ++
+ 1 file changed, 2 insertions(+)


diff --git a/src/polkit/polkitunixprocess.h b/src/polkit/polkitunixprocess.h
index 531a57d..f5ed1a7 100644
diff --git a/debian/patches/cve-2013-4288.patch b/debian/patches/0.112/cve-2013-4288.patch
similarity index 76%
rename from debian/patches/cve-2013-4288.patch
rename to debian/patches/0.112/cve-2013-4288.patch
index 2aad36c..207bcf0 100644
--- a/debian/patches/cve-2013-4288.patch
+++ b/debian/patches/0.112/cve-2013-4288.patch
@@ -1,7 +1,6 @@
-From 52c927893a2ab135462b616c2e00fec377da9885 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@???>
Date: Mon, 19 Aug 2013 12:16:11 -0400
-Subject: [PATCH 2/4] pkcheck: Support --process=pid,start-time,uid syntax too
+Subject: pkcheck: Support --process=pid,start-time,uid syntax too

The uid is a new addition; this allows callers such as libvirt to
close a race condition in reading the uid of the process talking to
@@ -14,27 +13,29 @@ use:

 pkcheck_supports_uid=$($PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1)
 test x$pkcheck_supports_uid = xyes
+
+Origin: upstream, 0.112, commit:3968411b0c7ba193f9b9276ec911692aec248608
 ---
- data/polkit-gobject-1.pc.in |    3 +++
- docs/man/pkcheck.xml        |   29 ++++++++++++++++++++---------
- src/programs/pkcheck.c      |    9 +++++++--
- 3 files changed, 30 insertions(+), 11 deletions(-)
+ data/polkit-gobject-1.pc.in |  3 +++
+ docs/man/pkcheck.xml        | 29 ++++++++++++++++++++---------
+ src/programs/pkcheck.c      |  7 ++++++-
+ 3 files changed, 29 insertions(+), 10 deletions(-)


-Index: policykit-1-0.105/data/polkit-gobject-1.pc.in
-===================================================================
---- policykit-1-0.105.orig/data/polkit-gobject-1.pc.in    2013-09-11 09:40:56.604225567 -0400
-+++ policykit-1-0.105/data/polkit-gobject-1.pc.in    2013-09-11 09:40:56.596225567 -0400
-@@ -11,3 +11,6 @@
+diff --git a/data/polkit-gobject-1.pc.in b/data/polkit-gobject-1.pc.in
+index c39677d..5c4c620 100644
+--- a/data/polkit-gobject-1.pc.in
++++ b/data/polkit-gobject-1.pc.in
+@@ -11,3 +11,6 @@ Version: @VERSION@
  Libs: -L${libdir} -lpolkit-gobject-1
  Cflags: -I${includedir}/polkit-1
  Requires: gio-2.0 >= 2.18 glib-2.0 >= 2.18
 +# Programs using pkcheck can use this to determine
 +# whether or not it can be passed a uid.
 +pkcheck_supports_uid=true
-Index: policykit-1-0.105/docs/man/pkcheck.xml
-===================================================================
---- policykit-1-0.105.orig/docs/man/pkcheck.xml    2013-09-11 09:40:56.604225567 -0400
-+++ policykit-1-0.105/docs/man/pkcheck.xml    2013-09-11 09:42:28.272223569 -0400
+diff --git a/docs/man/pkcheck.xml b/docs/man/pkcheck.xml
+index 6b8a874..508447e 100644
+--- a/docs/man/pkcheck.xml
++++ b/docs/man/pkcheck.xml
 @@ -55,6 +55,9 @@
              <arg choice="plain">
                <replaceable>pid,pid-start-time</replaceable>
@@ -54,7 +55,7 @@ Index: policykit-1-0.105/docs/man/pkcheck.xml
        is authorized for <replaceable>action</replaceable>. The <option>--detail</option>
        option can be used zero or more times to pass details about <replaceable>action</replaceable>.
        If <option>--allow-user-interaction</option> is passed, <command>pkcheck</command> blocks
-@@ -160,17 +163,25 @@
+@@ -160,17 +163,25 @@ KEY3=VALUE3
    <refsect1 id="pkcheck-notes">
      <title>NOTES</title>
      <para>
@@ -88,11 +89,11 @@ Index: policykit-1-0.105/docs/man/pkcheck.xml
      </para>
    </refsect1>


-Index: policykit-1-0.105/src/programs/pkcheck.c
-===================================================================
---- policykit-1-0.105.orig/src/programs/pkcheck.c    2013-09-11 09:40:56.604225567 -0400
-+++ policykit-1-0.105/src/programs/pkcheck.c    2013-09-11 09:40:56.600225567 -0400
-@@ -372,6 +372,7 @@
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index 719a36c..057e926 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -372,6 +372,7 @@ main (int argc, char *argv[])
        else if (g_strcmp0 (argv[n], "--process") == 0 || g_strcmp0 (argv[n], "-p") == 0)
          {
            gint pid;
@@ -100,7 +101,7 @@ Index: policykit-1-0.105/src/programs/pkcheck.c
            guint64 pid_start_time;


            n++;
-@@ -381,7 +382,11 @@
+@@ -381,7 +382,11 @@ main (int argc, char *argv[])
                goto out;
              }


diff --git a/debian/patches/0.113/00git_fix_memleak.patch b/debian/patches/0.113/00git_fix_memleak.patch
new file mode 100644
index 0000000..4283345
--- /dev/null
+++ b/debian/patches/0.113/00git_fix_memleak.patch
@@ -0,0 +1,26 @@
+From: "Max A. Dednev" <dednev@???>
+Date: Sun, 11 Jan 2015 20:00:44 -0500
+Subject: authority: Fix memory leak in EnumerateActions call results handler
+
+Policykit-1 doesn't release reference counters of GVariant data for
+org.freedesktop.PolicyKit1.Authority.EnumerateActions dbus call.  This
+patch fixed reference counting and following memory leak.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=88288
+Origin: upstream, 0.113, commit:f4d71e0de885010494b8b0b8d62ca910011d7544
+---
+ src/polkit/polkitauthority.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/polkit/polkitauthority.c b/src/polkit/polkitauthority.c
+index 9947cf3..84dab72 100644
+--- a/src/polkit/polkitauthority.c
++++ b/src/polkit/polkitauthority.c
+@@ -715,7 +715,6 @@ polkit_authority_enumerate_actions_finish (PolkitAuthority *authority,
+   while ((child = g_variant_iter_next_value (&iter)) != NULL)
+     {
+       ret = g_list_prepend (ret, polkit_action_description_new_for_gvariant (child));
+-      g_variant_ref_sink (child);
+       g_variant_unref (child);
+     }
+   ret = g_list_reverse (ret);
diff --git a/debian/patches/0.113/00git_invalid_object_paths.patch b/debian/patches/0.113/00git_invalid_object_paths.patch
new file mode 100644
index 0000000..088d170
--- /dev/null
+++ b/debian/patches/0.113/00git_invalid_object_paths.patch
@@ -0,0 +1,116 @@
+From: Colin Walters <walters@???>
+Date: Sat, 30 May 2015 09:06:23 -0400
+Subject: CVE-2015-3218: backend: Handle invalid object paths in
+ RegisterAuthenticationAgent
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Properly propagate the error, otherwise we dereference a `NULL`
+pointer.  This is a local, authenticated DoS.
+
+`RegisterAuthenticationAgentWithOptions` and
+`UnregisterAuthentication` have been validated to not need changes for
+this.
+
+http://lists.freedesktop.org/archives/polkit-devel/2015-May/000420.html
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90829
+Bug-Debian: https://bugs.debian.org/787932
+Reported-by: Tavis Ormandy <taviso@???>
+Reviewed-by: Philip Withnall <philip@???>
+Reviewed-by: Miloslav Trmač <mitr@???>
+Signed-off-by: Colin Walters <walters@???>
+Origin: upstream, 0.113, commit:48e646918efb2bf0b3b505747655726d7869f31c
+---
+ .../polkitbackendinteractiveauthority.c            | 53 ++++++++++++----------
+ 1 file changed, 30 insertions(+), 23 deletions(-)
+
+diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
+index b237e9d..25e13fb 100644
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -1558,36 +1558,42 @@ authentication_agent_new (PolkitSubject *scope,
+                           const gchar *unique_system_bus_name,
+                           const gchar *locale,
+                           const gchar *object_path,
+-                          GVariant    *registration_options)
++                          GVariant    *registration_options,
++                          GError     **error)
+ {
+   AuthenticationAgent *agent;
+-  GError *error;
++  GDBusProxy *proxy;
+ 
+-  agent = g_new0 (AuthenticationAgent, 1);
++  if (!g_variant_is_object_path (object_path))
++    {
++      g_set_error (error, POLKIT_ERROR, POLKIT_ERROR_FAILED,
++                   "Invalid object path '%s'", object_path);
++      return NULL;
++    }
++
++  proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM,
++                                         G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES |
++                                         G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS,
++                                         NULL, /* GDBusInterfaceInfo* */
++                                         unique_system_bus_name,
++                                         object_path,
++                                         "org.freedesktop.PolicyKit1.AuthenticationAgent",
++                                         NULL, /* GCancellable* */
++                                         error);
++  if (proxy == NULL)
++    {
++      g_prefix_error (error, "Failed to construct proxy for agent: " );
++      return NULL;
++    }
+ 
++  agent = g_new0 (AuthenticationAgent, 1);
+   agent->ref_count = 1;
+   agent->scope = g_object_ref (scope);
+   agent->object_path = g_strdup (object_path);
+   agent->unique_system_bus_name = g_strdup (unique_system_bus_name);
+   agent->locale = g_strdup (locale);
+   agent->registration_options = registration_options != NULL ? g_variant_ref (registration_options) : NULL;
+-
+-  error = NULL;
+-  agent->proxy = g_dbus_proxy_new_for_bus_sync (G_BUS_TYPE_SYSTEM,
+-                                                G_DBUS_PROXY_FLAGS_DO_NOT_LOAD_PROPERTIES |
+-                                                G_DBUS_PROXY_FLAGS_DO_NOT_CONNECT_SIGNALS,
+-                                                NULL, /* GDBusInterfaceInfo* */
+-                                                agent->unique_system_bus_name,
+-                                                agent->object_path,
+-                                                "org.freedesktop.PolicyKit1.AuthenticationAgent",
+-                                                NULL, /* GCancellable* */
+-                                                &error);
+-  if (agent->proxy == NULL)
+-    {
+-      g_warning ("Error constructing proxy for agent: %s", error->message);
+-      g_error_free (error);
+-      /* TODO: Make authentication_agent_new() return NULL and set a GError */
+-    }
++  agent->proxy = proxy;
+ 
+   return agent;
+ }
+@@ -2234,8 +2240,6 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
+   caller_cmdline = NULL;
+   agent = NULL;
+ 
+-  /* TODO: validate that object path is well-formed */
+-
+   interactive_authority = POLKIT_BACKEND_INTERACTIVE_AUTHORITY (authority);
+   priv = POLKIT_BACKEND_INTERACTIVE_AUTHORITY_GET_PRIVATE (interactive_authority);
+ 
+@@ -2322,7 +2326,10 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
+                                     polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)),
+                                     locale,
+                                     object_path,
+-                                    options);
++                                    options,
++                                    error);
++  if (!agent)
++    goto out;
+ 
+   g_hash_table_insert (priv->hash_scope_to_authentication_agent,
+                        g_object_ref (subject),
diff --git a/debian/patches/0.113/03_PolkitAgentSession-fix-race-between-child-and-io-wat.patch b/debian/patches/0.113/03_PolkitAgentSession-fix-race-between-child-and-io-wat.patch
new file mode 100644
index 0000000..956099b
--- /dev/null
+++ b/debian/patches/0.113/03_PolkitAgentSession-fix-race-between-child-and-io-wat.patch
@@ -0,0 +1,120 @@
+From: Rui Matos <tiagomatos@???>
+Date: Thu, 6 Feb 2014 18:41:18 +0100
+Subject: PolkitAgentSession: fix race between child and io watches
+
+The helper flushes and fdatasyncs stdout and stderr before terminating
+but this doesn't guarantee that our io watch is called before our
+child watch. This means that we can end up with a successful return
+from the helper which we still report as a failure.
+
+If we add G_IO_HUP and G_IO_ERR to the conditions we look for in the
+io watch and the child terminates we still run the io watch handler
+which will complete the session.
+
+This means that the child watch is in fact needless and we can remove
+it.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=60847
+Origin: upstream, 0.113, commit:7650ad1e08ab13bdb461783c4995d186d9392840
+Bug: http://bugs.freedesktop.org/show_bug.cgi?id=30515
+Bug-Ubuntu: https://launchpad.net/bugs/649939
+Bug-Ubuntu: https://launchpad.net/bugs/445303
+---
+ src/polkitagent/polkitagentsession.c | 47 +++++++++---------------------------
+ 1 file changed, 11 insertions(+), 36 deletions(-)
+
+diff --git a/src/polkitagent/polkitagentsession.c b/src/polkitagent/polkitagentsession.c
+index 8129cd9..a658a22 100644
+--- a/src/polkitagent/polkitagentsession.c
++++ b/src/polkitagent/polkitagentsession.c
+@@ -92,7 +92,6 @@ struct _PolkitAgentSession
+   int child_stdout;
+   GPid child_pid;
+ 
+-  GSource *child_watch_source;
+   GSource *child_stdout_watch_source;
+   GIOChannel *child_stdout_channel;
+ 
+@@ -377,13 +376,6 @@ kill_helper (PolkitAgentSession *session)
+       session->child_pid = 0;
+     }
+ 
+-  if (session->child_watch_source != NULL)
+-    {
+-      g_source_destroy (session->child_watch_source);
+-      g_source_unref (session->child_watch_source);
+-      session->child_watch_source = NULL;
+-    }
+-
+   if (session->child_stdout_watch_source != NULL)
+     {
+       g_source_destroy (session->child_stdout_watch_source);
+@@ -429,26 +421,6 @@ complete_session (PolkitAgentSession *session,
+     }
+ }
+ 
+-static void
+-child_watch_func (GPid     pid,
+-                  gint     status,
+-                  gpointer user_data)
+-{
+-  PolkitAgentSession *session = POLKIT_AGENT_SESSION (user_data);
+-
+-  if (G_UNLIKELY (_show_debug ()))
+-    {
+-      g_print ("PolkitAgentSession: in child_watch_func for pid %d (WIFEXITED=%d WEXITSTATUS=%d)\n",
+-               (gint) pid,
+-               WIFEXITED(status),
+-               WEXITSTATUS(status));
+-    }
+-
+-  /* kill all the watches we have set up, except for the child since it has exited already */
+-  session->child_pid = 0;
+-  complete_session (session, FALSE);
+-}
+-
+ static gboolean
+ io_watch_have_data (GIOChannel    *channel,
+                     GIOCondition   condition,
+@@ -475,10 +447,13 @@ io_watch_have_data (GIOChannel    *channel,
+                           NULL,
+                           NULL,
+                           &error);
+-  if (error != NULL)
++  if (error != NULL || line == NULL)
+     {
+-      g_warning ("Error reading line from helper: %s", error->message);
+-      g_error_free (error);
++      /* In case we get just G_IO_HUP, line is NULL but error is
++         unset.*/
++      g_warning ("Error reading line from helper: %s",
++                 error ? error->message : "nothing to read");
++      g_clear_error (&error);
+ 
+       complete_session (session, FALSE);
+       goto out;
+@@ -540,6 +515,9 @@ io_watch_have_data (GIOChannel    *channel,
+   g_free (line);
+   g_free (unescaped);
+ 
++  if (condition & (G_IO_ERR | G_IO_HUP))
++    complete_session (session, FALSE);
++
+   /* keep the IOChannel around */
+   return TRUE;
+ }
+@@ -650,12 +628,9 @@ polkit_agent_session_initiate (PolkitAgentSession *session)
+   if (G_UNLIKELY (_show_debug ()))
+     g_print ("PolkitAgentSession: spawned helper with pid %d\n", (gint) session->child_pid);
+ 
+-  session->child_watch_source = g_child_watch_source_new (session->child_pid);
+-  g_source_set_callback (session->child_watch_source, (GSourceFunc) child_watch_func, session, NULL);
+-  g_source_attach (session->child_watch_source, g_main_context_get_thread_default ());
+-
+   session->child_stdout_channel = g_io_channel_unix_new (session->child_stdout);
+-  session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel, G_IO_IN);
++  session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel,
++                                                          G_IO_IN | G_IO_ERR | G_IO_HUP);
+   g_source_set_callback (session->child_stdout_watch_source, (GSourceFunc) io_watch_have_data, session, NULL);
+   g_source_attach (session->child_stdout_watch_source, g_main_context_get_thread_default ());
+ 
diff --git a/debian/patches/0.113/CVE-2015-3255-Fix-GHashTable-usage.patch b/debian/patches/0.113/CVE-2015-3255-Fix-GHashTable-usage.patch
new file mode 100644
index 0000000..f20fab2
--- /dev/null
+++ b/debian/patches/0.113/CVE-2015-3255-Fix-GHashTable-usage.patch
@@ -0,0 +1,68 @@
+From: =?utf-8?q?Miloslav_Trma=C4=8D?= <mitr@???>
+Date: Wed, 1 Apr 2015 05:22:37 +0200
+Subject: CVE-2015-3255 Fix GHashTable usage.
+
+Don't assume that the hash table with free both the key and the value
+at the same time, supply proper deallocation functions for the key
+and value separately.
+
+Then drop ParsedAction::action_id which is no longer used for anything.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=69501
+and
+https://bugs.freedesktop.org/show_bug.cgi?id=83590
+
+CVE: CVE-2015-3255
+Origin: upstream, 0.113, commit:9f5e0c731784003bd4d6fc75ab739ff8b2ea269f
+Bug-Debian: https://bugs.debian.org/796134
+---
+ src/polkitbackend/polkitbackendactionpool.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
+index e3ed38d..4270d4e 100644
+--- a/src/polkitbackend/polkitbackendactionpool.c
++++ b/src/polkitbackend/polkitbackendactionpool.c
+@@ -40,7 +40,6 @@
+ 
+ typedef struct
+ {
+-  gchar *action_id;
+   gchar *vendor_name;
+   gchar *vendor_url;
+   gchar *icon_name;
+@@ -62,7 +61,6 @@ typedef struct
+ static void
+ parsed_action_free (ParsedAction *action)
+ {
+-  g_free (action->action_id);
+   g_free (action->vendor_name);
+   g_free (action->vendor_url);
+   g_free (action->icon_name);
+@@ -134,7 +132,7 @@ polkit_backend_action_pool_init (PolkitBackendActionPool *pool)
+ 
+   priv->parsed_actions = g_hash_table_new_full (g_str_hash,
+                                                 g_str_equal,
+-                                                NULL,
++                                                g_free,
+                                                 (GDestroyNotify) parsed_action_free);
+ 
+   priv->parsed_files = g_hash_table_new_full (g_str_hash,
+@@ -988,7 +986,6 @@ _end (void *data, const char *el)
+           icon_name = pd->global_icon_name;
+ 
+         action = g_new0 (ParsedAction, 1);
+-        action->action_id = g_strdup (pd->action_id);
+         action->vendor_name = g_strdup (vendor);
+         action->vendor_url = g_strdup (vendor_url);
+         action->icon_name = g_strdup (icon_name);
+@@ -1003,7 +1000,8 @@ _end (void *data, const char *el)
+         action->implicit_authorization_inactive = pd->implicit_authorization_inactive;
+         action->implicit_authorization_active = pd->implicit_authorization_active;
+ 
+-        g_hash_table_insert (priv->parsed_actions, action->action_id, action);
++        g_hash_table_insert (priv->parsed_actions, g_strdup (pd->action_id),
++                             action);
+ 
+         /* we steal these hash tables */
+         pd->annotations = NULL;
diff --git a/debian/patches/0.113/CVE-2015-4625-Bind-use-of-cookies-to-specific-uids.patch b/debian/patches/0.113/CVE-2015-4625-Bind-use-of-cookies-to-specific-uids.patch
new file mode 100644
index 0000000..0516d5c
--- /dev/null
+++ b/debian/patches/0.113/CVE-2015-4625-Bind-use-of-cookies-to-specific-uids.patch
@@ -0,0 +1,485 @@
+From: Colin Walters <walters@???>
+Date: Wed, 17 Jun 2015 13:07:02 -0400
+Subject: CVE-2015-4625: Bind use of cookies to specific uids
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html
+
+The "cookie" value that Polkit hands out is global to all polkit
+users.  And when `AuthenticationAgentResponse` is invoked, we
+previously only received the cookie and *target* identity, and
+attempted to find an agent from that.
+
+The problem is that the current cookie is just an integer
+counter, and if it overflowed, it would be possible for
+an successful authorization in one session to trigger a response
+in another session.
+
+The overflow and ability to guess the cookie were fixed by the
+previous patch.
+
+This patch is conceptually further hardening on top of that.  Polkit
+currently treats uids as equivalent from a security domain
+perspective; there is no support for
+SELinux/AppArmor/etc. differentiation.
+
+We can retrieve the uid from `getuid()` in the setuid helper, which
+allows us to ensure the uid invoking `AuthenticationAgentResponse2`
+matches that of the agent.
+
+Then the authority only looks at authentication sessions matching the
+cookie that were created by a matching uid, thus removing the ability
+for different uids to interfere with each other entirely.
+
+Several fixes to this patch were contributed by:
+Miloslav Trmač <mitr@???>
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
+CVE: CVE-2015-4625
+Reported-by: Tavis Ormandy <taviso@???>
+Reviewed-by: Miloslav Trmač <mitr@???>
+Signed-off-by: Colin Walters <walters@???>
+Origin: upstream, 0.113, commit:493aa5dc1d278ab9097110c1262f5229bbaf1766
+Bug-Debian: https://bugs.debian.org/796134
+---
+ ....freedesktop.PolicyKit1.AuthenticationAgent.xml | 14 ++++-
+ data/org.freedesktop.PolicyKit1.Authority.xml      | 24 ++++++++-
+ ...erface-org.freedesktop.PolicyKit1.Authority.xml | 46 +++++++++++++++-
+ docs/polkit/overview.xml                           | 18 ++++---
+ src/polkit/polkitauthority.c                       | 13 ++++-
+ src/polkitbackend/polkitbackendauthority.c         | 61 +++++++++++++++++++++-
+ src/polkitbackend/polkitbackendauthority.h         |  2 +
+ .../polkitbackendinteractiveauthority.c            | 39 ++++++++++++--
+ 8 files changed, 198 insertions(+), 19 deletions(-)
+
+diff --git a/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml b/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml
+index 3b519c2..5beef7d 100644
+--- a/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml
++++ b/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml
+@@ -8,7 +8,19 @@
+     <annotation name="org.gtk.EggDBus.DocString" value="<para>This D-Bus interface is used for communication between the system-wide PolicyKit daemon and one or more authentication agents each running in a user session.</para><para>An authentication agent must implement this interface and register (passing the object path of the object implementing the interface) using the org.freedesktop.PolicyKit1.Authority.RegisterAuthenticationAgent() and org.freedesktop.PolicyKit1.Authority.UnregisterAuthenticationAgent() methods on the #org.freedesktop.PolicyKit1.Authority interface of the PolicyKit daemon.</para>"/>
+ 
+     <method name="BeginAuthentication">
+-      <annotation name="org.gtk.EggDBus.DocString" value="<para>Called by the PolicyKit daemon when the authentication agent needs the user to authenticate as one of the identities in @identities for the action with the identifier @action_id.</para><para>Upon succesful authentication, the authentication agent must invoke the org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse() method on the #org.freedesktop.PolicyKit1.Authority interface of the PolicyKit daemon before returning.</para><para>If the user dismisses the authentication dialog, the authentication agent should return an error.</para>"/>
++      <annotation name="org.gtk.EggDBus.DocString" value="<para>Called
++      by the PolicyKit daemon when the authentication agent needs the
++      user to authenticate as one of the identities in @identities for
++      the action with the identifier @action_id.</para><para>This
++      authentication is normally achieved via the
++      polkit_agent_session_response() API, which invokes a private
++      setuid helper process to verify the authentication.  When
++      successful, it calls the
++      org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2()
++      method on the #org.freedesktop.PolicyKit1.Authority interface of
++      the PolicyKit daemon before returning.  If the user dismisses the
++      authentication dialog, the authentication agent should call
++      polkit_agent_session_cancel().</para>"/>
+ 
+       <arg name="action_id" direction="in" type="s">
+         <annotation name="org.gtk.EggDBus.DocString" value="The identifier for the action that the user is authentication for."/>
+diff --git a/data/org.freedesktop.PolicyKit1.Authority.xml b/data/org.freedesktop.PolicyKit1.Authority.xml
+index fbfb9cd..f9021ee 100644
+--- a/data/org.freedesktop.PolicyKit1.Authority.xml
++++ b/data/org.freedesktop.PolicyKit1.Authority.xml
+@@ -313,7 +313,29 @@
+     </method>
+ 
+     <method name="AuthenticationAgentResponse">
+-      <annotation name="org.gtk.EggDBus.DocString" value="Method for authentication agents to invoke on successful authentication. This method will fail unless a sufficiently privileged caller invokes it."/>
++      <annotation name="org.gtk.EggDBus.DocString" value="Method for authentication agents to invoke on successful
++authentication, intended only for use by a privileged helper process
++internal to polkit."/>
++
++      <arg name="cookie" direction="in" type="s">
++        <annotation name="org.gtk.EggDBus.DocString" value="The cookie identifying the authentication request that was passed to the authentication agent."/>
++      </arg>
++
++      <arg name="identity" direction="in" type="(sa{sv})">
++        <annotation name="org.gtk.EggDBus.Type" value="Identity"/>
++        <annotation name="org.gtk.EggDBus.DocString" value="A #Identity struct describing what identity was authenticated."/>
++      </arg>
++    </method>
++
++    <method name="AuthenticationAgentResponse2">
++      <annotation name="org.gtk.EggDBus.DocString" value="Method for authentication agents to invoke on successful
++authentication, intended only for use by a privileged helper process
++internal to polkit.   Note this method was added in 0.114, and should be preferred over AuthenticationAgentResponse
++as it fixes a security issue."/>
++
++      <arg name="uid" direction="in" type="u">
++        <annotation name="org.gtk.EggDBus.DocString" value="The real uid of the agent.  Normally set by the setuid helper program."/>
++      </arg>
+ 
+       <arg name="cookie" direction="in" type="s">
+         <annotation name="org.gtk.EggDBus.DocString" value="The cookie identifying the authentication request that was passed to the authentication agent."/>
+diff --git a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml
+index 6525e25..e66bf53 100644
+--- a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml
++++ b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml
+@@ -42,6 +42,8 @@ Structure    <link linkend="eggdbus-struct-TemporaryAuthorization">TemporaryAuth
+                                   IN  String                         object_path)
+ <link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse">AuthenticationAgentResponse</link>      (IN  String                         cookie,
+                                   IN  <link linkend="eggdbus-struct-Identity">Identity</link>                       identity)
++<link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse">AuthenticationAgentResponse2</link>      (IN uint32 uid, IN  String                         cookie,
++                                  IN  <link linkend="eggdbus-struct-Identity">Identity</link>                       identity)
+ <link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.EnumerateTemporaryAuthorizations">EnumerateTemporaryAuthorizations</link> (IN  <link linkend="eggdbus-struct-Subject">Subject</link>                        subject,
+                                   OUT Array&lt;<link linkend="eggdbus-struct-TemporaryAuthorization">TemporaryAuthorization</link>&gt;  temporary_authorizations)
+ <link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.RevokeTemporaryAuthorizations">RevokeTemporaryAuthorizations</link>    (IN  <link linkend="eggdbus-struct-Subject">Subject</link>                        subject)
+@@ -777,10 +779,52 @@ AuthenticationAgentResponse (IN  String    cookie,
+                              IN  <link linkend="eggdbus-struct-Identity">Identity</link>  identity)
+     </programlisting>
+     <para>
+-Method for authentication agents to invoke on successful authentication. This method will fail unless a sufficiently privileged caller invokes it.
++Method for authentication agents to invoke on successful
++authentication, intended only for use by a privileged helper process
++internal to polkit.  Deprecated in favor of AuthenticationAgentResponse2.
++    </para>
++<variablelist role="params">
++  <varlistentry>
++    <term><literal>IN  String <parameter>cookie</parameter></literal>:</term>
++    <listitem>
++      <para>
++The cookie identifying the authentication request that was passed to the authentication agent.
++      </para>
++    </listitem>
++  </varlistentry>
++  <varlistentry>
++    <term><literal>IN  <link linkend="eggdbus-struct-Identity">Identity</link> <parameter>identity</parameter></literal>:</term>
++    <listitem>
++      <para>
++A <link linkend="eggdbus-struct-Identity">Identity</link> struct describing what identity was authenticated.
++      </para>
++    </listitem>
++  </varlistentry>
++</variablelist>
++    </refsect2>
++    <refsect2 role="function" id="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2">
++      <title>AuthenticationAgentResponse2 ()</title>
++    <programlisting>
++AuthenticationAgentResponse2 (IN  uint32 uid,
++                              IN  String cookie,
++                              IN  <link linkend="eggdbus-struct-Identity">Identity</link>  identity)
++    </programlisting>
++    <para>
++Method for authentication agents to invoke on successful
++authentication, intended only for use by a privileged helper process
++internal to polkit.  Note this method was introduced in 0.114 to fix a security issue.
+     </para>
+ <variablelist role="params">
+   <varlistentry>
++    <term><literal>IN  uint32 <parameter>uid</parameter></literal>:</term>
++    <listitem>
++      <para>
++The user id of the agent; normally this is the owner of the parent pid
++of the process that invoked the internal setuid helper.
++      </para>
++    </listitem>
++  </varlistentry>
++  <varlistentry>
+     <term><literal>IN  String <parameter>cookie</parameter></literal>:</term>
+     <listitem>
+       <para>
+diff --git a/docs/polkit/overview.xml b/docs/polkit/overview.xml
+index 24440d2..c29d8da 100644
+--- a/docs/polkit/overview.xml
++++ b/docs/polkit/overview.xml
+@@ -66,16 +66,18 @@
+     <para>
+       Authentication agents are provided by desktop environments. When
+       an user session starts, the agent registers with the polkit
+-      Authority using
+-      the <link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.RegisterAuthenticationAgent">RegisterAuthenticationAgent()</link>
++      Authority using the <link
++      linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.RegisterAuthenticationAgent">RegisterAuthenticationAgent()</link>
+       method. When services are needed, the authority will invoke
+-      methods on
+-      the <link linkend="eggdbus-interface-org.freedesktop.PolicyKit1.AuthenticationAgent">org.freedesktop.PolicyKit1.AuthenticationAgent</link>
++      methods on the <link
++      linkend="eggdbus-interface-org.freedesktop.PolicyKit1.AuthenticationAgent">org.freedesktop.PolicyKit1.AuthenticationAgent</link>
+       D-Bus interface. Once the user is authenticated, (a privileged
+-      part of) the agent invokes
+-      the <link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse">AuthenticationAgentResponse()</link>
+-      method.  Note that the polkit Authority itself does not care
+-      how the agent authenticates the user.
++      part of) the agent invokes the <link
++      linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse">AuthenticationAgentResponse()</link>
++      method.  This method should be treated as an internal
++      implementation detail, and callers should use the public shared
++      library API to invoke it, which currently uses a setuid helper
++      program.
+     </para>
+     <para>
+       The <link linkend="ref-authentication-agent-api">libpolkit-agent-1</link>
+diff --git a/src/polkit/polkitauthority.c b/src/polkit/polkitauthority.c
+index 84dab72..f45abc4 100644
+--- a/src/polkit/polkitauthority.c
++++ b/src/polkit/polkitauthority.c
+@@ -1492,6 +1492,14 @@ polkit_authority_authentication_agent_response (PolkitAuthority      *authority,
+                                                 gpointer              user_data)
+ {
+   GVariant *identity_value;
++  /* Note that in reality, this API is only accessible to root, and
++   * only called from the setuid helper `polkit-agent-helper-1`.
++   *
++   * However, because this is currently public API, we avoid
++   * triggering warnings from ABI diff type programs by just grabbing
++   * the real uid of the caller here.
++   */
++  uid_t uid = getuid ();
+ 
+   g_return_if_fail (POLKIT_IS_AUTHORITY (authority));
+   g_return_if_fail (cookie != NULL);
+@@ -1501,8 +1509,9 @@ polkit_authority_authentication_agent_response (PolkitAuthority      *authority,
+   identity_value = polkit_identity_to_gvariant (identity);
+   g_variant_ref_sink (identity_value);
+   g_dbus_proxy_call (authority->proxy,
+-                     "AuthenticationAgentResponse",
+-                     g_variant_new ("(s@(sa{sv}))",
++                     "AuthenticationAgentResponse2",
++                     g_variant_new ("(us@(sa{sv}))",
++                                    (guint32)uid,
+                                     cookie,
+                                     identity_value),
+                      G_DBUS_CALL_FLAGS_NONE,
+diff --git a/src/polkitbackend/polkitbackendauthority.c b/src/polkitbackend/polkitbackendauthority.c
+index fd4f161..d1b1a25 100644
+--- a/src/polkitbackend/polkitbackendauthority.c
++++ b/src/polkitbackend/polkitbackendauthority.c
+@@ -355,6 +355,7 @@ polkit_backend_authority_unregister_authentication_agent (PolkitBackendAuthority
+ gboolean
+ polkit_backend_authority_authentication_agent_response (PolkitBackendAuthority    *authority,
+                                                         PolkitSubject             *caller,
++                                                        uid_t                      uid,
+                                                         const gchar               *cookie,
+                                                         PolkitIdentity            *identity,
+                                                         GError                   **error)
+@@ -373,7 +374,7 @@ polkit_backend_authority_authentication_agent_response (PolkitBackendAuthority
+     }
+   else
+     {
+-      return klass->authentication_agent_response (authority, caller, cookie, identity, error);
++      return klass->authentication_agent_response (authority, caller, uid, cookie, identity, error);
+     }
+ }
+ 
+@@ -587,6 +588,11 @@ static const gchar *server_introspection_data =
+   "      <arg type='s' name='cookie' direction='in'/>"
+   "      <arg type='(sa{sv})' name='identity' direction='in'/>"
+   "    </method>"
++  "    <method name='AuthenticationAgentResponse2'>"
++  "      <arg type='u' name='uid' direction='in'/>"
++  "      <arg type='s' name='cookie' direction='in'/>"
++  "      <arg type='(sa{sv})' name='identity' direction='in'/>"
++  "    </method>"
+   "    <method name='EnumerateTemporaryAuthorizations'>"
+   "      <arg type='(sa{sv})' name='subject' direction='in'/>"
+   "      <arg type='a(ss(sa{sv})tt)' name='temporary_authorizations' direction='out'/>"
+@@ -1035,6 +1041,57 @@ server_handle_authentication_agent_response (Server                 *server,
+   error = NULL;
+   if (!polkit_backend_authority_authentication_agent_response (server->authority,
+                                                                caller,
++                                                               (uid_t)-1,
++                                                               cookie,
++                                                               identity,
++                                                               &error))
++    {
++      g_dbus_method_invocation_return_gerror (invocation, error);
++      g_error_free (error);
++      goto out;
++    }
++
++  g_dbus_method_invocation_return_value (invocation, g_variant_new ("()"));
++
++ out:
++  if (identity != NULL)
++    g_object_unref (identity);
++}
++
++static void
++server_handle_authentication_agent_response2 (Server                 *server,
++                                              GVariant               *parameters,
++                                              PolkitSubject          *caller,
++                                              GDBusMethodInvocation  *invocation)
++{
++  const gchar *cookie;
++  GVariant *identity_gvariant;
++  PolkitIdentity *identity;
++  GError *error;
++  guint32 uid;
++
++  identity = NULL;
++
++  g_variant_get (parameters,
++                 "(u&s@(sa{sv}))",
++                 &uid,
++                 &cookie,
++                 &identity_gvariant);
++
++  error = NULL;
++  identity = polkit_identity_new_for_gvariant (identity_gvariant, &error);
++  if (identity == NULL)
++    {
++      g_prefix_error (&error, "Error getting identity: ");
++      g_dbus_method_invocation_return_gerror (invocation, error);
++      g_error_free (error);
++      goto out;
++    }
++
++  error = NULL;
++  if (!polkit_backend_authority_authentication_agent_response (server->authority,
++                                                               caller,
++                                                               (uid_t)uid,
+                                                                cookie,
+                                                                identity,
+                                                                &error))
+@@ -1222,6 +1279,8 @@ server_handle_method_call (GDBusConnection        *connection,
+     server_handle_unregister_authentication_agent (server, parameters, caller, invocation);
+   else if (g_strcmp0 (method_name, "AuthenticationAgentResponse") == 0)
+     server_handle_authentication_agent_response (server, parameters, caller, invocation);
++  else if (g_strcmp0 (method_name, "AuthenticationAgentResponse2") == 0)
++    server_handle_authentication_agent_response2 (server, parameters, caller, invocation);
+   else if (g_strcmp0 (method_name, "EnumerateTemporaryAuthorizations") == 0)
+     server_handle_enumerate_temporary_authorizations (server, parameters, caller, invocation);
+   else if (g_strcmp0 (method_name, "RevokeTemporaryAuthorizations") == 0)
+diff --git a/src/polkitbackend/polkitbackendauthority.h b/src/polkitbackend/polkitbackendauthority.h
+index a564054..1c212e0 100644
+--- a/src/polkitbackend/polkitbackendauthority.h
++++ b/src/polkitbackend/polkitbackendauthority.h
+@@ -154,6 +154,7 @@ struct _PolkitBackendAuthorityClass
+ 
+   gboolean (*authentication_agent_response) (PolkitBackendAuthority   *authority,
+                                              PolkitSubject            *caller,
++                                             uid_t                     uid,
+                                              const gchar              *cookie,
+                                              PolkitIdentity           *identity,
+                                              GError                  **error);
+@@ -256,6 +257,7 @@ gboolean polkit_backend_authority_unregister_authentication_agent (PolkitBackend
+ 
+ gboolean polkit_backend_authority_authentication_agent_response (PolkitBackendAuthority    *authority,
+                                                                  PolkitSubject             *caller,
++                                                                 uid_t                      uid,
+                                                                  const gchar               *cookie,
+                                                                  PolkitIdentity            *identity,
+                                                                  GError                   **error);
+diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
+index 10eda2c..5e29af2 100644
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -106,8 +106,9 @@ static AuthenticationAgent *get_authentication_agent_for_subject (PolkitBackendI
+                                                                   PolkitSubject *subject);
+ 
+ 
+-static AuthenticationSession *get_authentication_session_for_cookie (PolkitBackendInteractiveAuthority *authority,
+-                                                                     const gchar *cookie);
++static AuthenticationSession *get_authentication_session_for_uid_and_cookie (PolkitBackendInteractiveAuthority *authority,
++                                                                             uid_t                              uid,
++                                                                             const gchar                       *cookie);
+ 
+ static GList *get_authentication_sessions_initiated_by_system_bus_unique_name (PolkitBackendInteractiveAuthority *authority,
+                                                                                const gchar *system_bus_unique_name);
+@@ -167,6 +168,7 @@ static gboolean polkit_backend_interactive_authority_unregister_authentication_a
+ 
+ static gboolean polkit_backend_interactive_authority_authentication_agent_response (PolkitBackendAuthority   *authority,
+                                                                               PolkitSubject            *caller,
++                                                                              uid_t                     uid,
+                                                                               const gchar              *cookie,
+                                                                               PolkitIdentity           *identity,
+                                                                               GError                  **error);
+@@ -431,6 +433,7 @@ struct AuthenticationAgent
+ {
+   volatile gint ref_count;
+ 
++  uid_t creator_uid;
+   PolkitSubject *scope;
+   guint64 serial;
+ 
+@@ -1603,6 +1606,7 @@ authentication_agent_unref (AuthenticationAgent *agent)
+ static AuthenticationAgent *
+ authentication_agent_new (guint64      serial,
+                           PolkitSubject *scope,
++                          PolkitIdentity *creator,
+                           const gchar *unique_system_bus_name,
+                           const gchar *locale,
+                           const gchar *object_path,
+@@ -1611,6 +1615,10 @@ authentication_agent_new (guint64      serial,
+ {
+   AuthenticationAgent *agent;
+   GDBusProxy *proxy;
++  PolkitUnixUser *creator_user;
++
++  g_assert (POLKIT_IS_UNIX_USER (creator));
++  creator_user = POLKIT_UNIX_USER (creator);
+ 
+   if (!g_variant_is_object_path (object_path))
+     {
+@@ -1638,6 +1646,7 @@ authentication_agent_new (guint64      serial,
+   agent->ref_count = 1;
+   agent->serial = serial;
+   agent->scope = g_object_ref (scope);
++  agent->creator_uid = (uid_t)polkit_unix_user_get_uid (creator_user);
+   agent->object_path = g_strdup (object_path);
+   agent->unique_system_bus_name = g_strdup (unique_system_bus_name);
+   agent->locale = g_strdup (locale);
+@@ -1736,8 +1745,9 @@ get_authentication_agent_for_subject (PolkitBackendInteractiveAuthority *authori
+ }
+ 
+ static AuthenticationSession *
+-get_authentication_session_for_cookie (PolkitBackendInteractiveAuthority *authority,
+-                                       const gchar *cookie)
++get_authentication_session_for_uid_and_cookie (PolkitBackendInteractiveAuthority *authority,
++                                               uid_t                              uid,
++                                               const gchar                       *cookie)
+ {
+   PolkitBackendInteractiveAuthorityPrivate *priv;
+   GHashTableIter hash_iter;
+@@ -1755,6 +1765,23 @@ get_authentication_session_for_cookie (PolkitBackendInteractiveAuthority *author
+     {
+       GList *l;
+ 
++      /* We need to ensure that if somehow we have duplicate cookies
++       * due to wrapping, that the cookie used is matched to the user
++       * who called AuthenticationAgentResponse2.  See
++       * http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html
++       * 
++       * Except if the legacy AuthenticationAgentResponse is invoked,
++       * we don't know the uid and hence use -1.  Continue to support
++       * the old behavior for backwards compatibility, although everyone
++       * who is using our own setuid helper will automatically be updated
++       * to the new API.
++       */
++      if (uid != (uid_t)-1)
++        {
++          if (agent->creator_uid != uid)
++            continue;
++        }
++
+       for (l = agent->active_sessions; l != NULL; l = l->next)
+         {
+           AuthenticationSession *session = l->data;
+@@ -2388,6 +2415,7 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
+   priv->agent_serial++;
+   agent = authentication_agent_new (priv->agent_serial,
+                                     subject,
++                                    user_of_caller,
+                                     polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)),
+                                     locale,
+                                     object_path,
+@@ -2601,6 +2629,7 @@ polkit_backend_interactive_authority_unregister_authentication_agent (PolkitBack
+ static gboolean
+ polkit_backend_interactive_authority_authentication_agent_response (PolkitBackendAuthority   *authority,
+                                                               PolkitSubject            *caller,
++                                                              uid_t                     uid,
+                                                               const gchar              *cookie,
+                                                               PolkitIdentity           *identity,
+                                                               GError                  **error)
+@@ -2643,7 +2672,7 @@ polkit_backend_interactive_authority_authentication_agent_response (PolkitBacken
+     }
+ 
+   /* find the authentication session */
+-  session = get_authentication_session_for_cookie (interactive_authority, cookie);
++  session = get_authentication_session_for_uid_and_cookie (interactive_authority, uid, cookie);
+   if (session == NULL)
+     {
+       g_set_error (error,
diff --git a/debian/patches/0.113/CVE-2015-4625-Use-unpredictable-cookie-values-keep-t.patch b/debian/patches/0.113/CVE-2015-4625-Use-unpredictable-cookie-values-keep-t.patch
new file mode 100644
index 0000000..2fae0e7
--- /dev/null
+++ b/debian/patches/0.113/CVE-2015-4625-Use-unpredictable-cookie-values-keep-t.patch
@@ -0,0 +1,540 @@
+From: Colin Walters <walters@???>
+Date: Thu, 4 Jun 2015 12:15:18 -0400
+Subject: CVE-2015-4625: Use unpredictable cookie values, keep them secret
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Tavis noted that it'd be possible with a 32 bit counter for someone to
+cause the cookie to wrap by creating Authentication requests in a
+loop.
+
+Something important to note here is that wrapping of signed integers
+is undefined behavior in C, so we definitely want to fix that.  All
+counter integers used in this patch are unsigned.
+
+See the comment above `authentication_agent_generate_cookie` for
+details, but basically we're now using a cookie of the form:
+
+```
+        <agent serial> - <agent random id> - <session serial> - <session
+random id>
+```
+
+Which has multiple 64 bit counters, plus unpredictable random 128 bit
+integer ids (effectively UUIDs, but we're not calling them that
+because we don't need to be globally unique.
+
+We further ensure that the cookies are not visible to other processes
+by changing the setuid helper to accept them over standard input.  This
+means that an attacker would have to guess both ids.
+
+In any case, the security hole here is better fixed with the other
+change to bind user id (uid) of the agent with cookie lookups, making
+cookie guessing worthless.
+
+Nevertheless, I think it's worth doing this change too, for defense in
+depth.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90832
+CVE: CVE-2015-4625
+Reported-by: Tavis Ormandy <taviso@???>
+Reviewed-by: Miloslav Trmač <mitr@???>
+Signed-off-by: Colin Walters <walters@???>
+Origin: upstream, 0.113, commit:ea544ffc18405237ccd95d28d7f45afef49aca17
+Bug-Debian: https://bugs.debian.org/796134
+---
+ configure.ac                                       |  2 +-
+ src/polkitagent/polkitagenthelper-pam.c            | 12 ++-
+ src/polkitagent/polkitagenthelper-shadow.c         | 12 ++-
+ src/polkitagent/polkitagenthelperprivate.c         | 33 ++++++++
+ src/polkitagent/polkitagenthelperprivate.h         |  2 +
+ src/polkitagent/polkitagentsession.c               | 30 ++++---
+ .../polkitbackendinteractiveauthority.c            | 99 +++++++++++++++++-----
+ 7 files changed, 150 insertions(+), 40 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index aa2760f..388605d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -123,7 +123,7 @@ if test "x$GCC" = "xyes"; then
+   changequote([,])dnl
+ fi
+ 
+-PKG_CHECK_MODULES(GLIB, [gio-2.0 >= 2.28.0])
++PKG_CHECK_MODULES(GLIB, [gmodule-2.0 gio-unix-2.0 >= 2.30.0])
+ AC_SUBST(GLIB_CFLAGS)
+ AC_SUBST(GLIB_LIBS)
+ 
+diff --git a/src/polkitagent/polkitagenthelper-pam.c b/src/polkitagent/polkitagenthelper-pam.c
+index 85a2671..e1747c1 100644
+--- a/src/polkitagent/polkitagenthelper-pam.c
++++ b/src/polkitagent/polkitagenthelper-pam.c
+@@ -65,7 +65,7 @@ main (int argc, char *argv[])
+ {
+   int rc;
+   const char *user_to_auth;
+-  const char *cookie;
++  char *cookie = NULL;
+   struct pam_conv pam_conversation;
+   pam_handle_t *pam_h;
+   const void *authed_user;
+@@ -97,7 +97,7 @@ main (int argc, char *argv[])
+   openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+ 
+   /* check for correct invocation */
+-  if (argc != 3)
++  if (!(argc == 2 || argc == 3))
+     {
+       syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
+       fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
+@@ -105,7 +105,10 @@ main (int argc, char *argv[])
+     }
+ 
+   user_to_auth = argv[1];
+-  cookie = argv[2];
++
++  cookie = read_cookie (argc, argv);
++  if (!cookie)
++    goto error;
+ 
+   if (getuid () != 0)
+     {
+@@ -203,6 +206,8 @@ main (int argc, char *argv[])
+       goto error;
+     }
+ 
++  free (cookie);
++
+ #ifdef PAH_DEBUG
+   fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
+ #endif /* PAH_DEBUG */
+@@ -212,6 +217,7 @@ main (int argc, char *argv[])
+   return 0;
+ 
+ error:
++  free (cookie);
+   if (pam_h != NULL)
+     pam_end (pam_h, rc);
+ 
+diff --git a/src/polkitagent/polkitagenthelper-shadow.c b/src/polkitagent/polkitagenthelper-shadow.c
+index a4f73ac..e877915 100644
+--- a/src/polkitagent/polkitagenthelper-shadow.c
++++ b/src/polkitagent/polkitagenthelper-shadow.c
+@@ -46,7 +46,7 @@ main (int argc, char *argv[])
+ {
+   struct spwd *shadow;
+   const char *user_to_auth;
+-  const char *cookie;
++  char *cookie = NULL;
+   time_t now;
+ 
+   /* clear the entire environment to avoid attacks with
+@@ -67,7 +67,7 @@ main (int argc, char *argv[])
+   openlog ("polkit-agent-helper-1", LOG_CONS | LOG_PID, LOG_AUTHPRIV);
+ 
+   /* check for correct invocation */
+-  if (argc != 3)
++  if (!(argc == 2 || argc == 3))
+     {
+       syslog (LOG_NOTICE, "inappropriate use of helper, wrong number of arguments [uid=%d]", getuid ());
+       fprintf (stderr, "polkit-agent-helper-1: wrong number of arguments. This incident has been logged.\n");
+@@ -86,7 +86,10 @@ main (int argc, char *argv[])
+     }
+ 
+   user_to_auth = argv[1];
+-  cookie = argv[2];
++
++  cookie = read_cookie (argc, argv);
++  if (!cookie)
++    goto error;
+ 
+ #ifdef PAH_DEBUG
+   fprintf (stderr, "polkit-agent-helper-1: user to auth is '%s'.\n", user_to_auth);
+@@ -153,6 +156,8 @@ main (int argc, char *argv[])
+       goto error;
+     }
+ 
++  free (cookie);
++
+ #ifdef PAH_DEBUG
+   fprintf (stderr, "polkit-agent-helper-1: successfully sent D-Bus message to PolicyKit daemon\n");
+ #endif /* PAH_DEBUG */
+@@ -162,6 +167,7 @@ main (int argc, char *argv[])
+   return 0;
+ 
+ error:
++  free (cookie);
+   fprintf (stdout, "FAILURE\n");
+   flush_and_wait ();
+   return 1;
+diff --git a/src/polkitagent/polkitagenthelperprivate.c b/src/polkitagent/polkitagenthelperprivate.c
+index 4417e70..a99de7d 100644
+--- a/src/polkitagent/polkitagenthelperprivate.c
++++ b/src/polkitagent/polkitagenthelperprivate.c
+@@ -23,6 +23,7 @@
+ #include "config.h"
+ #include "polkitagenthelperprivate.h"
+ #include <stdio.h>
++#include <string.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+ 
+@@ -45,6 +46,38 @@ _polkit_clearenv (void)
+ #endif
+ 
+ 
++char *
++read_cookie (int argc, char **argv)
++{
++  /* As part of CVE-2015-4625, we started passing the cookie
++   * on standard input, to ensure it's not visible to other
++   * processes.  However, to ensure that things continue
++   * to work if the setuid binary is upgraded while old
++   * agents are still running (this will be common with
++   * package managers), we support both modes.
++   */
++  if (argc == 3)
++    return strdup (argv[2]);
++  else
++    {
++      char *ret = NULL;
++      size_t n = 0;
++      ssize_t r = getline (&ret, &n, stdin);
++      if (r == -1)
++        {
++          if (!feof (stdin))
++            perror ("getline");
++          free (ret);
++          return NULL;
++        }
++      else
++        {
++          g_strchomp (ret);
++          return ret;
++        }
++    }
++}
++
+ gboolean
+ send_dbus_message (const char *cookie, const char *user)
+ {
+diff --git a/src/polkitagent/polkitagenthelperprivate.h b/src/polkitagent/polkitagenthelperprivate.h
+index aeca2c7..547fdcc 100644
+--- a/src/polkitagent/polkitagenthelperprivate.h
++++ b/src/polkitagent/polkitagenthelperprivate.h
+@@ -38,6 +38,8 @@
+ 
+ int _polkit_clearenv (void);
+ 
++char *read_cookie (int argc, char **argv);
++
+ gboolean send_dbus_message (const char *cookie, const char *user);
+ 
+ void flush_and_wait ();
+diff --git a/src/polkitagent/polkitagentsession.c b/src/polkitagent/polkitagentsession.c
+index a658a22..6a3d6bc 100644
+--- a/src/polkitagent/polkitagentsession.c
++++ b/src/polkitagent/polkitagentsession.c
+@@ -55,6 +55,7 @@
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/wait.h>
++#include <gio/gunixoutputstream.h>
+ #include <pwd.h>
+ 
+ #include "polkitagentmarshal.h"
+@@ -88,7 +89,7 @@ struct _PolkitAgentSession
+   gchar *cookie;
+   PolkitIdentity *identity;
+ 
+-  int child_stdin;
++  GOutputStream *child_stdin;
+   int child_stdout;
+   GPid child_pid;
+ 
+@@ -129,7 +130,6 @@ G_DEFINE_TYPE (PolkitAgentSession, polkit_agent_session, G_TYPE_OBJECT);
+ static void
+ polkit_agent_session_init (PolkitAgentSession *session)
+ {
+-  session->child_stdin = -1;
+   session->child_stdout = -1;
+ }
+ 
+@@ -395,11 +395,7 @@ kill_helper (PolkitAgentSession *session)
+       session->child_stdout = -1;
+     }
+ 
+-  if (session->child_stdin != -1)
+-    {
+-      g_warn_if_fail (close (session->child_stdin) == 0);
+-      session->child_stdin = -1;
+-    }
++  g_clear_object (&session->child_stdin);
+ 
+   session->helper_is_running = FALSE;
+ 
+@@ -545,9 +541,9 @@ polkit_agent_session_response (PolkitAgentSession *session,
+ 
+   add_newline = (response[response_len] != '\n');
+ 
+-  write (session->child_stdin, response, response_len);
++  (void) g_output_stream_write_all (session->child_stdin, response, response_len, NULL, NULL, NULL);
+   if (add_newline)
+-    write (session->child_stdin, newline, 1);
++    (void) g_output_stream_write_all (session->child_stdin, newline, 1, NULL, NULL, NULL);
+ }
+ 
+ /**
+@@ -567,8 +563,9 @@ polkit_agent_session_initiate (PolkitAgentSession *session)
+ {
+   uid_t uid;
+   GError *error;
+-  gchar *helper_argv[4];
++  gchar *helper_argv[3];
+   struct passwd *passwd;
++  int stdin_fd = -1;
+ 
+   g_return_if_fail (POLKIT_AGENT_IS_SESSION (session));
+ 
+@@ -600,10 +597,8 @@ polkit_agent_session_initiate (PolkitAgentSession *session)
+ 
+   helper_argv[0] = PACKAGE_LIBEXEC_DIR "/polkit-agent-helper-1";
+   helper_argv[1] = passwd->pw_name;
+-  helper_argv[2] = session->cookie;
+-  helper_argv[3] = NULL;
++  helper_argv[2] = NULL;
+ 
+-  session->child_stdin = -1;
+   session->child_stdout = -1;
+ 
+   error = NULL;
+@@ -615,7 +610,7 @@ polkit_agent_session_initiate (PolkitAgentSession *session)
+                                  NULL,
+                                  NULL,
+                                  &session->child_pid,
+-                                 &session->child_stdin,
++                                 &stdin_fd,
+                                  &session->child_stdout,
+                                  NULL,
+                                  &error))
+@@ -628,6 +623,13 @@ polkit_agent_session_initiate (PolkitAgentSession *session)
+   if (G_UNLIKELY (_show_debug ()))
+     g_print ("PolkitAgentSession: spawned helper with pid %d\n", (gint) session->child_pid);
+ 
++  session->child_stdin = (GOutputStream*)g_unix_output_stream_new (stdin_fd, TRUE);
++
++  /* Write the cookie on stdin so it can't be seen by other processes */
++  (void) g_output_stream_write_all (session->child_stdin, session->cookie, strlen (session->cookie),
++                                    NULL, NULL, NULL);
++  (void) g_output_stream_write_all (session->child_stdin, "\n", 1, NULL, NULL, NULL);
++
+   session->child_stdout_channel = g_io_channel_unix_new (session->child_stdout);
+   session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel,
+                                                           G_IO_IN | G_IO_ERR | G_IO_HUP);
+diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
+index 00ee044..10eda2c 100644
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -212,6 +212,8 @@ typedef struct
+ 
+   GDBusConnection *system_bus_connection;
+   guint name_owner_changed_signal_id;
++
++  guint64 agent_serial;
+ } PolkitBackendInteractiveAuthorityPrivate;
+ 
+ /* ---------------------------------------------------------------------------------------------------- */
+@@ -430,11 +432,15 @@ struct AuthenticationAgent
+   volatile gint ref_count;
+ 
+   PolkitSubject *scope;
++  guint64 serial;
+ 
+   gchar *locale;
+   GVariant *registration_options;
+   gchar *object_path;
+   gchar *unique_system_bus_name;
++  GRand *cookie_pool;
++  gchar *cookie_prefix;
++  guint64  cookie_serial;
+ 
+   GDBusProxy *proxy;
+ 
+@@ -1430,9 +1436,54 @@ authentication_session_cancelled_cb (GCancellable *cancellable,
+   authentication_session_cancel (session);
+ }
+ 
++/* We're not calling this a UUID, but it's basically
++ * the same thing, just not formatted that way because:
++ *
++ *  - I'm too lazy to do it
++ *  - If we did, people might think it was actually
++ *    generated from /dev/random, which we're not doing
++ *    because this value doesn't actually need to be
++ *    globally unique.
++ */
++static void
++append_rand_u128_str (GString *buf,
++                      GRand   *pool)
++{
++  g_string_append_printf (buf, "%08x%08x%08x%08x",
++                          g_rand_int (pool),
++                          g_rand_int (pool),
++                          g_rand_int (pool),
++                          g_rand_int (pool));
++}
++
++/* A value that should be unique to the (AuthenticationAgent, AuthenticationSession)
++ * pair, and not guessable by other agents.
++ *
++ * <agent serial> - <agent uuid> - <session serial> - <session uuid>
++ *
++ * See http://lists.freedesktop.org/archives/polkit-devel/2015-June/000425.html
++ *
++ */
++static gchar *
++authentication_agent_generate_cookie (AuthenticationAgent *agent)
++{
++  GString *buf = g_string_new ("");
++
++  g_string_append (buf, agent->cookie_prefix);
++  
++  g_string_append_c (buf, '-');
++  agent->cookie_serial++;
++  g_string_append_printf (buf, "%" G_GUINT64_FORMAT, 
++                          agent->cookie_serial);
++  g_string_append_c (buf, '-');
++  append_rand_u128_str (buf, agent->cookie_pool);
++
++  return g_string_free (buf, FALSE);
++}
++
++
+ static AuthenticationSession *
+ authentication_session_new (AuthenticationAgent         *agent,
+-                            const gchar                 *cookie,
+                             PolkitSubject               *subject,
+                             PolkitIdentity              *user_of_subject,
+                             PolkitSubject               *caller,
+@@ -1449,7 +1500,7 @@ authentication_session_new (AuthenticationAgent         *agent,
+ 
+   session = g_new0 (AuthenticationSession, 1);
+   session->agent = authentication_agent_ref (agent);
+-  session->cookie = g_strdup (cookie);
++  session->cookie = authentication_agent_generate_cookie (agent);
+   session->subject = g_object_ref (subject);
+   session->user_of_subject = g_object_ref (user_of_subject);
+   session->caller = g_object_ref (caller);
+@@ -1496,16 +1547,6 @@ authentication_session_free (AuthenticationSession *session)
+   g_free (session);
+ }
+ 
+-static gchar *
+-authentication_agent_new_cookie (AuthenticationAgent *agent)
+-{
+-  static gint counter = 0;
+-
+-  /* TODO: use a more random-looking cookie */
+-
+-  return g_strdup_printf ("cookie%d", counter++);
+-}
+-
+ static PolkitSubject *
+ authentication_agent_get_scope (AuthenticationAgent *agent)
+ {
+@@ -1553,12 +1594,15 @@ authentication_agent_unref (AuthenticationAgent *agent)
+       g_free (agent->unique_system_bus_name);
+       if (agent->registration_options != NULL)
+         g_variant_unref (agent->registration_options);
++      g_rand_free (agent->cookie_pool);
++      g_free (agent->cookie_prefix);
+       g_free (agent);
+     }
+ }
+ 
+ static AuthenticationAgent *
+-authentication_agent_new (PolkitSubject *scope,
++authentication_agent_new (guint64      serial,
++                          PolkitSubject *scope,
+                           const gchar *unique_system_bus_name,
+                           const gchar *locale,
+                           const gchar *object_path,
+@@ -1592,6 +1636,7 @@ authentication_agent_new (PolkitSubject *scope,
+ 
+   agent = g_new0 (AuthenticationAgent, 1);
+   agent->ref_count = 1;
++  agent->serial = serial;
+   agent->scope = g_object_ref (scope);
+   agent->object_path = g_strdup (object_path);
+   agent->unique_system_bus_name = g_strdup (unique_system_bus_name);
+@@ -1599,6 +1644,25 @@ authentication_agent_new (PolkitSubject *scope,
+   agent->registration_options = registration_options != NULL ? g_variant_ref (registration_options) : NULL;
+   agent->proxy = proxy;
+ 
++  {
++    GString *cookie_prefix = g_string_new ("");
++    GRand *agent_private_rand = g_rand_new ();
++
++    g_string_append_printf (cookie_prefix, "%" G_GUINT64_FORMAT "-", agent->serial);
++
++    /* Use a uniquely seeded PRNG to get a prefix cookie for this agent,
++     * whose sequence will not correlate with the per-authentication session
++     * cookies.
++     */
++    append_rand_u128_str (cookie_prefix, agent_private_rand);
++    g_rand_free (agent_private_rand);
++
++    agent->cookie_prefix = g_string_free (cookie_prefix, FALSE);
++    
++    /* And a newly seeded pool for per-session cookies */
++    agent->cookie_pool = g_rand_new ();
++  }
++
+   return agent;
+ }
+ 
+@@ -2083,7 +2147,6 @@ authentication_agent_initiate_challenge (AuthenticationAgent         *agent,
+                                          gpointer                     user_data)
+ {
+   AuthenticationSession *session;
+-  gchar *cookie;
+   GList *l;
+   GList *identities;
+   gchar *localized_message;
+@@ -2104,8 +2167,6 @@ authentication_agent_initiate_challenge (AuthenticationAgent         *agent,
+                                     &localized_icon_name,
+                                     &localized_details);
+ 
+-  cookie = authentication_agent_new_cookie (agent);
+-
+   identities = NULL;
+ 
+   /* select admin user if required by the implicit authorization */
+@@ -2125,7 +2186,6 @@ authentication_agent_initiate_challenge (AuthenticationAgent         *agent,
+     }
+ 
+   session = authentication_session_new (agent,
+-                                        cookie,
+                                         subject,
+                                         user_of_subject,
+                                         caller,
+@@ -2179,7 +2239,6 @@ authentication_agent_initiate_challenge (AuthenticationAgent         *agent,
+ 
+   g_list_foreach (identities, (GFunc) g_object_unref, NULL);
+   g_list_free (identities);
+-  g_free (cookie);
+ 
+   g_free (localized_message);
+   g_free (localized_icon_name);
+@@ -2326,7 +2385,9 @@ polkit_backend_interactive_authority_register_authentication_agent (PolkitBacken
+       goto out;
+     }
+ 
+-  agent = authentication_agent_new (subject,
++  priv->agent_serial++;
++  agent = authentication_agent_new (priv->agent_serial,
++                                    subject,
+                                     polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (caller)),
+                                     locale,
+                                     object_path,
diff --git a/debian/patches/0.113/Don-t-discard-error-data-returned-by-polkit_system_b.patch b/debian/patches/0.113/Don-t-discard-error-data-returned-by-polkit_system_b.patch
new file mode 100644
index 0000000..e49e47e
--- /dev/null
+++ b/debian/patches/0.113/Don-t-discard-error-data-returned-by-polkit_system_b.patch
@@ -0,0 +1,29 @@
+From: Miloslav Trmač <mitr@???>
+Date: Mon, 11 Nov 2013 23:51:23 +0100
+Subject: [PATCH] Don't discard error data returned by
+ polkit_system_bus_name_get_user_sync
+
+https://bugs.freedesktop.org/show_bug.cgi?id=71458
+
+Origin: upstream, 0.113, commit: 145d43b9c891f248ad68ebe597cb151a865bdb3a
+Bug-Debian: https://bugs.debian.org/798769
+---
+ src/polkitbackend/polkitbackendsessionmonitor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/polkitbackend/polkitbackendsessionmonitor.c b/src/polkitbackend/polkitbackendsessionmonitor.c
+index 05f51c5..e1a9ab3 100644
+--- a/src/polkitbackend/polkitbackendsessionmonitor.c
++++ b/src/polkitbackend/polkitbackendsessionmonitor.c
+@@ -306,7 +306,7 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor
+     }
+   else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
+     {
+-      ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, NULL);
++      ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error);
+     }
+   else if (POLKIT_IS_UNIX_SESSION (subject))
+     {
+-- 
+2.1.4
+
diff --git a/debian/patches/0.113/Fix-a-crash-when-two-authentication-requests-are-in-.patch b/debian/patches/0.113/Fix-a-crash-when-two-authentication-requests-are-in-.patch
new file mode 100644
index 0000000..ee44531
--- /dev/null
+++ b/debian/patches/0.113/Fix-a-crash-when-two-authentication-requests-are-in-.patch
@@ -0,0 +1,36 @@
+From: =?utf-8?q?Miloslav_Trma=C4=8D?= <mitr@???>
+Date: Sat, 6 Jun 2015 01:07:08 +0200
+Subject: Fix a crash when two authentication requests are in flight.
+
+To reproduce:
+1. pkttyagent -p $$ # or another suitable PID
+2. pkcheck -p $that_pid -a org.freedesktop.policykit.exec -u
+3. pkcheck -p $that_pid -a org.freedesktop.policykit.exec -u
+4. Then, in the pkttyagent prompt, press Enter.
+
+polkit_agent_text_listener_initiate_authentication was already setting
+an appropriate error code, so the g_assert was unnecessary.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90879
+Origin: upstream, 0.113, commit:e2d2fafd106624ddfea4b17d3f40704b2031c00b
+---
+ src/polkitagent/polkitagenttextlistener.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/polkitagent/polkitagenttextlistener.c b/src/polkitagent/polkitagenttextlistener.c
+index b5c8a3f..e63c285 100644
+--- a/src/polkitagent/polkitagenttextlistener.c
++++ b/src/polkitagent/polkitagenttextlistener.c
+@@ -546,12 +546,10 @@ polkit_agent_text_listener_initiate_authentication_finish (PolkitAgentListener
+                                                            GAsyncResult         *res,
+                                                            GError              **error)
+ {
+-  PolkitAgentTextListener *listener = POLKIT_AGENT_TEXT_LISTENER (_listener);
+   gboolean ret;
+ 
+   g_warn_if_fail (g_simple_async_result_get_source_tag (G_SIMPLE_ASYNC_RESULT (res)) ==
+                   polkit_agent_text_listener_initiate_authentication);
+-  g_assert (listener->active_session == NULL);
+ 
+   ret = FALSE;
+ 
diff --git a/debian/patches/0.113/Fix-a-memory-leak-when-registering-an-authentication.patch b/debian/patches/0.113/Fix-a-memory-leak-when-registering-an-authentication.patch
new file mode 100644
index 0000000..b7fdcf4
--- /dev/null
+++ b/debian/patches/0.113/Fix-a-memory-leak-when-registering-an-authentication.patch
@@ -0,0 +1,22 @@
+From: =?utf-8?q?Miloslav_Trma=C4=8D?= <mitr@???>
+Date: Tue, 1 Jul 2014 20:00:48 +0200
+Subject: Fix a memory leak when registering an authentication agent
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69501
+Origin: upstream, 0.113, commit:ec039f9d7ede5b839f5511e26d5cd6ae9107cb2e
+---
+ src/polkitbackend/polkitbackendauthority.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/polkitbackend/polkitbackendauthority.c b/src/polkitbackend/polkitbackendauthority.c
+index 39eb5b9..afe5b90 100644
+--- a/src/polkitbackend/polkitbackendauthority.c
++++ b/src/polkitbackend/polkitbackendauthority.c
+@@ -900,6 +900,7 @@ server_handle_register_authentication_agent (Server                 *server,
+   g_dbus_method_invocation_return_value (invocation, g_variant_new ("()"));
+ 
+  out:
++  g_variant_unref (subject_gvariant);
+   if (subject != NULL)
+     g_object_unref (subject);
+ }
diff --git a/debian/patches/0.113/Fix-a-per-authorization-memory-leak.patch b/debian/patches/0.113/Fix-a-per-authorization-memory-leak.patch
new file mode 100644
index 0000000..eaafed6
--- /dev/null
+++ b/debian/patches/0.113/Fix-a-per-authorization-memory-leak.patch
@@ -0,0 +1,49 @@
+From: =?utf-8?q?Miloslav_Trma=C4=8D?= <mitr@???>
+Date: Tue, 1 Jul 2014 20:00:48 +0200
+Subject: Fix a per-authorization memory leak
+
+We were leaking PolkitAuthorizationResult on every request, primarily on
+the success path, but also on various error paths as well.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69501
+Origin: upstream, 0.113, commit:0f5852a4bdabe377ddcdbed09a0c1f95710e17fe
+---
+ src/polkitbackend/polkitbackendauthority.c            | 1 +
+ src/polkitbackend/polkitbackendinteractiveauthority.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/polkitbackend/polkitbackendauthority.c b/src/polkitbackend/polkitbackendauthority.c
+index 10b8af3..39eb5b9 100644
+--- a/src/polkitbackend/polkitbackendauthority.c
++++ b/src/polkitbackend/polkitbackendauthority.c
+@@ -714,6 +714,7 @@ check_auth_cb (GObject      *source_object,
+       g_variant_ref_sink (value);
+       g_dbus_method_invocation_return_value (data->invocation, g_variant_new ("(@(bba{ss}))", value));
+       g_variant_unref (value);
++      g_object_unref (result);
+     }
+ 
+   check_auth_data_free (data);
+diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
+index 5e29af2..73d0a0e 100644
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -1015,7 +1015,7 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority
+ 
+   /* Otherwise just return the result */
+   g_simple_async_result_set_op_res_gpointer (simple,
+-                                             result,
++                                             g_object_ref (result),
+                                              g_object_unref);
+   g_simple_async_result_complete (simple);
+   g_object_unref (simple);
+@@ -1032,6 +1032,9 @@ polkit_backend_interactive_authority_check_authorization (PolkitBackendAuthority
+   g_free (subject_str);
+   g_free (user_of_caller_str);
+   g_free (user_of_subject_str);
++
++  if (result != NULL)
++    g_object_unref (result);
+ }
+ 
+ /* ---------------------------------------------------------------------------------------------------- */
diff --git a/debian/patches/0.113/Fix-a-possible-NULL-dereference.patch b/debian/patches/0.113/Fix-a-possible-NULL-dereference.patch
new file mode 100644
index 0000000..ba685eb
--- /dev/null
+++ b/debian/patches/0.113/Fix-a-possible-NULL-dereference.patch
@@ -0,0 +1,35 @@
+From: =?utf-8?q?Miloslav_Trma=C4=8D?= <mitr@???>
+Date: Wed, 11 Jun 2014 22:36:50 +0200
+Subject: Fix a possible NULL dereference.
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+polkit_backend_session_monitor_get_user_for_subject() may return NULL
+(and because it is using external processes, we can’t really rule it
+out).  The code was already anticipating NULL in the cleanup section, so
+handle it also when actually using the value.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=80767
+Origin: upstream, 0.113, commit:6109543303def367b84eaac97d2ff9cefe735efb
+---
+ src/polkitbackend/polkitbackendinteractiveauthority.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/polkitbackend/polkitbackendinteractiveauthority.c b/src/polkitbackend/polkitbackendinteractiveauthority.c
+index 25e13fb..00ee044 100644
+--- a/src/polkitbackend/polkitbackendinteractiveauthority.c
++++ b/src/polkitbackend/polkitbackendinteractiveauthority.c
+@@ -557,7 +557,11 @@ log_result (PolkitBackendInteractiveAuthority    *authority,
+   user_of_subject = polkit_backend_session_monitor_get_user_for_subject (priv->session_monitor, subject, NULL);
+ 
+   subject_str = polkit_subject_to_string (subject);
+-  user_of_subject_str = polkit_identity_to_string (user_of_subject);
++
++  if (user_of_subject != NULL)
++    user_of_subject_str = polkit_identity_to_string (user_of_subject);
++  else
++    user_of_subject_str = g_strdup ("<unknown>");
+   caller_str = polkit_subject_to_string (caller);
+ 
+   subject_cmdline = _polkit_subject_get_cmdline (subject);
diff --git a/debian/patches/0.113/Fix-duplicate-GError-use-when-uid-is-missing.patch b/debian/patches/0.113/Fix-duplicate-GError-use-when-uid-is-missing.patch
new file mode 100644
index 0000000..f11cb3d
--- /dev/null
+++ b/debian/patches/0.113/Fix-duplicate-GError-use-when-uid-is-missing.patch
@@ -0,0 +1,32 @@
+From: =?utf-8?q?Miloslav_Trma=C4=8D?= <mitr@???>
+Date: Mon, 15 Sep 2014 19:45:15 +0200
+Subject: Fix duplicate GError use when "uid" is missing
+
+Some GLib versions complain loudly about this.
+
+To reproduce, call e.g. RegisterAuthenticationAgent with the following
+parameters:
+("unix-process", {"pid": __import__('gi.repository.GLib', globals(),
+locals(), ['Variant']).Variant("u", 1), "start-time":
+__import__('gi.repository.GLib', globals(), locals(),
+['Variant']).Variant("t", 1)}), "cs", "/"
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90877
+Origin: upstream, 0.113, commit:2c8738941be18ef05ce724df46547f41dbc02fb5
+---
+ src/polkit/polkitsubject.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c
+index aed5795..78ec745 100644
+--- a/src/polkit/polkitsubject.c
++++ b/src/polkit/polkitsubject.c
+@@ -424,7 +424,7 @@ polkit_subject_new_for_gvariant (GVariant  *variant,
+       start_time = g_variant_get_uint64 (v);
+       g_variant_unref (v);
+ 
+-      v = lookup_asv (details_gvariant, "uid", G_VARIANT_TYPE_INT32, error);
++      v = lookup_asv (details_gvariant, "uid", G_VARIANT_TYPE_INT32, NULL);
+       if (v != NULL)
+         {
+           uid = g_variant_get_int32 (v);
diff --git a/debian/patches/0.113/Fix-use-after-free-in-polkitagentsession.c.patch b/debian/patches/0.113/Fix-use-after-free-in-polkitagentsession.c.patch
new file mode 100644
index 0000000..6f7bd35
--- /dev/null
+++ b/debian/patches/0.113/Fix-use-after-free-in-polkitagentsession.c.patch
@@ -0,0 +1,32 @@
+From: =?utf-8?q?Miloslav_Trma=C4=8D?= <mitr@???>
+Date: Tue, 14 Apr 2015 22:27:41 +0200
+Subject: Fix use-after-free in polkitagentsession.c
+
+PolkitAgentTextListener's "completed" handler drops the last reference
+to the session; in fact this is explicitly recommended in the signal's
+documentation.  So we must not access any members of session after
+emitting the signal.
+
+Found while dealing with
+https://bugs.freedesktop.org/show_bug.cgi?id=69501
+
+Origin: upstream, 0.113, commit:efb6cd56a423ba15bb1f44ee3c4987aad5a5fd45
+---
+ src/polkitagent/polkitagentsession.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/polkitagent/polkitagentsession.c b/src/polkitagent/polkitagentsession.c
+index 6a3d6bc..46fbaf0 100644
+--- a/src/polkitagent/polkitagentsession.c
++++ b/src/polkitagent/polkitagentsession.c
+@@ -412,8 +412,9 @@ complete_session (PolkitAgentSession *session,
+     {
+       if (G_UNLIKELY (_show_debug ()))
+         g_print ("PolkitAgentSession: emitting ::completed(%s)\n", result ? "TRUE" : "FALSE");
+-      g_signal_emit_by_name (session, "completed", result);
+       session->have_emitted_completed = TRUE;
++      /* Note that the signal handler may drop the last reference to session. */
++      g_signal_emit_by_name (session, "completed", result);
+     }
+ }
+ 
diff --git a/debian/patches/0.113/Fixed-compilation-problem-in-the-backend.patch b/debian/patches/0.113/Fixed-compilation-problem-in-the-backend.patch
new file mode 100644
index 0000000..5e37113
--- /dev/null
+++ b/debian/patches/0.113/Fixed-compilation-problem-in-the-backend.patch
@@ -0,0 +1,26 @@
+From: Xabier Rodriguez Calvar <calvaris@???>
+Date: Sun, 10 Nov 2013 19:16:41 +0100
+Subject: [PATCH] Fixed compilation problem in the backend
+
+Origin: upstream, 0.113, commit: dbbb7dc60abdd970af0a8fae404484181fa909c9
+Bug-Debian: https://bugs.debian.org/798769
+---
+ src/polkitbackend/polkitbackendsessionmonitor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/polkitbackend/polkitbackendsessionmonitor.c b/src/polkitbackend/polkitbackendsessionmonitor.c
+index 4075d3f..05f51c5 100644
+--- a/src/polkitbackend/polkitbackendsessionmonitor.c
++++ b/src/polkitbackend/polkitbackendsessionmonitor.c
+@@ -306,7 +306,7 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor
+     }
+   else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
+     {
+-      ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject));
++      ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, NULL);
+     }
+   else if (POLKIT_IS_UNIX_SESSION (subject))
+     {
+-- 
+2.1.4
+
diff --git a/debian/patches/0.113/PolkitSystemBusName-Add-public-API-to-retrieve-Unix-.patch b/debian/patches/0.113/PolkitSystemBusName-Add-public-API-to-retrieve-Unix-.patch
new file mode 100644
index 0000000..a162aef
--- /dev/null
+++ b/debian/patches/0.113/PolkitSystemBusName-Add-public-API-to-retrieve-Unix-.patch
@@ -0,0 +1,166 @@
+From: Colin Walters <walters@???>
+Date: Wed, 21 Aug 2013 12:23:55 -0400
+Subject: PolkitSystemBusName: Add public API to retrieve Unix user
+
+And change the duplicated code in the backend session monitors to use
+it.  This just a code cleanup resulting from review after
+CVE-2013-4288.  There's no security impact from this patch, it just
+removes duplicated code.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69538
+Origin: upstream, 0.113, commit:904d8404d93dec45fce3b719eb1a626acc6b8a73
+---
+ src/polkit/polkitsystembusname.c                   | 56 ++++++++++++++++++++++
+ src/polkit/polkitsystembusname.h                   |  4 ++
+ .../polkitbackendsessionmonitor-systemd.c          | 20 +-------
+ src/polkitbackend/polkitbackendsessionmonitor.c    | 20 +-------
+ 4 files changed, 62 insertions(+), 38 deletions(-)
+
+diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
+index 2a297c4..51e4a69 100644
+--- a/src/polkit/polkitsystembusname.c
++++ b/src/polkit/polkitsystembusname.c
+@@ -25,6 +25,7 @@
+ 
+ #include <string.h>
+ #include "polkitsystembusname.h"
++#include "polkitunixuser.h"
+ #include "polkitsubject.h"
+ #include "polkitprivate.h"
+ 
+@@ -396,3 +397,58 @@ polkit_system_bus_name_get_process_sync (PolkitSystemBusName  *system_bus_name,
+   return ret;
+ }
+ 
++/**
++ * polkit_system_bus_name_get_user_sync:
++ * @system_bus_name: A #PolkitSystemBusName.
++ * @cancellable: (allow-none): A #GCancellable or %NULL.
++ * @error: (allow-none): Return location for error or %NULL.
++ *
++ * Synchronously gets a #PolkitUnixUser object for @system_bus_name;
++ * the calling thread is blocked until a reply is received.
++ *
++ * Returns: (allow-none) (transfer full): A #PolkitUnixUser object or %NULL if @error is set.
++ **/
++PolkitUnixUser *
++polkit_system_bus_name_get_user_sync (PolkitSystemBusName  *system_bus_name,
++                      GCancellable         *cancellable,
++                      GError              **error)
++{
++  GDBusConnection *connection;
++  PolkitUnixUser *ret;
++  GVariant *result;
++  guint32 uid;
++
++  g_return_val_if_fail (POLKIT_IS_SYSTEM_BUS_NAME (system_bus_name), NULL);
++  g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), NULL);
++  g_return_val_if_fail (error == NULL || *error == NULL, NULL);
++
++  ret = NULL;
++
++  connection = g_bus_get_sync (G_BUS_TYPE_SYSTEM, cancellable, error);
++  if (connection == NULL)
++    goto out;
++
++  result = g_dbus_connection_call_sync (connection,
++                                        "org.freedesktop.DBus",       /* name */
++                                        "/org/freedesktop/DBus",      /* object path */
++                                        "org.freedesktop.DBus",       /* interface name */
++                                        "GetConnectionUnixUser",      /* method */
++                                        g_variant_new ("(s)", system_bus_name->name),
++                                        G_VARIANT_TYPE ("(u)"),
++                                        G_DBUS_CALL_FLAGS_NONE,
++                                        -1,
++                                        cancellable,
++                                        error);
++  if (result == NULL)
++    goto out;
++
++  g_variant_get (result, "(u)", &uid);
++  g_variant_unref (result);
++
++  ret = (PolkitUnixUser*)polkit_unix_user_new (uid);
++
++ out:
++  if (connection != NULL)
++    g_object_unref (connection);
++  return ret;
++}
+diff --git a/src/polkit/polkitsystembusname.h b/src/polkit/polkitsystembusname.h
+index 1fc464f..38d31f7 100644
+--- a/src/polkit/polkitsystembusname.h
++++ b/src/polkit/polkitsystembusname.h
+@@ -56,6 +56,10 @@ PolkitSubject  *polkit_system_bus_name_get_process_sync   (PolkitSystemBusName
+                                                            GCancellable         *cancellable,
+                                                            GError              **error);
+ 
++PolkitUnixUser * polkit_system_bus_name_get_user_sync     (PolkitSystemBusName  *system_bus_name,
++                               GCancellable         *cancellable,
++                               GError              **error);
++
+ G_END_DECLS
+ 
+ #endif /* __POLKIT_SYSTEM_BUS_NAME_H */
+diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
+index 58593c3..0185310 100644
+--- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
++++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
+@@ -277,25 +277,7 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor
+     }
+   else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
+     {
+-      GVariant *result;
+-
+-      result = g_dbus_connection_call_sync (monitor->system_bus,
+-                                            "org.freedesktop.DBus",
+-                                            "/org/freedesktop/DBus",
+-                                            "org.freedesktop.DBus",
+-                                            "GetConnectionUnixUser",
+-                                            g_variant_new ("(s)", polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (subject))),
+-                                            G_VARIANT_TYPE ("(u)"),
+-                                            G_DBUS_CALL_FLAGS_NONE,
+-                                            -1, /* timeout_msec */
+-                                            NULL, /* GCancellable */
+-                                            error);
+-      if (result == NULL)
+-        goto out;
+-      g_variant_get (result, "(u)", &uid);
+-      g_variant_unref (result);
+-
+-      ret = polkit_unix_user_new (uid);
++      ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error);
+     }
+   else if (POLKIT_IS_UNIX_SESSION (subject))
+     {
+diff --git a/src/polkitbackend/polkitbackendsessionmonitor.c b/src/polkitbackend/polkitbackendsessionmonitor.c
+index 9c331b6..4075d3f 100644
+--- a/src/polkitbackend/polkitbackendsessionmonitor.c
++++ b/src/polkitbackend/polkitbackendsessionmonitor.c
+@@ -306,25 +306,7 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor
+     }
+   else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
+     {
+-      GVariant *result;
+-
+-      result = g_dbus_connection_call_sync (monitor->system_bus,
+-                                            "org.freedesktop.DBus",
+-                                            "/org/freedesktop/DBus",
+-                                            "org.freedesktop.DBus",
+-                                            "GetConnectionUnixUser",
+-                                            g_variant_new ("(s)", polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (subject))),
+-                                            G_VARIANT_TYPE ("(u)"),
+-                                            G_DBUS_CALL_FLAGS_NONE,
+-                                            -1, /* timeout_msec */
+-                                            NULL, /* GCancellable */
+-                                            error);
+-      if (result == NULL)
+-        goto out;
+-      g_variant_get (result, "(u)", &uid);
+-      g_variant_unref (result);
+-
+-      ret = polkit_unix_user_new (uid);
++      ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject));
+     }
+   else if (POLKIT_IS_UNIX_SESSION (subject))
+     {
diff --git a/debian/patches/0.113/Port-internals-non-deprecated-PolkitProcess-API-wher.patch b/debian/patches/0.113/Port-internals-non-deprecated-PolkitProcess-API-wher.patch
new file mode 100644
index 0000000..8a8fa3c
--- /dev/null
+++ b/debian/patches/0.113/Port-internals-non-deprecated-PolkitProcess-API-wher.patch
@@ -0,0 +1,29 @@
+From: Colin Walters <walters@???>
+Date: Sat, 9 Nov 2013 13:48:21 -0500
+Subject: Port internals non-deprecated PolkitProcess API where possible
+
+We can't port everything, but in PolkitPermission and these test
+cases, we can use _for_owner() with the right information.
+
+[smcv: drop the part that touches
+test/polkitbackend/test-polkitbackendjsauthority.c which is not
+in this branch]
+
+Origin: upstream, 0.113, commit:6d3d0a8ffb0fd8ae59eb35593b305ec87da8858d
+---
+ src/polkit/polkitpermission.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/polkit/polkitpermission.c b/src/polkit/polkitpermission.c
+index 22d195f..f8a666e 100644
+--- a/src/polkit/polkitpermission.c
++++ b/src/polkit/polkitpermission.c
+@@ -122,7 +122,7 @@ polkit_permission_constructed (GObject *object)
+   PolkitPermission *permission = POLKIT_PERMISSION (object);
+ 
+   if (permission->subject == NULL)
+-    permission->subject = polkit_unix_process_new (getpid ());
++    permission->subject = polkit_unix_process_new_for_owner (getpid (), 0, getuid ());
+ 
+   if (G_OBJECT_CLASS (polkit_permission_parent_class)->constructed != NULL)
+     G_OBJECT_CLASS (polkit_permission_parent_class)->constructed (object);
diff --git a/debian/patches/0.113/README-Note-to-send-security-reports-via-DBus-s-mech.patch b/debian/patches/0.113/README-Note-to-send-security-reports-via-DBus-s-mech.patch
new file mode 100644
index 0000000..9484699
--- /dev/null
+++ b/debian/patches/0.113/README-Note-to-send-security-reports-via-DBus-s-mech.patch
@@ -0,0 +1,39 @@
+From: Colin Walters <walters@???>
+Date: Thu, 4 Jun 2015 08:41:36 -0400
+Subject: README: Note to send security reports via DBus's mechanism
+
+This avoids duplicating effort.
+
+Origin: upstream, 0.113, commit:ccec766c509d16dab417582e94f43d906cefd4ae
+---
+ README | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/README b/README
+index b075162..0723002 100644
+--- a/README
++++ b/README
+@@ -22,6 +22,22 @@ To verify the authenticity of the compressed tarball, use this command
+ BUGS and DEVELOPMENT
+ ====================
+ 
+-Please report bugs via the freedesktop.org bugzilla at
++Please report non-security bugs via the freedesktop.org bugzilla at
+ 
+  https://bugs.freedesktop.org/enter_bug.cgi?product=PolicyKit
++
++SECURITY ISSUES
++===============
++
++polkit uses the same mechanism for reporting security issues as dbus,
++the most recent copy of instructions can be found in the DBus git
++repository:
++
++http://cgit.freedesktop.org/dbus/dbus/tree/HACKING
++
++A copy of the instructions as of 2015-06-04:
++
++If you find a security vulnerability that is not known to the public,
++please report it privately to dbus-security@???
++or by reporting a freedesktop.org bug that is marked as
++restricted to the "D-BUS security group".
diff --git a/debian/patches/0.113/Refuse-duplicate-user-arguments-to-pkexec.patch b/debian/patches/0.113/Refuse-duplicate-user-arguments-to-pkexec.patch
new file mode 100644
index 0000000..c64a87a
--- /dev/null
+++ b/debian/patches/0.113/Refuse-duplicate-user-arguments-to-pkexec.patch
@@ -0,0 +1,38 @@
+From: =?utf-8?q?Miloslav_Trma=C4=8D?= <mitr@???>
+Date: Tue, 26 Aug 2014 17:59:47 +0200
+Subject: Refuse duplicate --user arguments to pkexec
+
+This usage is clearly errorneous, so we should tell the users they are
+making a mistake.
+
+Besides, this allows an attacker to cause a high number of heap
+allocations with attacker-controlled sizes (
+http://googleprojectzero.blogspot.cz/2014/08/the-poisoned-nul-byte-2014-edition.html
+), making some exploits easier.
+
+(To be clear, this is not a pkexec vulnerability, and we will not
+refuse attacker-affected malloc() usage as a matter of policy; but this
+commit is both user-friendly and adding some hardening.)
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83093
+Origin: upstream, 0.113, commit:6c992bc8aefa195a41eaa41c07f46f17de18e25c
+---
+ src/programs/pkexec.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 5e99044..abc660d 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -533,6 +533,11 @@ main (int argc, char *argv[])
+               goto out;
+             }
+ 
++          if (opt_user != NULL)
++            {
++              g_printerr ("--user specified twice\n");
++              goto out;
++            }
+           opt_user = g_strdup (argv[n]);
+         }
+       else if (strcmp (argv[n], "--disable-internal-agent") == 0)
diff --git a/debian/patches/0.113/docs-Update-for-changes-to-uid-binding-Authenticatio.patch b/debian/patches/0.113/docs-Update-for-changes-to-uid-binding-Authenticatio.patch
new file mode 100644
index 0000000..451c299
--- /dev/null
+++ b/debian/patches/0.113/docs-Update-for-changes-to-uid-binding-Authenticatio.patch
@@ -0,0 +1,259 @@
+From: =?utf-8?q?Miloslav_Trma=C4=8D?= <mitr@???>
+Date: Wed, 17 Jun 2015 01:01:27 +0200
+Subject: docs: Update for changes to uid binding/AuthenticationAgentResponse2
+
+ - Refer to PolkitAgentSession in general instead of to _response only
+ - Revert to the original description of authentication cancellation, the
+   agent really needs to return an error to the caller (in addition to dealing
+   with the session if any).
+ - Explicitly document the UID assumption; in the process fixing bug #69980.
+ - Keep documenting that we need a sufficiently privileged caller.
+ - Refer to the ...Response2 API in more places.
+ - Also update docbook documentation.
+ - Drop a paragraph suggesting non-PolkitAgentSession implementations are
+   expected and commonplace.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=90837
+Reviewed-by: Colin Walters <walters@???>
+Origin: upstream, 0.113, commit:fb5076b7c05d01a532d593a4079a29cf2d63a228
+Bug-Debian: https://bugs.debian.org/796134
+---
+ ....freedesktop.PolicyKit1.AuthenticationAgent.xml |  6 +++---
+ data/org.freedesktop.PolicyKit1.Authority.xml      | 11 ++++++----
+ ....freedesktop.PolicyKit1.AuthenticationAgent.xml |  7 +++++--
+ ...erface-org.freedesktop.PolicyKit1.Authority.xml | 12 +++++++----
+ docs/polkit/overview.xml                           |  8 ++++----
+ src/polkit/polkitauthority.c                       | 24 ++++++++++++++++++++--
+ src/polkitagent/polkitagentlistener.c              |  5 +----
+ src/polkitbackend/polkitbackendauthority.c         |  1 +
+ 8 files changed, 51 insertions(+), 23 deletions(-)
+
+diff --git a/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml b/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml
+index 5beef7d..482332f 100644
+--- a/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml
++++ b/data/org.freedesktop.PolicyKit1.AuthenticationAgent.xml
+@@ -13,14 +13,14 @@
+       user to authenticate as one of the identities in @identities for
+       the action with the identifier @action_id.</para><para>This
+       authentication is normally achieved via the
+-      polkit_agent_session_response() API, which invokes a private
++      PolkitAgentSession API, which invokes a private
+       setuid helper process to verify the authentication.  When
+       successful, it calls the
+       org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2()
+       method on the #org.freedesktop.PolicyKit1.Authority interface of
+       the PolicyKit daemon before returning.  If the user dismisses the
+-      authentication dialog, the authentication agent should call
+-      polkit_agent_session_cancel().</para>"/>
++      authentication dialog, the authentication agent should return an
++      error.</para>"/>
+ 
+       <arg name="action_id" direction="in" type="s">
+         <annotation name="org.gtk.EggDBus.DocString" value="The identifier for the action that the user is authentication for."/>
+diff --git a/data/org.freedesktop.PolicyKit1.Authority.xml b/data/org.freedesktop.PolicyKit1.Authority.xml
+index f9021ee..88da3c0 100644
+--- a/data/org.freedesktop.PolicyKit1.Authority.xml
++++ b/data/org.freedesktop.PolicyKit1.Authority.xml
+@@ -283,7 +283,7 @@
+     <!-- ---------------------------------------------------------------------------------------------------- -->
+ 
+     <method name="RegisterAuthenticationAgent">
+-      <annotation name="org.gtk.EggDBus.DocString" value="<para>Register an authentication agent.</para><para>Note that current versions of PolicyKit will only work if @session_id is set to the empty string. In the future it might work for non-empty strings if the caller is sufficiently privileged.</para>"/>
++      <annotation name="org.gtk.EggDBus.DocString" value="<para>Register an authentication agent.</para><para>Note that this should be called by the same effective UID which will be passed to org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2().</para>"/>
+ 
+       <arg name="subject" direction="in" type="(sa{sv})">
+         <annotation name="org.gtk.EggDBus.Type" value="Subject"/>
+@@ -315,7 +315,8 @@
+     <method name="AuthenticationAgentResponse">
+       <annotation name="org.gtk.EggDBus.DocString" value="Method for authentication agents to invoke on successful
+ authentication, intended only for use by a privileged helper process
+-internal to polkit."/>
++internal to polkit. This method will fail unless a sufficiently privileged
++caller invokes it. Deprecated in favor of org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2."/>
+ 
+       <arg name="cookie" direction="in" type="s">
+         <annotation name="org.gtk.EggDBus.DocString" value="The cookie identifying the authentication request that was passed to the authentication agent."/>
+@@ -330,11 +331,13 @@ internal to polkit."/>
+     <method name="AuthenticationAgentResponse2">
+       <annotation name="org.gtk.EggDBus.DocString" value="Method for authentication agents to invoke on successful
+ authentication, intended only for use by a privileged helper process
+-internal to polkit.   Note this method was added in 0.114, and should be preferred over AuthenticationAgentResponse
++internal to polkit. This method will fail unless a sufficiently privileged
++caller invokes it. Note this method was added in 0.114, and should be preferred over org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse()
+ as it fixes a security issue."/>
+ 
+       <arg name="uid" direction="in" type="u">
+-        <annotation name="org.gtk.EggDBus.DocString" value="The real uid of the agent.  Normally set by the setuid helper program."/>
++        <annotation name="org.gtk.EggDBus.DocString" value="The real uid of the agent.  Normally set by the setuid helper program.
++Must match the effective UID of the caller of org.freedesktop.PolicyKit1.Authority.RegisterAuthenticationAgent()."/>
+       </arg>
+ 
+       <arg name="cookie" direction="in" type="s">
+diff --git a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.xml b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.xml
+index ec59626..ab27b2f 100644
+--- a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.xml
++++ b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.AuthenticationAgent.xml
+@@ -47,10 +47,13 @@ BeginAuthentication (IN  String               action_id,
+         identifier <parameter>action_id</parameter>.</para><para>Upon
+         succesful authentication, the authentication agent must invoke
+         the <link
+-        linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse">AuthenticationAgentResponse()</link>
++        linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2">AuthenticationAgentResponse2()</link>
+         method on the <link
+         linkend="eggdbus-interface-org.freedesktop.PolicyKit1.Authority">org.freedesktop.PolicyKit1.Authority</link>
+-        interface of the PolicyKit daemon before returning.
++        interface of the PolicyKit daemon before returning. This is normally
++        achieved via the <link linkend="PolkitAgentSession">PolkitAgentSession</link>
++        API, which invokes a private setuid helper process to verify the
++        authentication.
+       </para>
+       <para>
+         The authentication agent should not return until after authentication is complete.
+diff --git a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml
+index e66bf53..f2eed63 100644
+--- a/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml
++++ b/docs/polkit/docbook-interface-org.freedesktop.PolicyKit1.Authority.xml
+@@ -42,7 +42,7 @@ Structure    <link linkend="eggdbus-struct-TemporaryAuthorization">TemporaryAuth
+                                   IN  String                         object_path)
+ <link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse">AuthenticationAgentResponse</link>      (IN  String                         cookie,
+                                   IN  <link linkend="eggdbus-struct-Identity">Identity</link>                       identity)
+-<link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse">AuthenticationAgentResponse2</link>      (IN uint32 uid, IN  String                         cookie,
++<link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2">AuthenticationAgentResponse2</link>      (IN uint32 uid, IN  String                         cookie,
+                                   IN  <link linkend="eggdbus-struct-Identity">Identity</link>                       identity)
+ <link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.EnumerateTemporaryAuthorizations">EnumerateTemporaryAuthorizations</link> (IN  <link linkend="eggdbus-struct-Subject">Subject</link>                        subject,
+                                   OUT Array&lt;<link linkend="eggdbus-struct-TemporaryAuthorization">TemporaryAuthorization</link>&gt;  temporary_authorizations)
+@@ -701,7 +701,7 @@ RegisterAuthenticationAgent (IN  <link linkend="eggdbus-struct-Subject">Subject<
+                              IN  String   object_path)
+     </programlisting>
+     <para>
+-<para>Register an authentication agent.</para><para>Note that current versions of PolicyKit will only work if <parameter>session_id</parameter> is set to the empty string. In the future it might work for non-empty strings if the caller is sufficiently privileged.</para>
++<para>Register an authentication agent.</para><para>Note that this should be called by same effective UID which will be passed to <link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2">AuthenticationAgentResponse2()</link>.</para>
+     </para>
+ <variablelist role="params">
+   <varlistentry>
+@@ -781,7 +781,8 @@ AuthenticationAgentResponse (IN  String    cookie,
+     <para>
+ Method for authentication agents to invoke on successful
+ authentication, intended only for use by a privileged helper process
+-internal to polkit.  Deprecated in favor of AuthenticationAgentResponse2.
++internal to polkit. This method will fail unless a sufficiently privileged
+++caller invokes it. Deprecated in favor of <link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2">AuthenticationAgentResponse2()</link>.
+     </para>
+ <variablelist role="params">
+   <varlistentry>
+@@ -812,7 +813,10 @@ AuthenticationAgentResponse2 (IN  uint32 uid,
+     <para>
+ Method for authentication agents to invoke on successful
+ authentication, intended only for use by a privileged helper process
+-internal to polkit.  Note this method was introduced in 0.114 to fix a security issue.
++internal to polkit. This method will fail unless a sufficiently privileged
++caller invokes it. Note this method was introduced in 0.114 and should be
++preferred over <link linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse">AuthenticationAgentResponse()</link>
++as it fixes a security issue.
+     </para>
+ <variablelist role="params">
+   <varlistentry>
+diff --git a/docs/polkit/overview.xml b/docs/polkit/overview.xml
+index c29d8da..8ddb34c 100644
+--- a/docs/polkit/overview.xml
++++ b/docs/polkit/overview.xml
+@@ -73,11 +73,11 @@
+       linkend="eggdbus-interface-org.freedesktop.PolicyKit1.AuthenticationAgent">org.freedesktop.PolicyKit1.AuthenticationAgent</link>
+       D-Bus interface. Once the user is authenticated, (a privileged
+       part of) the agent invokes the <link
+-      linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse">AuthenticationAgentResponse()</link>
++      linkend="eggdbus-method-org.freedesktop.PolicyKit1.Authority.AuthenticationAgentResponse2">AuthenticationAgentResponse2()</link>
+       method.  This method should be treated as an internal
+-      implementation detail, and callers should use the public shared
+-      library API to invoke it, which currently uses a setuid helper
+-      program.
++      implementation detail, and callers should use the
++      <link linkend="PolkitAgentSession">PolkitAgentSession</link> API to invoke
++      it, which currently uses a setuid helper program.
+     </para>
+     <para>
+       The <link linkend="ref-authentication-agent-api">libpolkit-agent-1</link>
+diff --git a/src/polkit/polkitauthority.c b/src/polkit/polkitauthority.c
+index f45abc4..4e882e6 100644
+--- a/src/polkit/polkitauthority.c
++++ b/src/polkit/polkitauthority.c
+@@ -1038,6 +1038,10 @@ polkit_authority_check_authorization_sync (PolkitAuthority               *author
+  *
+  * Asynchronously registers an authentication agent.
+  *
++ * Note that this should be called by the same effective UID which will be
++ * the real UID using the #PolkitAgentSession API or otherwise calling
++ * polkit_authority_authentication_agent_response().
++ *
+  * When the operation is finished, @callback will be invoked in the
+  * <link linkend="g-main-context-push-thread-default">thread-default
+  * main loop</link> of the thread you are calling this method
+@@ -1129,7 +1133,13 @@ polkit_authority_register_authentication_agent_finish (PolkitAuthority *authorit
+  * @cancellable: (allow-none): A #GCancellable or %NULL.
+  * @error: (allow-none): Return location for error or %NULL.
+  *
+- * Registers an authentication agent. The calling thread is blocked
++ * Registers an authentication agent.
++ *
++ * Note that this should be called by the same effective UID which will be
++ * the real UID using the #PolkitAgentSession API or otherwise calling
++ * polkit_authority_authentication_agent_response().
++ *
++ * The calling thread is blocked
+  * until a reply is received. See
+  * polkit_authority_register_authentication_agent() for the
+  * asynchronous version.
+@@ -1178,6 +1188,10 @@ polkit_authority_register_authentication_agent_sync (PolkitAuthority     *author
+  *
+  * Asynchronously registers an authentication agent.
+  *
++ * Note that this should be called by the same effective UID which will be
++ * the real UID using the #PolkitAgentSession API or otherwise calling
++ * polkit_authority_authentication_agent_response().
++ *
+  * When the operation is finished, @callback will be invoked in the
+  * <link linkend="g-main-context-push-thread-default">thread-default
+  * main loop</link> of the thread you are calling this method
+@@ -1292,7 +1306,13 @@ polkit_authority_register_authentication_agent_with_options_finish (PolkitAuthor
+  * @cancellable: (allow-none): A #GCancellable or %NULL.
+  * @error: (allow-none): Return location for error or %NULL.
+  *
+- * Registers an authentication agent. The calling thread is blocked
++ * Registers an authentication agent.
++ *
++ * Note that this should be called by the same effective UID which will be
++ * the real UID using the #PolkitAgentSession API or otherwise calling
++ * polkit_authority_authentication_agent_response().
++ *
++ * The calling thread is blocked
+  * until a reply is received. See
+  * polkit_authority_register_authentication_agent_with_options() for the
+  * asynchronous version.
+diff --git a/src/polkitagent/polkitagentlistener.c b/src/polkitagent/polkitagentlistener.c
+index 0d97501..10dbfb9 100644
+--- a/src/polkitagent/polkitagentlistener.c
++++ b/src/polkitagent/polkitagentlistener.c
+@@ -37,10 +37,7 @@
+  *
+  * Typically authentication agents use #PolkitAgentSession to
+  * authenticate users (via passwords) and communicate back the
+- * authentication result to the PolicyKit daemon.  This is however not
+- * requirement. Depending on the system an authentication agent may
+- * use other means (such as a Yes/No dialog) to obtain sufficient
+- * evidence that the user is one of the requested identities.
++ * authentication result to the PolicyKit daemon.
+  *
+  * To register a #PolkitAgentListener with the PolicyKit daemon, use
+  * polkit_agent_listener_register() or
+diff --git a/src/polkitbackend/polkitbackendauthority.c b/src/polkitbackend/polkitbackendauthority.c
+index d1b1a25..10b8af3 100644
+--- a/src/polkitbackend/polkitbackendauthority.c
++++ b/src/polkitbackend/polkitbackendauthority.c
+@@ -343,6 +343,7 @@ polkit_backend_authority_unregister_authentication_agent (PolkitBackendAuthority
+  * polkit_backend_authority_authentication_agent_response:
+  * @authority: A #PolkitBackendAuthority.
+  * @caller: The system bus name that initiated the query.
++ * @uid: The real UID of the registered agent, or (uid_t)-1 if unknown.
+  * @cookie: The cookie passed to the authentication agent from the authority.
+  * @identity: The identity that was authenticated.
+  * @error: Return location for error or %NULL.
diff --git a/debian/patches/0.113/pkexec-Work-around-systemd-injecting-broken-XDG_RUNT.patch b/debian/patches/0.113/pkexec-Work-around-systemd-injecting-broken-XDG_RUNT.patch
new file mode 100644
index 0000000..e8e9b6b
--- /dev/null
+++ b/debian/patches/0.113/pkexec-Work-around-systemd-injecting-broken-XDG_RUNT.patch
@@ -0,0 +1,76 @@
+From: Colin Walters <walters@???>
+Date: Thu, 21 Nov 2013 17:39:37 -0500
+Subject: pkexec: Work around systemd injecting broken XDG_RUNTIME_DIR
+
+This workaround isn't too much code, and it's often better to fix bugs
+in two places anyways.
+
+For more information:
+
+See https://bugzilla.redhat.com/show_bug.cgi?id=753882
+See http://lists.freedesktop.org/archives/systemd-devel/2013-November/014370.html
+
+Origin: upstream, 0.113, commit:8635ffc16aeff6a07d675f861fe0dea03ea81d7e
+---
+ src/programs/pkexec.c | 33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 9a0570a..5e99044 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -139,8 +139,22 @@ pam_conversation_function (int n,
+   return PAM_CONV_ERR;
+ }
+ 
++/* A work around for:
++ * https://bugzilla.redhat.com/show_bug.cgi?id=753882
++ */
++static gboolean
++xdg_runtime_dir_is_owned_by (const char *path,
++                 uid_t       target_uid)
++{
++  struct stat stbuf;
++
++  return stat (path, &stbuf) == 0 &&
++    stbuf.st_uid == target_uid;
++}
++
+ static gboolean
+-open_session (const gchar *user_to_auth)
++open_session (const gchar *user_to_auth,
++          uid_t        target_uid)
+ {
+   gboolean ret;
+   gint rc;
+@@ -182,7 +196,19 @@ open_session (const gchar *user_to_auth)
+     {
+       guint n;
+       for (n = 0; envlist[n]; n++)
+-        putenv (envlist[n]);
++    {
++      const char *envitem = envlist[n];
++      
++      if (g_str_has_prefix (envitem, "XDG_RUNTIME_DIR="))
++        {
++          const char *eq = strchr (envitem, '=');
++          g_assert (eq);
++          if (!xdg_runtime_dir_is_owned_by (eq + 1, target_uid))
++        continue;
++        }
++
++      putenv (envlist[n]);
++    }
+       free (envlist);
+     }
+ 
+@@ -892,7 +918,8 @@ main (int argc, char *argv[])
+    * As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this.
+    */
+ #ifdef POLKIT_AUTHFW_PAM
+-  if (!open_session (pw->pw_name))
++  if (!open_session (pw->pw_name,
++             pw->pw_uid))
+     {
+       goto out;
+     }
diff --git a/debian/patches/0.113/polkitd-Fix-problem-with-removing-non-existent-sourc.patch b/debian/patches/0.113/polkitd-Fix-problem-with-removing-non-existent-sourc.patch
new file mode 100644
index 0000000..1737020
--- /dev/null
+++ b/debian/patches/0.113/polkitd-Fix-problem-with-removing-non-existent-sourc.patch
@@ -0,0 +1,23 @@
+From: Lukasz Skalski <l.skalski@???>
+Date: Tue, 22 Apr 2014 11:11:20 +0200
+Subject: polkitd: Fix problem with removing non-existent source
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=77167
+Applied-upstream: 0.113, commit:3ca4e00c7e003ea80aa96b499bc7cd83246d7108
+---
+ src/polkitd/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/polkitd/main.c b/src/polkitd/main.c
+index b21723f..f18fb91 100644
+--- a/src/polkitd/main.c
++++ b/src/polkitd/main.c
+@@ -93,7 +93,7 @@ on_sigint (gpointer user_data)
+ {
+   g_print ("Handling SIGINT\n");
+   g_main_loop_quit (loop);
+-  return FALSE;
++  return TRUE;
+ }
+ 
+ int
diff --git a/debian/patches/0.113/sessionmonitor-systemd-Deduplicate-code-paths.patch b/debian/patches/0.113/sessionmonitor-systemd-Deduplicate-code-paths.patch
new file mode 100644
index 0000000..e7d0a4b
--- /dev/null
+++ b/debian/patches/0.113/sessionmonitor-systemd-Deduplicate-code-paths.patch
@@ -0,0 +1,104 @@
+From: Colin Walters <walters@???>
+Date: Thu, 7 Nov 2013 15:57:50 -0500
+Subject: sessionmonitor-systemd: Deduplicate code paths
+
+We had the code to go from pid -> session duplicated.  If we have a
+PolkitSystemBusName, convert it to a PolkitUnixProcess.
+Then we can do PolkitUnixProcess -> pid -> session in one place.
+
+This is just a code cleanup.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69538
+Origin: upstream, 0.113, commit:26d0c0578211fb96fc8fe75572aa11ad6ecbf9b8
+---
+ .../polkitbackendsessionmonitor-systemd.c          | 63 ++++++++--------------
+ 1 file changed, 22 insertions(+), 41 deletions(-)
+
+diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
+index 0185310..756b728 100644
+--- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
++++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
+@@ -313,61 +313,42 @@ polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMoni
+                                                         PolkitSubject               *subject,
+                                                         GError                     **error)
+ {
+-  PolkitSubject *session;
+-
+-  session = NULL;
++  PolkitUnixProcess *tmp_process = NULL;
++  PolkitUnixProcess *process = NULL;
++  PolkitSubject *session = NULL;
++  char *session_id = NULL;
++  pid_t pid;
+ 
+   if (POLKIT_IS_UNIX_PROCESS (subject))
+-    {
+-      gchar *session_id;
+-      pid_t pid;
+-
+-      pid = polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (subject));
+-      if (sd_pid_get_session (pid, &session_id) < 0)
+-        goto out;
+-
+-      session = polkit_unix_session_new (session_id);
+-      free (session_id);
+-    }
++    process = POLKIT_UNIX_PROCESS (subject); /* We already have a process */
+   else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
+     {
+-      guint32 pid;
+-      gchar *session_id;
+-      GVariant *result;
+-
+-      result = g_dbus_connection_call_sync (monitor->system_bus,
+-                                            "org.freedesktop.DBus",
+-                                            "/org/freedesktop/DBus",
+-                                            "org.freedesktop.DBus",
+-                                            "GetConnectionUnixProcessID",
+-                                            g_variant_new ("(s)", polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (subject))),
+-                                            G_VARIANT_TYPE ("(u)"),
+-                                            G_DBUS_CALL_FLAGS_NONE,
+-                                            -1, /* timeout_msec */
+-                                            NULL, /* GCancellable */
+-                                            error);
+-      if (result == NULL)
+-        goto out;
+-      g_variant_get (result, "(u)", &pid);
+-      g_variant_unref (result);
+-
+-      if (sd_pid_get_session (pid, &session_id) < 0)
+-        goto out;
+-
+-      session = polkit_unix_session_new (session_id);
+-      free (session_id);
++      /* Convert bus name to process */
++      tmp_process = (PolkitUnixProcess*)polkit_system_bus_name_get_process_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error);
++      if (!tmp_process)
++    goto out;
++      process = tmp_process;
+     }
+   else
+     {
+       g_set_error (error,
+                    POLKIT_ERROR,
+                    POLKIT_ERROR_NOT_SUPPORTED,
+-                   "Cannot get user for subject of type %s",
++                   "Cannot get session for subject of type %s",
+                    g_type_name (G_TYPE_FROM_INSTANCE (subject)));
+     }
+ 
+- out:
++  /* Now do process -> pid -> session */
++  g_assert (process != NULL);
++  pid = polkit_unix_process_get_pid (process);
+ 
++  if (sd_pid_get_session (pid, &session_id) < 0)
++    goto out;
++  
++  session = polkit_unix_session_new (session_id);
++  free (session_id);
++ out:
++  if (tmp_process) g_object_unref (tmp_process);
+   return session;
+ }
+ 
diff --git a/debian/patches/0.113/sessionmonitor-systemd-Use-sd_uid_get_state-to-check.patch b/debian/patches/0.113/sessionmonitor-systemd-Use-sd_uid_get_state-to-check.patch
new file mode 100644
index 0000000..7c0ca4b
--- /dev/null
+++ b/debian/patches/0.113/sessionmonitor-systemd-Use-sd_uid_get_state-to-check.patch
@@ -0,0 +1,73 @@
+From: Philip Withnall <philip.withnall@???>
+Date: Tue, 2 Jun 2015 16:19:51 +0100
+Subject: sessionmonitor-systemd: Use sd_uid_get_state() to check session
+ activity
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Instead of using sd_pid_get_session() then sd_session_is_active() to
+determine whether the user is active, use sd_uid_get_state() directly.
+This gets the maximum of the states of all the user’s sessions, rather
+than the state of the session containing the subject process. Since the
+user is the security boundary, this is fine.
+
+This change is necessary for `systemd --user` sessions, where most user
+code will be forked off user@.service, rather than running inside the
+logind session (whether that be a foreground/active or background/online
+session).
+
+Policy-wise, the change is from checking whether the subject process is
+in an active session; to checking whether the subject process is owned
+by a user with at least one active session.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=76358
+Applied-upstream: 0.113, commit:a29653ffa99e0809e15aa34afcd7b2df8593871c
+Bug-Debian: https://bugs.debian.org/779988
+---
+ .../polkitbackendsessionmonitor-systemd.c          | 33 +++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
+index ebd05ce..6bd517a 100644
+--- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
++++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
+@@ -391,6 +391,37 @@ gboolean
+ polkit_backend_session_monitor_is_session_active (PolkitBackendSessionMonitor *monitor,
+                                                   PolkitSubject               *session)
+ {
+-  return sd_session_is_active (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (session)));
++  const char *session_id;
++  char *state;
++  uid_t uid;
++  gboolean is_active = FALSE;
++
++  session_id = polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (session));
++
++  g_debug ("Checking whether session %s is active.", session_id);
++
++  /* Check whether *any* of the user's current sessions are active. */
++  if (sd_session_get_uid (session_id, &uid) < 0)
++    goto fallback;
++
++  g_debug ("Session %s has UID %u.", session_id, uid);
++
++  if (sd_uid_get_state (uid, &state) < 0)
++    goto fallback;
++
++  g_debug ("UID %u has state %s.", uid, state);
++
++  is_active = (g_strcmp0 (state, "active") == 0);
++  free (state);
++
++  return is_active;
++
++fallback:
++  /* Fall back to checking the session. This is not ideal, since the user
++   * might have multiple sessions, and we cannot guarantee to have chosen
++   * the active one.
++   *
++   * See: https://bugs.freedesktop.org/show_bug.cgi?id=76358. */
++  return sd_session_is_active (session_id);
+ }
+ 
diff --git a/debian/patches/0.113/sessionmonitor-systemd-prepare-for-D-Bus-user-bus-mo.patch b/debian/patches/0.113/sessionmonitor-systemd-prepare-for-D-Bus-user-bus-mo.patch
new file mode 100644
index 0000000..a722170
--- /dev/null
+++ b/debian/patches/0.113/sessionmonitor-systemd-prepare-for-D-Bus-user-bus-mo.patch
@@ -0,0 +1,89 @@
+From: Kay Sievers <kay@???>
+Date: Mon, 19 May 2014 10:19:49 +0900
+Subject: sessionmonitor-systemd: prepare for D-Bus "user bus" model
+
+In the D-Bus "user bus" model, all sessions of a user share the same
+D-Bus instance, a polkit requesting process might live outside the
+login session which registered the user's polkit agent.
+
+In case a polkit requesting process is not part of the user's login
+session, we ask systemd-logind for the the user's "display" session
+instead.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78905
+Bug-Debian: https://bugs.debian.org/779988
+Applied-upstream: 0.113, commit:a68f5dfd7662767b7b9822090b70bc5bd145c50c
+[smcv: backport configure.ac changes; fail with #error if the required
+API is not found]
+---
+ configure.ac                                       |  4 +++
+ .../polkitbackendsessionmonitor-systemd.c          | 29 ++++++++++++++++++----
+ 2 files changed, 28 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index f4a0c41..aa2760f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -165,6 +165,10 @@ if test "$enable_systemd" != "no"; then
+                     have_systemd=no)
+   if test "$have_systemd" = "yes"; then
+     SESSION_TRACKING=systemd
++    save_LIBS=$LIBS
++    LIBS=$SYSTEMD_LIBS
++    AC_CHECK_FUNCS(sd_uid_get_display)
++    LIBS=$save_LIBS
+   else
+     if test "$enable_systemd" = "yes"; then
+       AC_MSG_ERROR([systemd support requested but libsystemd-login1 library not found])
+diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
+index 756b728..ebd05ce 100644
+--- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
++++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
+@@ -318,6 +318,9 @@ polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMoni
+   PolkitSubject *session = NULL;
+   char *session_id = NULL;
+   pid_t pid;
++#if HAVE_SD_UID_GET_DISPLAY
++  uid_t uid;
++#endif
+ 
+   if (POLKIT_IS_UNIX_PROCESS (subject))
+     process = POLKIT_UNIX_PROCESS (subject); /* We already have a process */
+@@ -338,16 +341,32 @@ polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMoni
+                    g_type_name (G_TYPE_FROM_INSTANCE (subject)));
+     }
+ 
+-  /* Now do process -> pid -> session */
++  /* Now do process -> pid -> same session */
+   g_assert (process != NULL);
+   pid = polkit_unix_process_get_pid (process);
+ 
+-  if (sd_pid_get_session (pid, &session_id) < 0)
++  if (sd_pid_get_session (pid, &session_id) >= 0)
++    {
++      session = polkit_unix_session_new (session_id);
++      goto out;
++    }
++
++#if HAVE_SD_UID_GET_DISPLAY
++  /* Now do process -> uid -> graphical session (systemd version 213)*/
++  if (sd_pid_get_owner_uid (pid, &uid) < 0)
+     goto out;
+-  
+-  session = polkit_unix_session_new (session_id);
+-  free (session_id);
++
++  if (sd_uid_get_display (uid, &session_id) >= 0)
++    {
++      session = polkit_unix_session_new (session_id);
++      goto out;
++    }
++#else
++#error Debian should have sd_uid_get_display()
++#endif
++
+  out:
++  free (session_id);
+   if (tmp_process) g_object_unref (tmp_process);
+   return session;
+ }
diff --git a/debian/patches/01_pam_polkit.patch b/debian/patches/01_pam_polkit.patch
index 17cbb3b..1da6a83 100644
--- a/debian/patches/01_pam_polkit.patch
+++ b/debian/patches/01_pam_polkit.patch
@@ -1,7 +1,16 @@
-Index: trunk/data/polkit-1.in
-===================================================================
---- trunk.orig/data/polkit-1.in
-+++ trunk/data/polkit-1.in
+From: Michael Biebl <biebl@???>
+Date: Tue, 2 Oct 2007 22:38:04 +0200
+Subject: Use Debian's common-* PAM infrastructure, plus pam_env
+
+Forwarded: no, Debian-specific
+---
+ data/polkit-1.in | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/data/polkit-1.in b/data/polkit-1.in
+index 142dadd..b890276 100644
+--- a/data/polkit-1.in
++++ b/data/polkit-1.in
 @@ -1,6 +1,8 @@
  #%PAM-1.0


@@ -14,4 +23,4 @@ Index: trunk/data/polkit-1.in
 +@include common-password
 +session       required   pam_env.so readenv=1 user_readenv=0
 +session       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
-+@include common-session
++@include common-session-noninteractive
diff --git a/debian/patches/02_gettext.patch b/debian/patches/02_gettext.patch
index 8079481..7b2f07b 100644
--- a/debian/patches/02_gettext.patch
+++ b/debian/patches/02_gettext.patch
@@ -1,18 +1,17 @@
-From c28ef44e1ba82e1a3419c740ac0bbb8aaa591bcd Mon Sep 17 00:00:00 2001
 From: Robert Ancell <robert.ancell@???>
 Date: Wed, 18 Aug 2010 16:26:15 +1000
-Subject: [PATCH] Use gettext for translations in .policy files
+Subject: Use gettext for translations in .policy files
+
 Bug: http://bugs.freedesktop.org/show_bug.cgi?id=29639
 Bug-Ubuntu: https://launchpad.net/bugs/619632
-
 ---
- src/polkitbackend/polkitbackendactionpool.c |   48 +++++++++++++++++++++++++++
- 1 files changed, 48 insertions(+), 0 deletions(-)
+ src/polkitbackend/polkitbackendactionpool.c | 49 +++++++++++++++++++++++++++++
+ 1 file changed, 49 insertions(+)


-Index: policykit/src/polkitbackend/polkitbackendactionpool.c
-===================================================================
---- policykit.orig/src/polkitbackend/polkitbackendactionpool.c    2011-04-20 12:02:27.366174916 +0200
-+++ policykit/src/polkitbackend/polkitbackendactionpool.c    2011-08-08 14:14:31.713738052 +0200
+diff --git a/src/polkitbackend/polkitbackendactionpool.c b/src/polkitbackend/polkitbackendactionpool.c
+index 4270d4e..e2dbf9e 100644
+--- a/src/polkitbackend/polkitbackendactionpool.c
++++ b/src/polkitbackend/polkitbackendactionpool.c
 @@ -24,6 +24,8 @@
  #include <pwd.h>
  #include <string.h>
@@ -22,7 +21,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c


  #include <polkit/polkit.h>
  #include <polkit/polkitprivate.h>
-@@ -45,7 +47,9 @@
+@@ -44,7 +46,9 @@ typedef struct
    gchar *vendor_url;
    gchar *icon_name;
    gchar *description;
@@ -32,7 +31,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c


    PolkitImplicitAuthorization implicit_authorization_any;
    PolkitImplicitAuthorization implicit_authorization_inactive;
-@@ -67,7 +71,9 @@
+@@ -65,7 +69,9 @@ parsed_action_free (ParsedAction *action)
    g_free (action->vendor_url);
    g_free (action->icon_name);
    g_free (action->description);
@@ -42,7 +41,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c


    g_hash_table_unref (action->localized_description);
    g_hash_table_unref (action->localized_message);
-@@ -87,6 +93,7 @@
+@@ -85,6 +91,7 @@ static void ensure_all_files (PolkitBackendActionPool *pool);


  static const gchar *_localize (GHashTable *translations,
                                 const gchar *untranslated,
@@ -50,7 +49,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c
                                 const gchar *lang);


typedef struct
-@@ -387,9 +394,11 @@
+@@ -385,9 +392,11 @@ polkit_backend_action_pool_get_action (PolkitBackendActionPool *pool,

    description = _localize (parsed_action->localized_description,
                             parsed_action->description,
@@ -62,7 +61,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c
                         locale);


    ret = polkit_action_description_new (action_id,
-@@ -605,11 +614,16 @@
+@@ -603,11 +612,16 @@ typedef struct {
    GHashTable *policy_messages;


    char *policy_description_nolang;
@@ -79,7 +78,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c
    char *annotate_key;
    GHashTable *annotations;


-@@ -631,8 +645,12 @@
+@@ -629,8 +643,12 @@ pd_unref_action_data (ParserData *pd)

    g_free (pd->policy_description_nolang);
    pd->policy_description_nolang = NULL;
@@ -92,7 +91,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c
    if (pd->policy_descriptions != NULL)
      {
        g_hash_table_unref (pd->policy_descriptions);
-@@ -652,6 +670,8 @@
+@@ -650,6 +668,8 @@ pd_unref_action_data (ParserData *pd)
      }
    g_free (pd->elem_lang);
    pd->elem_lang = NULL;
@@ -101,7 +100,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c
  }


  static void
-@@ -739,6 +759,10 @@
+@@ -737,6 +757,10 @@ _start (void *data, const char *el, const char **attr)
              {
                pd->elem_lang = g_strdup (attr[1]);
              }
@@ -112,7 +111,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c
            state = STATE_IN_ACTION_DESCRIPTION;
          }
        else if (strcmp (el, "message") == 0)
-@@ -747,6 +771,10 @@
+@@ -745,6 +769,10 @@ _start (void *data, const char *el, const char **attr)
              {
                pd->elem_lang = g_strdup (attr[1]);
              }
@@ -123,7 +122,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c
            state = STATE_IN_ACTION_MESSAGE;
          }
        else if (strcmp (el, "vendor") == 0 && num_attr == 0)
-@@ -849,6 +877,7 @@
+@@ -847,6 +875,7 @@ _cdata (void *data, const char *s, int len)
          {
            g_free (pd->policy_description_nolang);
            pd->policy_description_nolang = str;
@@ -131,7 +130,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c
            str = NULL;
          }
        else
-@@ -865,6 +894,7 @@
+@@ -863,6 +892,7 @@ _cdata (void *data, const char *s, int len)
          {
            g_free (pd->policy_message_nolang);
            pd->policy_message_nolang = str;
@@ -139,7 +138,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c
            str = NULL;
          }
        else
-@@ -962,6 +992,8 @@
+@@ -960,6 +990,8 @@ _end (void *data, const char *el)


    g_free (pd->elem_lang);
    pd->elem_lang = NULL;
@@ -148,7 +147,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c


    switch (pd->state)
      {
-@@ -993,7 +1025,9 @@
+@@ -990,7 +1022,9 @@ _end (void *data, const char *el)
          action->vendor_url = g_strdup (vendor_url);
          action->icon_name = g_strdup (icon_name);
          action->description = g_strdup (pd->policy_description_nolang);
@@ -158,7 +157,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c


          action->localized_description = pd->policy_descriptions;
          action->localized_message     = pd->policy_messages;
-@@ -1095,6 +1129,7 @@
+@@ -1093,6 +1127,7 @@ error:
   * _localize:
   * @translations: a mapping from xml:lang to the value, e.g. 'da' -> 'Smadre', 'en_CA' -> 'Punch, Aye!'
   * @untranslated: the untranslated value, e.g. 'Punch'
@@ -166,7 +165,7 @@ Index: policykit/src/polkitbackend/polkitbackendactionpool.c
   * @lang: the locale we're interested in, e.g. 'da_DK', 'da', 'en_CA', 'en_US'; basically just $LANG
   * with the encoding cut off. Maybe be NULL.
   *
-@@ -1105,11 +1140,25 @@
+@@ -1103,11 +1138,25 @@ error:
  static const gchar *
  _localize (GHashTable *translations,
             const gchar *untranslated,
diff --git a/debian/patches/03_complete_session.patch b/debian/patches/03_complete_session.patch
deleted file mode 100644
index 7984313..0000000
--- a/debian/patches/03_complete_session.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From: James Westby <james.westby@???>
-Date: Thu, 28 Oct 2010 09:14:26 -0400
-Subject: Fix the race that leads to the password box disappearing, but the dialog remaining.
-Bug: http://bugs.freedesktop.org/show_bug.cgi?id=30515
-Bug-Ubuntu: https://launchpad.net/bugs/649939
-Bug-Ubuntu: https://launchpad.net/bugs/445303
-
-Index: policykit-1/src/polkitagent/polkitagentsession.c
-===================================================================
---- policykit-1.orig/src/polkitagent/polkitagentsession.c    2012-04-24 19:44:21.195751945 +0200
-+++ policykit-1/src/polkitagent/polkitagentsession.c    2012-04-24 21:03:20.487887522 +0200
-@@ -435,6 +435,7 @@
-                   gpointer user_data)
- {
-   PolkitAgentSession *session = POLKIT_AGENT_SESSION (user_data);
-+  GMainContext *context = g_main_context_default();
- 
-   if (G_UNLIKELY (_show_debug ()))
-     {
-@@ -446,6 +447,11 @@
- 
-   /* kill all the watches we have set up, except for the child since it has exited already */
-   session->child_pid = 0;
-+  /* Allow the stdout of the child to be processed if we haven't finished yet */
-+  while (g_main_context_pending(context))
-+    {
-+      g_main_context_iteration(context, FALSE);
-+    }
-   complete_session (session, FALSE);
- }
- 
-@@ -650,15 +656,15 @@
-   if (G_UNLIKELY (_show_debug ()))
-     g_print ("PolkitAgentSession: spawned helper with pid %d\n", (gint) session->child_pid);
- 
--  session->child_watch_source = g_child_watch_source_new (session->child_pid);
--  g_source_set_callback (session->child_watch_source, (GSourceFunc) child_watch_func, session, NULL);
--  g_source_attach (session->child_watch_source, g_main_context_get_thread_default ());
--
-   session->child_stdout_channel = g_io_channel_unix_new (session->child_stdout);
-   session->child_stdout_watch_source = g_io_create_watch (session->child_stdout_channel, G_IO_IN);
-   g_source_set_callback (session->child_stdout_watch_source, (GSourceFunc) io_watch_have_data, session, NULL);
-   g_source_attach (session->child_stdout_watch_source, g_main_context_get_thread_default ());
- 
-+  session->child_watch_source = g_child_watch_source_new (session->child_pid);
-+  g_source_set_callback (session->child_watch_source, (GSourceFunc) child_watch_func, session, NULL);
-+  g_source_attach (session->child_watch_source, g_main_context_get_thread_default ());
-+
- 
-   session->success = FALSE;
- 
diff --git a/debian/patches/03_polkitunixsession_sessionid_from_display.patch b/debian/patches/03_polkitunixsession_sessionid_from_display.patch
new file mode 100644
index 0000000..247e15f
--- /dev/null
+++ b/debian/patches/03_polkitunixsession_sessionid_from_display.patch
@@ -0,0 +1,37 @@
+Author: Sebastien Bacher <seb128@???>
+Description: Add fallback if agent is not running in a logind session
+ This fixes polkit with dbus-user-session.
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=96977
+
+Index: policykit-1/src/polkit/polkitunixsession-systemd.c
+===================================================================
+--- policykit-1.orig/src/polkit/polkitunixsession-systemd.c
++++ policykit-1/src/polkit/polkitunixsession-systemd.c
+@@ -451,6 +451,7 @@ polkit_unix_session_initable_init (GInit
+   PolkitUnixSession *session = POLKIT_UNIX_SESSION (initable);
+   gboolean ret = FALSE;
+   char *s;
++  uid_t uid;
+ 
+   if (session->session_id != NULL)
+     {
+@@ -467,6 +468,19 @@ polkit_unix_session_initable_init (GInit
+       goto out;
+     }
+ 
++  /* Now do process -> uid -> graphical session (systemd version 213)*/
++  if (sd_pid_get_owner_uid (session->pid, &uid) < 0)
++    goto error;
++
++  if (sd_uid_get_display (uid, &s) >= 0)
++    {
++      session->session_id =  g_strdup (s);
++      free (s);
++      ret = TRUE;
++      goto out;
++    }
++
++error:
+   g_set_error (error,
+                POLKIT_ERROR,
+                POLKIT_ERROR_FAILED,
diff --git a/debian/patches/05_revert-admin-identities-unix-group-wheel.patch b/debian/patches/05_revert-admin-identities-unix-group-wheel.patch
index 1562e69..bd6e9b9 100644
--- a/debian/patches/05_revert-admin-identities-unix-group-wheel.patch
+++ b/debian/patches/05_revert-admin-identities-unix-group-wheel.patch
@@ -1,36 +1,32 @@
-From 1892aeb9c13841335a4ac383e8a787a3c2728c45 Mon Sep 17 00:00:00 2001
 From: Michael Biebl <biebl@???>
 Date: Fri, 9 Dec 2011 00:31:21 +0100
-Subject: [PATCH] Revert "Default to AdminIdentities=unix-group:wheel for
- local authority"
+Subject: Revert "Default to AdminIdentities=unix-group:wheel for local
+ authority"


 This reverts commit 763faf434b445c20ae9529100d3ef5290976d0c9.
+
+On Red Hat derivatives, every member of group 'wheel' is necessarily
+privileged. On Debian derivatives, there is no wheel group, and gid 0
+(root) is not used in this way. Change the default rule to consider
+uid 0 to be privileged, instead.
+
+On Red Hat derivatives, 50-default.rules is not preserved by upgrades;
+on dpkg-based systems, it is a proper conffile and may be edited
+(at the sysadmin's own risk), so the comment about not editing it is
+misleading.
+
+[smcv: added longer explanation of why we make this change;
+remove unrelated cosmetic change to a man page]
+
+Forwarded: no, Debian-specific
 ---
- docs/man/pklocalauthority.xml            |    4 ++--
- src/polkitbackend/50-localauthority.conf |    2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
+ src/polkitbackend/50-localauthority.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)


-Index: policykit/docs/man/pklocalauthority.xml
-===================================================================
---- policykit.orig/docs/man/pklocalauthority.xml    2012-01-06 10:34:01.830221577 +0100
-+++ policykit/docs/man/pklocalauthority.xml    2012-01-06 10:39:24.206237179 +0100
-@@ -385,10 +385,10 @@
-     </para>
-     <programlisting>
- [Configuration]
--AdminIdentities=unix-group:staff
-+AdminIdentities=unix-group:desktop_admin_r
-     </programlisting>
-     <para>
--      specifies that any user in the <literal>staff</literal> UNIX
-+      that any user in the <literal>desktop_admin_r</literal> UNIX
-       group can be used for authentication when administrator
-       authentication is needed. This file would typically be installed
-       in the <filename>/etc/polkit-1/localauthority.conf.d</filename>
-Index: policykit/src/polkitbackend/50-localauthority.conf
-===================================================================
---- policykit.orig/src/polkitbackend/50-localauthority.conf    2012-01-06 10:33:58.254221404 +0100
-+++ policykit/src/polkitbackend/50-localauthority.conf    2012-01-06 10:39:24.210237180 +0100
+diff --git a/src/polkitbackend/50-localauthority.conf b/src/polkitbackend/50-localauthority.conf
+index 5e44bde..20e0ba3 100644
+--- a/src/polkitbackend/50-localauthority.conf
++++ b/src/polkitbackend/50-localauthority.conf
 @@ -7,4 +7,4 @@
  #


diff --git a/debian/patches/06_systemd-service.patch b/debian/patches/06_systemd-service.patch
index f8e9a63..de0ce00 100644
--- a/debian/patches/06_systemd-service.patch
+++ b/debian/patches/06_systemd-service.patch
@@ -1,9 +1,18 @@
-Index: policykit-1/data/org.freedesktop.PolicyKit1.service.in
-===================================================================
---- policykit-1.orig/data/org.freedesktop.PolicyKit1.service.in    2012-02-01 01:54:58.291191682 +0100
-+++ policykit-1/data/org.freedesktop.PolicyKit1.service.in    2012-02-11 23:45:15.946856853 +0100
+From: Michael Biebl <biebl@???>
+Date: Sat, 11 Feb 2012 23:48:29 +0100
+Subject: Install systemd service file for polkitd.
+
+Forwarded: no, obsoleted by an upstream commit in 0.106
+---
+ data/org.freedesktop.PolicyKit1.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/data/org.freedesktop.PolicyKit1.service.in b/data/org.freedesktop.PolicyKit1.service.in
+index b6cd02b..ba3a1b6 100644
+--- a/data/org.freedesktop.PolicyKit1.service.in
++++ b/data/org.freedesktop.PolicyKit1.service.in
 @@ -2,3 +2,4 @@
  Name=org.freedesktop.PolicyKit1
  Exec=@libexecdir@/polkitd --no-debug
  User=root
-+SystemdService=polkitd.service
++SystemdService=polkit.service
diff --git a/debian/patches/09_pam_environment.patch b/debian/patches/09_pam_environment.patch
deleted file mode 100644
index f0e137c..0000000
--- a/debian/patches/09_pam_environment.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Author: Steve Langasek <steve.langasek@???>
-Description: set process environment from pam_getenvlist()
- Various pam modules provide environment variables that are intended to be
- set in the environment of the pam session.  pkexec needs to process the
- output of pam_getenvlist() to get these.
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/982684
-Index: trunk/src/programs/pkexec.c
-===================================================================
---- trunk.orig/src/programs/pkexec.c
-+++ trunk/src/programs/pkexec.c
-@@ -145,6 +145,7 @@
-   gboolean ret;
-   gint rc;
-   pam_handle_t *pam_h;
-+  char **envlist;
-   struct pam_conv conversation;
- 
-   ret = FALSE;
-@@ -176,6 +177,14 @@
- 
-   ret = TRUE;
- 
-+  envlist = pam_getenvlist (pam_h);
-+  if (envlist != NULL) {
-+    int i;
-+    for (i = 0; envlist[i]; i++)
-+      putenv(envlist[i]);
-+    free (envlist);
-+  }
-+
- out:
-   if (pam_h != NULL)
-     pam_end (pam_h, rc);
diff --git a/debian/patches/10_build-against-libsystemd.patch b/debian/patches/10_build-against-libsystemd.patch
new file mode 100644
index 0000000..6230a63
--- /dev/null
+++ b/debian/patches/10_build-against-libsystemd.patch
@@ -0,0 +1,32 @@
+From: Michael Biebl <biebl@???>
+Date: Wed, 8 Jul 2015 02:08:33 +0200
+Subject: Build against libsystemd
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779756
+Forwarded: no, obsoleted by upstream commit 2291767a014f5a04a92ca6f0eb472794f212ca67 in 0.113
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 388605d..f55ddb7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -160,7 +160,7 @@ AC_ARG_ENABLE([systemd],
+               [enable_systemd=auto])
+ if test "$enable_systemd" != "no"; then
+   PKG_CHECK_MODULES(SYSTEMD,
+-                    [libsystemd-login],
++                    [libsystemd],
+                     have_systemd=yes,
+                     have_systemd=no)
+   if test "$have_systemd" = "yes"; then
+@@ -171,7 +171,7 @@ if test "$enable_systemd" != "no"; then
+     LIBS=$save_LIBS
+   else
+     if test "$enable_systemd" = "yes"; then
+-      AC_MSG_ERROR([systemd support requested but libsystemd-login1 library not found])
++      AC_MSG_ERROR([systemd support requested but libsystemd library not found])
+     fi
+   fi
+ fi
diff --git a/debian/patches/master/Add-gettext-support-for-.policy-files.patch b/debian/patches/master/Add-gettext-support-for-.policy-files.patch
new file mode 100644
index 0000000..e2603b3
--- /dev/null
+++ b/debian/patches/master/Add-gettext-support-for-.policy-files.patch
@@ -0,0 +1,88 @@
+From 7eef6482fd3831bfae73a3576230af5341aaf53f Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@???>
+Date: Fri, 15 Jul 2016 11:12:35 -0400
+Subject: [PATCH] Add gettext support for .policy files
+
+gettext can extract strings from and merge them back into xml
+file formats, with the help of .its files.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=96940
+
+---
+
+Author: Peter Hutterer <peter.hutterer@???>
+Date:   Thu Oct 20 10:50:58 2016 +1000
+gettext: switch to default-translate "no"
+
+The default appears to be to translate all entries. This rule never takes
+effect, the path to /action/message and /action/description is wrong (/action
+is not a root node). Since we wanted them to be translated, it doesn't matter.
+
+But it also translates all other tags (vendor, allow_any, etc.) and that
+causes polkit to be unhappy, it can't handle the various language versions of
+"no"
+
+** (polkitd:27434): WARNING **: Unknown PolkitImplicitAuthorization string
+'tidak'
+
+Switch to a default of "no" and explicitly include the message and description
+strings to be translated.
+
+The patch was modified for PolicyKit by Ondrej Holy <oholy@???>.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=98366
+
+Origin: upstream, commit:c78819245ff8a270f97c9f800773e727918be838 commit:32e9a69c335324a53a2c0ba4e0b513fb044be0fd
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863207
+
+---
+ data/Makefile.am | 3 +++
+ data/polkit.its  | 8 ++++++++
+ data/polkit.loc  | 6 ++++++
+ 3 files changed, 17 insertions(+)
+ create mode 100644 data/polkit.its
+ create mode 100644 data/polkit.loc
+
+diff --git a/data/Makefile.am b/data/Makefile.am
+index f0beeba..7ea361d 100644
+--- a/data/Makefile.am
++++ b/data/Makefile.am
+@@ -20,6 +20,9 @@ endif
+ pkgconfigdir = $(libdir)/pkgconfig
+ pkgconfig_DATA = polkit-gobject-1.pc polkit-backend-1.pc polkit-agent-1.pc
+ 
++itsdir = $(datadir)/gettext/its
++its_DATA = polkit.loc polkit.its
++
+ CLEANFILES = $(BUILT_SOURCES)
+ 
+ EXTRA_DIST =                             \
+diff --git a/data/polkit.its b/data/polkit.its
+new file mode 100644
+index 0000000..1c37e6b
+--- /dev/null
++++ b/data/polkit.its
+@@ -0,0 +1,8 @@
++<?xml version="1.0"?>
++<its:rules xmlns:its="http://www.w3.org/2005/11/its"
++           version="2.0">
++  <its:translateRule selector="//*" translate="no"/>
++  <its:translateRule selector="//action/description |
++                               //action/message"
++                     translate="yes"/>
++</its:rules>
+diff --git a/data/polkit.loc b/data/polkit.loc
+new file mode 100644
+index 0000000..c7427ec
+--- /dev/null
++++ b/data/polkit.loc
+@@ -0,0 +1,6 @@
++<?xml version="1.0"?>
++<locatingRules>
++  <locatingRule name="polkit policy" pattern="*.policy">
++    <documentRule localName="policyconfig" target="polkit.its"/>
++  </locatingRule>
++</locatingRules>
+-- 
+2.11.0
+
diff --git a/debian/patches/master/Fix-multi-line-pam-text-info.patch b/debian/patches/master/Fix-multi-line-pam-text-info.patch
new file mode 100644
index 0000000..3717ff4
--- /dev/null
+++ b/debian/patches/master/Fix-multi-line-pam-text-info.patch
@@ -0,0 +1,134 @@
+Description: Escape helper output to handle multiline messages
+ Some pam modules produce multiline messages which caused errors in
+ PolkitAgentSession as the subsequent lines were interpreted as separate
+ messages unrecognized by the authenticator. Escaping every message allows
+ to avoid such behaviour.
+Author: Dariusz Gadomski <dariusz.gadomski@???>
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1510824
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=92886
+Origin: upstream
+
+--- policykit-1-0.105.orig/src/polkitagent/polkitagenthelper-pam.c
++++ policykit-1-0.105/src/polkitagent/polkitagenthelper-pam.c
+@@ -39,25 +39,35 @@ static void
+ send_to_helper (const gchar *str1,
+                 const gchar *str2)
+ {
++  char *escaped;
++  char *tmp2;
++  size_t len2;
++
++  tmp2 = g_strdup(str2);
++  len2 = strlen(tmp2);
+ #ifdef PAH_DEBUG
+-  fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", str1);
++  fprintf (stderr, "polkit-agent-helper-1: writing `%s ' to stdout\n", str1);
+ #endif /* PAH_DEBUG */
+-  fprintf (stdout, "%s", str1);
++  fprintf (stdout, "%s ", str1);
++
++  if (len2 > 0 && tmp2[len2 - 1] == '\n')
++    tmp2[len2 - 1] = '\0';
++  escaped = g_strescape (tmp2, NULL);
+ #ifdef PAH_DEBUG
+-  fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", str2);
++  fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", escaped);
+ #endif /* PAH_DEBUG */
+-  fprintf (stdout, "%s", str2);
+-  if (strlen (str2) > 0 && str2[strlen (str2) - 1] != '\n')
+-    {
++  fprintf (stdout, "%s", escaped);
+ #ifdef PAH_DEBUG
+-      fprintf (stderr, "polkit-agent-helper-1: writing newline to stdout\n");
++  fprintf (stderr, "polkit-agent-helper-1: writing newline to stdout\n");
+ #endif /* PAH_DEBUG */
+-      fputc ('\n', stdout);
+-    }
++  fputc ('\n', stdout);
+ #ifdef PAH_DEBUG
+   fprintf (stderr, "polkit-agent-helper-1: flushing stdout\n");
+ #endif /* PAH_DEBUG */
+   fflush (stdout);
++
++  g_free (escaped);
++  g_free (tmp2);
+ }
+ 
+ int
+@@ -89,7 +99,7 @@ main (int argc, char *argv[])
+ 
+       /* Special-case a very common error triggered in jhbuild setups */
+       s = g_strdup_printf ("Incorrect permissions on %s (needs to be setuid root)", argv[0]);
+-      send_to_helper ("PAM_ERROR_MSG ", s);
++      send_to_helper ("PAM_ERROR_MSG", s);
+       g_free (s);
+       goto error;
+     }
+@@ -232,7 +242,6 @@ conversation_function (int n, const stru
+   struct pam_response *aresp;
+   char buf[PAM_MAX_RESP_SIZE];
+   int i;
+-  gchar *escaped = NULL;
+ 
+   data = data;
+   if (n <= 0 || n > PAM_MAX_NUM_MSG)
+@@ -249,35 +258,13 @@ conversation_function (int n, const stru
+         {
+ 
+         case PAM_PROMPT_ECHO_OFF:
+-#ifdef PAH_DEBUG
+-          fprintf (stderr, "polkit-agent-helper-1: writing `PAM_PROMPT_ECHO_OFF ' to stdout\n");
+-#endif /* PAH_DEBUG */
+-          fprintf (stdout, "PAM_PROMPT_ECHO_OFF ");
++          send_to_helper ("PAM_PROMPT_ECHO_OFF", msg[i]->msg);
+           goto conv1;
+ 
+         case PAM_PROMPT_ECHO_ON:
+-#ifdef PAH_DEBUG
+-          fprintf (stderr, "polkit-agent-helper-1: writing `PAM_PROMPT_ECHO_ON ' to stdout\n");
+-#endif /* PAH_DEBUG */
+-          fprintf (stdout, "PAM_PROMPT_ECHO_ON ");
+-        conv1:
+-#ifdef PAH_DEBUG
+-          fprintf (stderr, "polkit-agent-helper-1: writing `%s' to stdout\n", msg[i]->msg);
+-#endif /* PAH_DEBUG */
+-          if (strlen (msg[i]->msg) > 0 && msg[i]->msg[strlen (msg[i]->msg) - 1] == '\n')
+-            msg[i]->msg[strlen (msg[i]->msg) - 1] == '\0';
+-          escaped = g_strescape (msg[i]->msg, NULL);
+-          fputs (escaped, stdout);
+-          g_free (escaped);
+-#ifdef PAH_DEBUG
+-          fprintf (stderr, "polkit-agent-helper-1: writing newline to stdout\n");
+-#endif /* PAH_DEBUG */
+-          fputc ('\n', stdout);
+-#ifdef PAH_DEBUG
+-          fprintf (stderr, "polkit-agent-helper-1: flushing stdout\n");
+-#endif /* PAH_DEBUG */
+-          fflush (stdout);
++          send_to_helper ("PAM_PROMPT_ECHO_ON", msg[i]->msg);
+ 
++        conv1:
+           if (fgets (buf, sizeof buf, stdin) == NULL)
+             goto error;
+ 
+@@ -291,17 +278,11 @@ conversation_function (int n, const stru
+           break;
+ 
+         case PAM_ERROR_MSG:
+-          fprintf (stdout, "PAM_ERROR_MSG ");
+-          goto conv2;
++          send_to_helper ("PAM_ERROR_MSG", msg[i]->msg);
++          break;
+ 
+         case PAM_TEXT_INFO:
+-          fprintf (stdout, "PAM_TEXT_INFO ");
+-        conv2:
+-          fputs (msg[i]->msg, stdout);
+-          if (strlen (msg[i]->msg) > 0 &&
+-              msg[i]->msg[strlen (msg[i]->msg) - 1] != '\n')
+-            fputc ('\n', stdout);
+-          fflush (stdout);
++          send_to_helper ("PAM_TEXT_INFO", msg[i]->msg);
+           break;
+ 
+         default:
diff --git a/debian/patches/series b/debian/patches/series
index 144357d..a769c52 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,11 +1,37 @@
 00_devuan-fix-builds.patch
+0.110/07_set-XAUTHORITY-environment-variable-if-unset.patch
+0.110/04_get_cwd.patch
+0.111/09_pam_environment.patch
+0.112/00git_type_registration.patch
+0.112/08_deprecate_racy_APIs.patch
+0.112/cve-2013-4288.patch
+0.113/Port-internals-non-deprecated-PolkitProcess-API-wher.patch
+0.113/pkexec-Work-around-systemd-injecting-broken-XDG_RUNT.patch
+0.113/03_PolkitAgentSession-fix-race-between-child-and-io-wat.patch
+0.113/polkitd-Fix-problem-with-removing-non-existent-sourc.patch
+0.113/PolkitSystemBusName-Add-public-API-to-retrieve-Unix-.patch
+0.113/Fixed-compilation-problem-in-the-backend.patch
+0.113/Don-t-discard-error-data-returned-by-polkit_system_b.patch
+0.113/sessionmonitor-systemd-Deduplicate-code-paths.patch
+0.113/sessionmonitor-systemd-prepare-for-D-Bus-user-bus-mo.patch
+0.113/Refuse-duplicate-user-arguments-to-pkexec.patch
+0.113/00git_fix_memleak.patch
+0.113/00git_invalid_object_paths.patch
+0.113/sessionmonitor-systemd-Use-sd_uid_get_state-to-check.patch
+0.113/Fix-a-possible-NULL-dereference.patch
+0.113/Fix-duplicate-GError-use-when-uid-is-missing.patch
+0.113/Fix-a-crash-when-two-authentication-requests-are-in-.patch
+0.113/CVE-2015-4625-Use-unpredictable-cookie-values-keep-t.patch
+0.113/CVE-2015-4625-Bind-use-of-cookies-to-specific-uids.patch
+0.113/docs-Update-for-changes-to-uid-binding-Authenticatio.patch
+0.113/Fix-a-per-authorization-memory-leak.patch
+0.113/Fix-a-memory-leak-when-registering-an-authentication.patch
+0.113/CVE-2015-3255-Fix-GHashTable-usage.patch
+0.113/Fix-use-after-free-in-polkitagentsession.c.patch
+0.113/README-Note-to-send-security-reports-via-DBus-s-mech.patch
+master/Fix-multi-line-pam-text-info.patch
+master/Add-gettext-support-for-.policy-files.patch
 01_pam_polkit.patch
 02_gettext.patch
-03_complete_session.patch
-04_get_cwd.patch
+03_polkitunixsession_sessionid_from_display.patch
 05_revert-admin-identities-unix-group-wheel.patch
-#06_systemd-service.patch
-07_set-XAUTHORITY-environment-variable-if-unset.patch
-08_deprecate_racy_APIs.patch
-cve-2013-4288.patch
-09_pam_environment.patch
diff --git a/debian/policykit-1.install b/debian/policykit-1.install
index 9a927b3..ed9a935 100644
--- a/debian/policykit-1.install
+++ b/debian/policykit-1.install
@@ -1,11 +1,13 @@
-etc/pam.d/
+debian/polkit.service lib/systemd/system/
 etc/dbus-1/
+etc/pam.d/
 etc/polkit-1/
 usr/bin/
 usr/lib/*/polkit-1/extensions/*.so
 usr/lib/policykit-1/
-usr/share/man/
-usr/share/polkit-1/
 usr/share/dbus-1/
+usr/share/gettext/
 usr/share/locale/
+usr/share/man/
+usr/share/polkit-1/
 var/lib/polkit-1/
diff --git a/debian/policykit-1.postinst b/debian/policykit-1.postinst
index c6a39de..1f4dba2 100644
--- a/debian/policykit-1.postinst
+++ b/debian/policykit-1.postinst
@@ -44,6 +44,13 @@ case "$1" in
     set_perms root root 4755 /usr/lib/policykit-1/polkit-agent-helper-1
     set_perms root root 4755 /usr/bin/pkexec


+    # The service file was renamed to polkit.service to match the upstream name.
+    # Stop the old polkitd.service on upgrades.
+    if [ -d /run/systemd/system ] && dpkg --compare-versions "$2" lt-nl 0.105-17; then
+        systemctl daemon-reload
+        deb-systemd-invoke stop polkitd.service || true
+    fi
+
     # Kill the old polkitd daemon on upgrade, to ensure that the new
     # version will be used at the next occasion.
     kill $(get_pid org.freedesktop.PolicyKit1) 2>/dev/null || true
diff --git a/debian/policykit-1.preinst b/debian/policykit-1.preinst
new file mode 100644
index 0000000..4017cc9
--- /dev/null
+++ b/debian/policykit-1.preinst
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+    install|upgrade)
+        # avoid attempts to start polkit.service while we are unconfigured and
+        # might not yet have our D-Bus policy in /etc
+        if [ -d /run/systemd/system ]; then
+            systemctl mask --runtime polkit.service
+        fi
+        ;;
+
+    abort-upgrade)
+        if [ -d /run/systemd/system ]; then
+            systemctl unmask --runtime polkit.service
+        fi
+        ;;
+esac
+
+#DEBHELPER#
diff --git a/debian/polkitd.service b/debian/polkit.service
similarity index 62%
rename from debian/polkitd.service
rename to debian/polkit.service
index d3f192d..e132621 100644
--- a/debian/polkitd.service
+++ b/debian/polkit.service
@@ -1,5 +1,6 @@
 [Unit]
-Description=Authenticate and Authorize Users to Run Privileged Tasks
+Description=Authorization Manager
+Documentation=man:polkit(8)


[Service]
Type=dbus
diff --git a/debian/rules b/debian/rules
index 59e289b..dc91c82 100755
--- a/debian/rules
+++ b/debian/rules
@@ -4,7 +4,7 @@
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

 %:
-    dh $@ --with autoreconf
+    dh $@ --with autoreconf,gir


 DPKG_GENSYMBOLS_CHECK_LEVEL=4
 export DPKG_GENSYMBOLS_CHECK_LEVEL
@@ -21,19 +21,14 @@ override_dh_auto_configure:
         --libexecdir=\$${prefix}/lib/policykit-1


 override_dh_auto_test:
-    # the system D-BUS tests can't work on the buildds, so don't let a
-    # failed test fail the build
-    make check || true
+    # on buildds we can't rely on actually having a system bus
+    dbus-run-session -- sh -c 'DBUS_SYSTEM_BUS_ADDRESS=$$DBUS_SESSION_BUS_ADDRESS make check'


 override_dh_makeshlibs:
     dh_makeshlibs -Xusr/lib/$(DEB_HOST_MULTIARCH)/polkit-1/


-override_dh_shlibdeps:
-    dh_shlibdeps
-    dh_girepository
-
-override_dh_install:
-    dh_install
+override_dh_install-arch:
+    dh_install -a
     # on Debian use sudo group; on Ubuntu, also allow the admin group for
     # historical reasons
     if dpkg-vendor --is ubuntu; then \
diff --git a/debian/shlibs.local b/debian/shlibs.local
new file mode 100644
index 0000000..0fbda1e
--- /dev/null
+++ b/debian/shlibs.local
@@ -0,0 +1,3 @@
+libpolkit-agent-1 0 libpolkit-agent-1-0 (= ${binary:Version})
+libpolkit-backend-1 0 libpolkit-backend-1-0 (= ${binary:Version})
+libpolkit-gobject-1 0 libpolkit-gobject-1-0 (= ${binary:Version})

From 2cab449c206ce64254af2cde04af0b83043ee037 Mon Sep 17 00:00:00 2001
From: Svante Signell <svante.signell@???>
Date: Tue, 19 Dec 2017 15:54:43 +0100
Subject: [PATCH 2/4] Fix Uploaders, Build-Depends, Pre-Depends and Depends
fields in debian/control. Remove systemd patches and debian/polkit.service.
Remove systemd stuff in policykit-1.{install,postinst}.

---
 debian/control                                     |   2 +-
 ...-around-systemd-injecting-broken-XDG_RUNT.patch |  76 ---------------
 ...ionmonitor-systemd-Deduplicate-code-paths.patch | 104 ---------------------
 ...tor-systemd-Use-sd_uid_get_state-to-check.patch |  73 ---------------
 ...tor-systemd-prepare-for-D-Bus-user-bus-mo.patch |  89 ------------------
 debian/patches/06_systemd-service.patch            |  18 ----
 debian/patches/10_build-against-libsystemd.patch   |  32 -------
 debian/patches/series                              |   4 -
 debian/policykit-1.install                         |   1 -
 debian/policykit-1.postinst                        |   7 --
 debian/polkit.service                              |   8 --
 11 files changed, 1 insertion(+), 413 deletions(-)
 delete mode 100644 debian/patches/0.113/pkexec-Work-around-systemd-injecting-broken-XDG_RUNT.patch
 delete mode 100644 debian/patches/0.113/sessionmonitor-systemd-Deduplicate-code-paths.patch
 delete mode 100644 debian/patches/0.113/sessionmonitor-systemd-Use-sd_uid_get_state-to-check.patch
 delete mode 100644 debian/patches/0.113/sessionmonitor-systemd-prepare-for-D-Bus-user-bus-mo.patch
 delete mode 100644 debian/patches/06_systemd-service.patch
 delete mode 100644 debian/patches/10_build-against-libsystemd.patch
 delete mode 100644 debian/polkit.service


diff --git a/debian/control b/debian/control
index 7404ba1..7c1bb15 100644
--- a/debian/control
+++ b/debian/control
@@ -21,7 +21,7 @@ Build-Depends:
  libpam0g-dev,
  libselinux1-dev [linux-any],
  pkg-config,
- xsltproc,
+ xsltproc
 Standards-Version: 3.9.8
 Vcs-Git: https://git.devuan.org/packages-base/policykit-1.git
 Vcs-Browser: https://git.devuan.org/packages-base/policykit-1/
diff --git a/debian/patches/0.113/pkexec-Work-around-systemd-injecting-broken-XDG_RUNT.patch b/debian/patches/0.113/pkexec-Work-around-systemd-injecting-broken-XDG_RUNT.patch
deleted file mode 100644
index e8e9b6b..0000000
--- a/debian/patches/0.113/pkexec-Work-around-systemd-injecting-broken-XDG_RUNT.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: Colin Walters <walters@???>
-Date: Thu, 21 Nov 2013 17:39:37 -0500
-Subject: pkexec: Work around systemd injecting broken XDG_RUNTIME_DIR
-
-This workaround isn't too much code, and it's often better to fix bugs
-in two places anyways.
-
-For more information:
-
-See https://bugzilla.redhat.com/show_bug.cgi?id=753882
-See http://lists.freedesktop.org/archives/systemd-devel/2013-November/014370.html
-
-Origin: upstream, 0.113, commit:8635ffc16aeff6a07d675f861fe0dea03ea81d7e
----
- src/programs/pkexec.c | 33 ++++++++++++++++++++++++++++++---
- 1 file changed, 30 insertions(+), 3 deletions(-)
-
-diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
-index 9a0570a..5e99044 100644
---- a/src/programs/pkexec.c
-+++ b/src/programs/pkexec.c
-@@ -139,8 +139,22 @@ pam_conversation_function (int n,
-   return PAM_CONV_ERR;
- }
- 
-+/* A work around for:
-+ * https://bugzilla.redhat.com/show_bug.cgi?id=753882
-+ */
-+static gboolean
-+xdg_runtime_dir_is_owned_by (const char *path,
-+                 uid_t       target_uid)
-+{
-+  struct stat stbuf;
-+
-+  return stat (path, &stbuf) == 0 &&
-+    stbuf.st_uid == target_uid;
-+}
-+
- static gboolean
--open_session (const gchar *user_to_auth)
-+open_session (const gchar *user_to_auth,
-+          uid_t        target_uid)
- {
-   gboolean ret;
-   gint rc;
-@@ -182,7 +196,19 @@ open_session (const gchar *user_to_auth)
-     {
-       guint n;
-       for (n = 0; envlist[n]; n++)
--        putenv (envlist[n]);
-+    {
-+      const char *envitem = envlist[n];
-+      
-+      if (g_str_has_prefix (envitem, "XDG_RUNTIME_DIR="))
-+        {
-+          const char *eq = strchr (envitem, '=');
-+          g_assert (eq);
-+          if (!xdg_runtime_dir_is_owned_by (eq + 1, target_uid))
-+        continue;
-+        }
-+
-+      putenv (envlist[n]);
-+    }
-       free (envlist);
-     }
- 
-@@ -892,7 +918,8 @@ main (int argc, char *argv[])
-    * As evident above, neither su(1) (and, for that matter, nor sudo(8)) does this.
-    */
- #ifdef POLKIT_AUTHFW_PAM
--  if (!open_session (pw->pw_name))
-+  if (!open_session (pw->pw_name,
-+             pw->pw_uid))
-     {
-       goto out;
-     }
diff --git a/debian/patches/0.113/sessionmonitor-systemd-Deduplicate-code-paths.patch b/debian/patches/0.113/sessionmonitor-systemd-Deduplicate-code-paths.patch
deleted file mode 100644
index e7d0a4b..0000000
--- a/debian/patches/0.113/sessionmonitor-systemd-Deduplicate-code-paths.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From: Colin Walters <walters@???>
-Date: Thu, 7 Nov 2013 15:57:50 -0500
-Subject: sessionmonitor-systemd: Deduplicate code paths
-
-We had the code to go from pid -> session duplicated.  If we have a
-PolkitSystemBusName, convert it to a PolkitUnixProcess.
-Then we can do PolkitUnixProcess -> pid -> session in one place.
-
-This is just a code cleanup.
-
-Bug: https://bugs.freedesktop.org/show_bug.cgi?id=69538
-Origin: upstream, 0.113, commit:26d0c0578211fb96fc8fe75572aa11ad6ecbf9b8
----
- .../polkitbackendsessionmonitor-systemd.c          | 63 ++++++++--------------
- 1 file changed, 22 insertions(+), 41 deletions(-)
-
-diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-index 0185310..756b728 100644
---- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-+++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-@@ -313,61 +313,42 @@ polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMoni
-                                                         PolkitSubject               *subject,
-                                                         GError                     **error)
- {
--  PolkitSubject *session;
--
--  session = NULL;
-+  PolkitUnixProcess *tmp_process = NULL;
-+  PolkitUnixProcess *process = NULL;
-+  PolkitSubject *session = NULL;
-+  char *session_id = NULL;
-+  pid_t pid;
- 
-   if (POLKIT_IS_UNIX_PROCESS (subject))
--    {
--      gchar *session_id;
--      pid_t pid;
--
--      pid = polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (subject));
--      if (sd_pid_get_session (pid, &session_id) < 0)
--        goto out;
--
--      session = polkit_unix_session_new (session_id);
--      free (session_id);
--    }
-+    process = POLKIT_UNIX_PROCESS (subject); /* We already have a process */
-   else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
-     {
--      guint32 pid;
--      gchar *session_id;
--      GVariant *result;
--
--      result = g_dbus_connection_call_sync (monitor->system_bus,
--                                            "org.freedesktop.DBus",
--                                            "/org/freedesktop/DBus",
--                                            "org.freedesktop.DBus",
--                                            "GetConnectionUnixProcessID",
--                                            g_variant_new ("(s)", polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (subject))),
--                                            G_VARIANT_TYPE ("(u)"),
--                                            G_DBUS_CALL_FLAGS_NONE,
--                                            -1, /* timeout_msec */
--                                            NULL, /* GCancellable */
--                                            error);
--      if (result == NULL)
--        goto out;
--      g_variant_get (result, "(u)", &pid);
--      g_variant_unref (result);
--
--      if (sd_pid_get_session (pid, &session_id) < 0)
--        goto out;
--
--      session = polkit_unix_session_new (session_id);
--      free (session_id);
-+      /* Convert bus name to process */
-+      tmp_process = (PolkitUnixProcess*)polkit_system_bus_name_get_process_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error);
-+      if (!tmp_process)
-+    goto out;
-+      process = tmp_process;
-     }
-   else
-     {
-       g_set_error (error,
-                    POLKIT_ERROR,
-                    POLKIT_ERROR_NOT_SUPPORTED,
--                   "Cannot get user for subject of type %s",
-+                   "Cannot get session for subject of type %s",
-                    g_type_name (G_TYPE_FROM_INSTANCE (subject)));
-     }
- 
-- out:
-+  /* Now do process -> pid -> session */
-+  g_assert (process != NULL);
-+  pid = polkit_unix_process_get_pid (process);
- 
-+  if (sd_pid_get_session (pid, &session_id) < 0)
-+    goto out;
-+  
-+  session = polkit_unix_session_new (session_id);
-+  free (session_id);
-+ out:
-+  if (tmp_process) g_object_unref (tmp_process);
-   return session;
- }
- 
diff --git a/debian/patches/0.113/sessionmonitor-systemd-Use-sd_uid_get_state-to-check.patch b/debian/patches/0.113/sessionmonitor-systemd-Use-sd_uid_get_state-to-check.patch
deleted file mode 100644
index 7c0ca4b..0000000
--- a/debian/patches/0.113/sessionmonitor-systemd-Use-sd_uid_get_state-to-check.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Philip Withnall <philip.withnall@???>
-Date: Tue, 2 Jun 2015 16:19:51 +0100
-Subject: sessionmonitor-systemd: Use sd_uid_get_state() to check session
- activity
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-Instead of using sd_pid_get_session() then sd_session_is_active() to
-determine whether the user is active, use sd_uid_get_state() directly.
-This gets the maximum of the states of all the user’s sessions, rather
-than the state of the session containing the subject process. Since the
-user is the security boundary, this is fine.
-
-This change is necessary for `systemd --user` sessions, where most user
-code will be forked off user@.service, rather than running inside the
-logind session (whether that be a foreground/active or background/online
-session).
-
-Policy-wise, the change is from checking whether the subject process is
-in an active session; to checking whether the subject process is owned
-by a user with at least one active session.
-
-Bug: https://bugs.freedesktop.org/show_bug.cgi?id=76358
-Applied-upstream: 0.113, commit:a29653ffa99e0809e15aa34afcd7b2df8593871c
-Bug-Debian: https://bugs.debian.org/779988
----
- .../polkitbackendsessionmonitor-systemd.c          | 33 +++++++++++++++++++++-
- 1 file changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-index ebd05ce..6bd517a 100644
---- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-+++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-@@ -391,6 +391,37 @@ gboolean
- polkit_backend_session_monitor_is_session_active (PolkitBackendSessionMonitor *monitor,
-                                                   PolkitSubject               *session)
- {
--  return sd_session_is_active (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (session)));
-+  const char *session_id;
-+  char *state;
-+  uid_t uid;
-+  gboolean is_active = FALSE;
-+
-+  session_id = polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (session));
-+
-+  g_debug ("Checking whether session %s is active.", session_id);
-+
-+  /* Check whether *any* of the user's current sessions are active. */
-+  if (sd_session_get_uid (session_id, &uid) < 0)
-+    goto fallback;
-+
-+  g_debug ("Session %s has UID %u.", session_id, uid);
-+
-+  if (sd_uid_get_state (uid, &state) < 0)
-+    goto fallback;
-+
-+  g_debug ("UID %u has state %s.", uid, state);
-+
-+  is_active = (g_strcmp0 (state, "active") == 0);
-+  free (state);
-+
-+  return is_active;
-+
-+fallback:
-+  /* Fall back to checking the session. This is not ideal, since the user
-+   * might have multiple sessions, and we cannot guarantee to have chosen
-+   * the active one.
-+   *
-+   * See: https://bugs.freedesktop.org/show_bug.cgi?id=76358. */
-+  return sd_session_is_active (session_id);
- }
- 
diff --git a/debian/patches/0.113/sessionmonitor-systemd-prepare-for-D-Bus-user-bus-mo.patch b/debian/patches/0.113/sessionmonitor-systemd-prepare-for-D-Bus-user-bus-mo.patch
deleted file mode 100644
index a722170..0000000
--- a/debian/patches/0.113/sessionmonitor-systemd-prepare-for-D-Bus-user-bus-mo.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From: Kay Sievers <kay@???>
-Date: Mon, 19 May 2014 10:19:49 +0900
-Subject: sessionmonitor-systemd: prepare for D-Bus "user bus" model
-
-In the D-Bus "user bus" model, all sessions of a user share the same
-D-Bus instance, a polkit requesting process might live outside the
-login session which registered the user's polkit agent.
-
-In case a polkit requesting process is not part of the user's login
-session, we ask systemd-logind for the the user's "display" session
-instead.
-
-Bug: https://bugs.freedesktop.org/show_bug.cgi?id=78905
-Bug-Debian: https://bugs.debian.org/779988
-Applied-upstream: 0.113, commit:a68f5dfd7662767b7b9822090b70bc5bd145c50c
-[smcv: backport configure.ac changes; fail with #error if the required
-API is not found]
----
- configure.ac                                       |  4 +++
- .../polkitbackendsessionmonitor-systemd.c          | 29 ++++++++++++++++++----
- 2 files changed, 28 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index f4a0c41..aa2760f 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -165,6 +165,10 @@ if test "$enable_systemd" != "no"; then
-                     have_systemd=no)
-   if test "$have_systemd" = "yes"; then
-     SESSION_TRACKING=systemd
-+    save_LIBS=$LIBS
-+    LIBS=$SYSTEMD_LIBS
-+    AC_CHECK_FUNCS(sd_uid_get_display)
-+    LIBS=$save_LIBS
-   else
-     if test "$enable_systemd" = "yes"; then
-       AC_MSG_ERROR([systemd support requested but libsystemd-login1 library not found])
-diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-index 756b728..ebd05ce 100644
---- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-+++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-@@ -318,6 +318,9 @@ polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMoni
-   PolkitSubject *session = NULL;
-   char *session_id = NULL;
-   pid_t pid;
-+#if HAVE_SD_UID_GET_DISPLAY
-+  uid_t uid;
-+#endif
- 
-   if (POLKIT_IS_UNIX_PROCESS (subject))
-     process = POLKIT_UNIX_PROCESS (subject); /* We already have a process */
-@@ -338,16 +341,32 @@ polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMoni
-                    g_type_name (G_TYPE_FROM_INSTANCE (subject)));
-     }
- 
--  /* Now do process -> pid -> session */
-+  /* Now do process -> pid -> same session */
-   g_assert (process != NULL);
-   pid = polkit_unix_process_get_pid (process);
- 
--  if (sd_pid_get_session (pid, &session_id) < 0)
-+  if (sd_pid_get_session (pid, &session_id) >= 0)
-+    {
-+      session = polkit_unix_session_new (session_id);
-+      goto out;
-+    }
-+
-+#if HAVE_SD_UID_GET_DISPLAY
-+  /* Now do process -> uid -> graphical session (systemd version 213)*/
-+  if (sd_pid_get_owner_uid (pid, &uid) < 0)
-     goto out;
--  
--  session = polkit_unix_session_new (session_id);
--  free (session_id);
-+
-+  if (sd_uid_get_display (uid, &session_id) >= 0)
-+    {
-+      session = polkit_unix_session_new (session_id);
-+      goto out;
-+    }
-+#else
-+#error Debian should have sd_uid_get_display()
-+#endif
-+
-  out:
-+  free (session_id);
-   if (tmp_process) g_object_unref (tmp_process);
-   return session;
- }
diff --git a/debian/patches/06_systemd-service.patch b/debian/patches/06_systemd-service.patch
deleted file mode 100644
index de0ce00..0000000
--- a/debian/patches/06_systemd-service.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-From: Michael Biebl <biebl@???>
-Date: Sat, 11 Feb 2012 23:48:29 +0100
-Subject: Install systemd service file for polkitd.
-
-Forwarded: no, obsoleted by an upstream commit in 0.106
----
- data/org.freedesktop.PolicyKit1.service.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/data/org.freedesktop.PolicyKit1.service.in b/data/org.freedesktop.PolicyKit1.service.in
-index b6cd02b..ba3a1b6 100644
---- a/data/org.freedesktop.PolicyKit1.service.in
-+++ b/data/org.freedesktop.PolicyKit1.service.in
-@@ -2,3 +2,4 @@
- Name=org.freedesktop.PolicyKit1
- Exec=@libexecdir@/polkitd --no-debug
- User=root
-+SystemdService=polkit.service
diff --git a/debian/patches/10_build-against-libsystemd.patch b/debian/patches/10_build-against-libsystemd.patch
deleted file mode 100644
index 6230a63..0000000
--- a/debian/patches/10_build-against-libsystemd.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Michael Biebl <biebl@???>
-Date: Wed, 8 Jul 2015 02:08:33 +0200
-Subject: Build against libsystemd
-
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779756
-Forwarded: no, obsoleted by upstream commit 2291767a014f5a04a92ca6f0eb472794f212ca67 in 0.113
----
- configure.ac | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 388605d..f55ddb7 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -160,7 +160,7 @@ AC_ARG_ENABLE([systemd],
-               [enable_systemd=auto])
- if test "$enable_systemd" != "no"; then
-   PKG_CHECK_MODULES(SYSTEMD,
--                    [libsystemd-login],
-+                    [libsystemd],
-                     have_systemd=yes,
-                     have_systemd=no)
-   if test "$have_systemd" = "yes"; then
-@@ -171,7 +171,7 @@ if test "$enable_systemd" != "no"; then
-     LIBS=$save_LIBS
-   else
-     if test "$enable_systemd" = "yes"; then
--      AC_MSG_ERROR([systemd support requested but libsystemd-login1 library not found])
-+      AC_MSG_ERROR([systemd support requested but libsystemd library not found])
-     fi
-   fi
- fi
diff --git a/debian/patches/series b/debian/patches/series
index a769c52..a69547b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,18 +6,14 @@
 0.112/08_deprecate_racy_APIs.patch
 0.112/cve-2013-4288.patch
 0.113/Port-internals-non-deprecated-PolkitProcess-API-wher.patch
-0.113/pkexec-Work-around-systemd-injecting-broken-XDG_RUNT.patch
 0.113/03_PolkitAgentSession-fix-race-between-child-and-io-wat.patch
 0.113/polkitd-Fix-problem-with-removing-non-existent-sourc.patch
 0.113/PolkitSystemBusName-Add-public-API-to-retrieve-Unix-.patch
 0.113/Fixed-compilation-problem-in-the-backend.patch
 0.113/Don-t-discard-error-data-returned-by-polkit_system_b.patch
-0.113/sessionmonitor-systemd-Deduplicate-code-paths.patch
-0.113/sessionmonitor-systemd-prepare-for-D-Bus-user-bus-mo.patch
 0.113/Refuse-duplicate-user-arguments-to-pkexec.patch
 0.113/00git_fix_memleak.patch
 0.113/00git_invalid_object_paths.patch
-0.113/sessionmonitor-systemd-Use-sd_uid_get_state-to-check.patch
 0.113/Fix-a-possible-NULL-dereference.patch
 0.113/Fix-duplicate-GError-use-when-uid-is-missing.patch
 0.113/Fix-a-crash-when-two-authentication-requests-are-in-.patch
diff --git a/debian/policykit-1.install b/debian/policykit-1.install
index ed9a935..d44919a 100644
--- a/debian/policykit-1.install
+++ b/debian/policykit-1.install
@@ -1,4 +1,3 @@
-debian/polkit.service lib/systemd/system/
 etc/dbus-1/
 etc/pam.d/
 etc/polkit-1/
diff --git a/debian/policykit-1.postinst b/debian/policykit-1.postinst
index 1f4dba2..c6a39de 100644
--- a/debian/policykit-1.postinst
+++ b/debian/policykit-1.postinst
@@ -44,13 +44,6 @@ case "$1" in
     set_perms root root 4755 /usr/lib/policykit-1/polkit-agent-helper-1
     set_perms root root 4755 /usr/bin/pkexec


-    # The service file was renamed to polkit.service to match the upstream name.
-    # Stop the old polkitd.service on upgrades.
-    if [ -d /run/systemd/system ] && dpkg --compare-versions "$2" lt-nl 0.105-17; then
-        systemctl daemon-reload
-        deb-systemd-invoke stop polkitd.service || true
-    fi
-
     # Kill the old polkitd daemon on upgrade, to ensure that the new
     # version will be used at the next occasion.
     kill $(get_pid org.freedesktop.PolicyKit1) 2>/dev/null || true
diff --git a/debian/polkit.service b/debian/polkit.service
deleted file mode 100644
index e132621..0000000
--- a/debian/polkit.service
+++ /dev/null
@@ -1,8 +0,0 @@
-[Unit]
-Description=Authorization Manager
-Documentation=man:polkit(8)
-
-[Service]
-Type=dbus
-BusName=org.freedesktop.PolicyKit1
-ExecStart=/usr/lib/policykit-1/polkitd --no-debug
-- 
2.11.0


From 794bead947be6173ab40292e08c600d5faa93e69 Mon Sep 17 00:00:00 2001
From: Svante Signell <svante.signell@???>
Date: Tue, 19 Dec 2017 16:16:11 +0100
Subject: [PATCH 3/4] Remove debian/policykit-1.preinst, no longer needed.
Remove more systemd patches. Remove: src/polkit/polkitunixsession-systemd.c
src/polkitbackend/polkitbackendsessionmonitor-systemd.c

---
 ...mBusName-Add-public-API-to-retrieve-Unix-.patch |  33 --
 ..._polkitunixsession_sessionid_from_display.patch |  37 --
 debian/policykit-1.preinst                         |  20 -
 src/polkit/polkitunixsession-systemd.c             | 490 ---------------------
 .../polkitbackendsessionmonitor-systemd.c          | 414 -----------------
 5 files changed, 994 deletions(-)
 delete mode 100644 debian/patches/03_polkitunixsession_sessionid_from_display.patch
 delete mode 100644 debian/policykit-1.preinst
 delete mode 100644 src/polkit/polkitunixsession-systemd.c
 delete mode 100644 src/polkitbackend/polkitbackendsessionmonitor-systemd.c


diff --git a/debian/patches/0.113/PolkitSystemBusName-Add-public-API-to-retrieve-Unix-.patch b/debian/patches/0.113/PolkitSystemBusName-Add-public-API-to-retrieve-Unix-.patch
index a162aef..3c6e42a 100644
--- a/debian/patches/0.113/PolkitSystemBusName-Add-public-API-to-retrieve-Unix-.patch
+++ b/debian/patches/0.113/PolkitSystemBusName-Add-public-API-to-retrieve-Unix-.patch
@@ -12,9 +12,7 @@ Origin: upstream, 0.113, commit:904d8404d93dec45fce3b719eb1a626acc6b8a73
 ---
  src/polkit/polkitsystembusname.c                   | 56 ++++++++++++++++++++++
  src/polkit/polkitsystembusname.h                   |  4 ++
- .../polkitbackendsessionmonitor-systemd.c          | 20 +-------
  src/polkitbackend/polkitbackendsessionmonitor.c    | 20 +-------
- 4 files changed, 62 insertions(+), 38 deletions(-)


diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
index 2a297c4..51e4a69 100644
@@ -102,37 +100,6 @@ index 1fc464f..38d31f7 100644
G_END_DECLS

  #endif /* __POLKIT_SYSTEM_BUS_NAME_H */
-diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-index 58593c3..0185310 100644
---- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-+++ b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
-@@ -277,25 +277,7 @@ polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor
-     }
-   else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
-     {
--      GVariant *result;
--
--      result = g_dbus_connection_call_sync (monitor->system_bus,
--                                            "org.freedesktop.DBus",
--                                            "/org/freedesktop/DBus",
--                                            "org.freedesktop.DBus",
--                                            "GetConnectionUnixUser",
--                                            g_variant_new ("(s)", polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (subject))),
--                                            G_VARIANT_TYPE ("(u)"),
--                                            G_DBUS_CALL_FLAGS_NONE,
--                                            -1, /* timeout_msec */
--                                            NULL, /* GCancellable */
--                                            error);
--      if (result == NULL)
--        goto out;
--      g_variant_get (result, "(u)", &uid);
--      g_variant_unref (result);
--
--      ret = polkit_unix_user_new (uid);
-+      ret = (PolkitIdentity*)polkit_system_bus_name_get_user_sync (POLKIT_SYSTEM_BUS_NAME (subject), NULL, error);
-     }
-   else if (POLKIT_IS_UNIX_SESSION (subject))
-     {
 diff --git a/src/polkitbackend/polkitbackendsessionmonitor.c b/src/polkitbackend/polkitbackendsessionmonitor.c
 index 9c331b6..4075d3f 100644
 --- a/src/polkitbackend/polkitbackendsessionmonitor.c
diff --git a/debian/patches/03_polkitunixsession_sessionid_from_display.patch b/debian/patches/03_polkitunixsession_sessionid_from_display.patch
deleted file mode 100644
index 247e15f..0000000
--- a/debian/patches/03_polkitunixsession_sessionid_from_display.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Author: Sebastien Bacher <seb128@???>
-Description: Add fallback if agent is not running in a logind session
- This fixes polkit with dbus-user-session.
-Bug: https://bugs.freedesktop.org/show_bug.cgi?id=96977
-
-Index: policykit-1/src/polkit/polkitunixsession-systemd.c
-===================================================================
---- policykit-1.orig/src/polkit/polkitunixsession-systemd.c
-+++ policykit-1/src/polkit/polkitunixsession-systemd.c
-@@ -451,6 +451,7 @@ polkit_unix_session_initable_init (GInit
-   PolkitUnixSession *session = POLKIT_UNIX_SESSION (initable);
-   gboolean ret = FALSE;
-   char *s;
-+  uid_t uid;
- 
-   if (session->session_id != NULL)
-     {
-@@ -467,6 +468,19 @@ polkit_unix_session_initable_init (GInit
-       goto out;
-     }
- 
-+  /* Now do process -> uid -> graphical session (systemd version 213)*/
-+  if (sd_pid_get_owner_uid (session->pid, &uid) < 0)
-+    goto error;
-+
-+  if (sd_uid_get_display (uid, &s) >= 0)
-+    {
-+      session->session_id =  g_strdup (s);
-+      free (s);
-+      ret = TRUE;
-+      goto out;
-+    }
-+
-+error:
-   g_set_error (error,
-                POLKIT_ERROR,
-                POLKIT_ERROR_FAILED,
diff --git a/debian/policykit-1.preinst b/debian/policykit-1.preinst
deleted file mode 100644
index 4017cc9..0000000
--- a/debian/policykit-1.preinst
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-set -e
-
-case "$1" in
-    install|upgrade)
-        # avoid attempts to start polkit.service while we are unconfigured and
-        # might not yet have our D-Bus policy in /etc
-        if [ -d /run/systemd/system ]; then
-            systemctl mask --runtime polkit.service
-        fi
-        ;;
-
-    abort-upgrade)
-        if [ -d /run/systemd/system ]; then
-            systemctl unmask --runtime polkit.service
-        fi
-        ;;
-esac
-
-#DEBHELPER#
diff --git a/src/polkit/polkitunixsession-systemd.c b/src/polkit/polkitunixsession-systemd.c
deleted file mode 100644
index 8a8bf65..0000000
--- a/src/polkit/polkitunixsession-systemd.c
+++ /dev/null
@@ -1,490 +0,0 @@
-/*
- * Copyright (C) 2011 Red Hat, Inc.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General
- * Public License along with this library; if not, write to the
- * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
- * Boston, MA 02111-1307, USA.
- *
- * Author: Matthias Clasen
- */
-
-#ifdef HAVE_CONFIG_H
-#  include "config.h"
-#endif
-
-#include <stdlib.h>
-#include <string.h>
-#include "polkitunixsession.h"
-#include "polkitsubject.h"
-#include "polkiterror.h"
-#include "polkitprivate.h"
-
-#include <systemd/sd-login.h>
-
-/**
- * SECTION:polkitunixsession
- * @title: PolkitUnixSession
- * @short_description: Unix sessions
- *
- * An object that represents an user session.
- *
- * The session id is an opaque string obtained from ConsoleKit.
- */
-
-/**
- * PolkitUnixSession:
- *
- * The #PolkitUnixSession struct should not be accessed directly.
- */
-struct _PolkitUnixSession
-{
-  GObject parent_instance;
-
-  gchar *session_id;
-
-  gint pid;
-};
-
-struct _PolkitUnixSessionClass
-{
-  GObjectClass parent_class;
-};
-
-enum
-{
-  PROP_0,
-  PROP_SESSION_ID,
-  PROP_PID,
-};
-
-static void subject_iface_init        (PolkitSubjectIface *subject_iface);
-static void initable_iface_init       (GInitableIface *initable_iface);
-static void async_initable_iface_init (GAsyncInitableIface *async_initable_iface);
-
-G_DEFINE_TYPE_WITH_CODE (PolkitUnixSession, polkit_unix_session, G_TYPE_OBJECT,
-                         G_IMPLEMENT_INTERFACE (POLKIT_TYPE_SUBJECT, subject_iface_init)
-                         G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE, initable_iface_init)
-                         G_IMPLEMENT_INTERFACE (G_TYPE_ASYNC_INITABLE, async_initable_iface_init)
-                         );
-
-static void
-polkit_unix_session_init (PolkitUnixSession *session)
-{
-}
-
-static void
-polkit_unix_session_finalize (GObject *object)
-{
-  PolkitUnixSession *session = POLKIT_UNIX_SESSION (object);
-
-  g_free (session->session_id);
-
-  if (G_OBJECT_CLASS (polkit_unix_session_parent_class)->finalize != NULL)
-    G_OBJECT_CLASS (polkit_unix_session_parent_class)->finalize (object);
-}
-
-static void
-polkit_unix_session_get_property (GObject    *object,
-                                  guint       prop_id,
-                                  GValue     *value,
-                                  GParamSpec *pspec)
-{
-  PolkitUnixSession *session = POLKIT_UNIX_SESSION (object);
-
-  switch (prop_id)
-    {
-    case PROP_SESSION_ID:
-      g_value_set_string (value, session->session_id);
-      break;
-
-    default:
-      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
-      break;
-    }
-}
-
-static void
-polkit_unix_session_set_property (GObject      *object,
-                                  guint         prop_id,
-                                  const GValue *value,
-                                  GParamSpec   *pspec)
-{
-  PolkitUnixSession *session = POLKIT_UNIX_SESSION (object);
-
-  switch (prop_id)
-    {
-    case PROP_SESSION_ID:
-      polkit_unix_session_set_session_id (session, g_value_get_string (value));
-      break;
-
-    case PROP_PID:
-      session->pid = g_value_get_int (value);
-      break;
-
-    default:
-      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
-      break;
-    }
-}
-
-static void
-polkit_unix_session_class_init (PolkitUnixSessionClass *klass)
-{
-  GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
-
-  gobject_class->finalize     = polkit_unix_session_finalize;
-  gobject_class->get_property = polkit_unix_session_get_property;
-  gobject_class->set_property = polkit_unix_session_set_property;
-
-  /**
-   * PolkitUnixSession:session-id:
-   *
-   * The UNIX session id.
-   */
-  g_object_class_install_property (gobject_class,
-                                   PROP_SESSION_ID,
-                                   g_param_spec_string ("session-id",
-                                                        "Session ID",
-                                                        "The UNIX session ID",
-                                                        NULL,
-                                                        G_PARAM_CONSTRUCT |
-                                                        G_PARAM_READWRITE |
-                                                        G_PARAM_STATIC_NAME |
-                                                        G_PARAM_STATIC_BLURB |
-                                                        G_PARAM_STATIC_NICK));
-
-
-  /**
-   * PolkitUnixSession:pid:
-   *
-   * The UNIX process id to look up the session.
-   */
-  g_object_class_install_property (gobject_class,
-                                   PROP_PID,
-                                   g_param_spec_int ("pid",
-                                                     "Process ID",
-                                                     "Process ID to use for looking up the session",
-                                                     0,
-                                                     G_MAXINT,
-                                                     0,
-                                                     G_PARAM_CONSTRUCT_ONLY |
-                                                     G_PARAM_WRITABLE |
-                                                     G_PARAM_STATIC_NAME |
-                                                     G_PARAM_STATIC_BLURB |
-                                                     G_PARAM_STATIC_NICK));
-
-}
-
-/**
- * polkit_unix_session_get_session_id:
- * @session: A #PolkitUnixSession.
- *
- * Gets the session id for @session.
- *
- * Returns: The session id for @session. Do not free this string, it
- * is owned by @session.
- **/
-const gchar *
-polkit_unix_session_get_session_id (PolkitUnixSession *session)
-{
-  g_return_val_if_fail (POLKIT_IS_UNIX_SESSION (session), NULL);
-  return session->session_id;
-}
-
-/**
- * polkit_unix_session_set_session_id:
- * @session: A #PolkitUnixSession.
- * @session_id: The session id.
- *
- * Sets the session id for @session to @session_id.
- **/
-void
-polkit_unix_session_set_session_id (PolkitUnixSession *session,
-                                    const gchar       *session_id)
-{
-  g_return_if_fail (POLKIT_IS_UNIX_SESSION (session));
-  /*g_return_if_fail (session_id != NULL);*/
-  g_free (session->session_id);
-  session->session_id = g_strdup (session_id);
-}
-
-/**
- * polkit_unix_session_new:
- * @session_id: The session id.
- *
- * Creates a new #PolkitUnixSession for @session_id.
- *
- * Returns: (transfer full): A #PolkitUnixSession. Free with g_object_unref().
- **/
-PolkitSubject *
-polkit_unix_session_new (const gchar *session_id)
-{
-  return POLKIT_SUBJECT (g_object_new (POLKIT_TYPE_UNIX_SESSION,
-                                       "session-id", session_id,
-                                       NULL));
-}
-
-/**
- * polkit_unix_session_new_for_process:
- * @pid: The process id of the process to get the session for.
- * @cancellable: (allow-none): A #GCancellable or %NULL.
- * @callback: A #GAsyncReadyCallback to call when the request is satisfied
- * @user_data: The data to pass to @callback.
- *
- * Asynchronously creates a new #PolkitUnixSession object for the
- * process with process id @pid.
- *
- * When the operation is finished, @callback will be invoked in the
- * <link linkend="g-main-context-push-thread-default">thread-default
- * main loop</link> of the thread you are calling this method
- * from. You can then call
- * polkit_unix_session_new_for_process_finish() to get the result of
- * the operation.
- *
- * This method constructs the object asynchronously, for the synchronous and blocking version
- * use polkit_unix_session_new_for_process_sync().
- **/
-void
-polkit_unix_session_new_for_process (gint                pid,
-                                     GCancellable       *cancellable,
-                                     GAsyncReadyCallback callback,
-                                     gpointer            user_data)
-{
-  g_async_initable_new_async (POLKIT_TYPE_UNIX_SESSION,
-                              G_PRIORITY_DEFAULT,
-                              cancellable,
-                              callback,
-                              user_data,
-                              "pid", pid,
-                              NULL);
-}
-
-/**
- * polkit_unix_session_new_for_process_finish:
- * @res: A #GAsyncResult obtained from the #GAsyncReadyCallback passed to polkit_unix_session_new_for_process().
- * @error: (allow-none): Return location for error.
- *
- * Finishes constructing a #PolkitSubject for a process id.
- *
- * Returns: (transfer full) (allow-none): A #PolkitUnixSession for the @pid passed to
- *     polkit_unix_session_new_for_process() or %NULL if @error is
- *     set. Free with g_object_unref().
- **/
-PolkitSubject *
-polkit_unix_session_new_for_process_finish (GAsyncResult   *res,
-                                            GError        **error)
-{
-  GObject *object;
-  GObject *source_object;
-
-  source_object = g_async_result_get_source_object (res);
-  g_assert (source_object != NULL);
-
-  object = g_async_initable_new_finish (G_ASYNC_INITABLE (source_object),
-                                        res,
-                                        error);
-  g_object_unref (source_object);
-
-  if (object != NULL)
-    return POLKIT_SUBJECT (object);
-  else
-    return NULL;
-}
-
-
-/**
- * polkit_unix_session_new_for_process_sync:
- * @pid: The process id of the process to get the session for.
- * @cancellable: (allow-none): A #GCancellable or %NULL.
- * @error: (allow-none): Return location for error.
- *
- * Creates a new #PolkitUnixSession for the process with process id @pid.
- *
- * This is a synchronous call - the calling thread is blocked until a
- * reply is received. For the asynchronous version, see
- * polkit_unix_session_new_for_process().
- *
- * Returns: (allow-none) (transfer full): A #PolkitUnixSession for
- * @pid or %NULL if @error is set. Free with g_object_unref().
- **/
-PolkitSubject *
-polkit_unix_session_new_for_process_sync (gint           pid,
-                                          GCancellable  *cancellable,
-                                          GError       **error)
-{
-  return POLKIT_SUBJECT (g_initable_new (POLKIT_TYPE_UNIX_SESSION,
-                                         cancellable,
-                                         error,
-                                         "pid", pid,
-                                         NULL));
-}
-
-static guint
-polkit_unix_session_hash (PolkitSubject *subject)
-{
-  PolkitUnixSession *session = POLKIT_UNIX_SESSION (subject);
-
-  return g_str_hash (session->session_id);
-}
-
-static gboolean
-polkit_unix_session_equal (PolkitSubject *a,
-                           PolkitSubject *b)
-{
-  PolkitUnixSession *session_a;
-  PolkitUnixSession *session_b;
-
-  session_a = POLKIT_UNIX_SESSION (a);
-  session_b = POLKIT_UNIX_SESSION (b);
-
-  return g_strcmp0 (session_a->session_id, session_b->session_id) == 0;
-}
-
-static gchar *
-polkit_unix_session_to_string (PolkitSubject *subject)
-{
-  PolkitUnixSession *session = POLKIT_UNIX_SESSION (subject);
-
-  return g_strdup_printf ("unix-session:%s", session->session_id);
-}
-
-static gboolean
-polkit_unix_session_exists_sync (PolkitSubject   *subject,
-                                 GCancellable    *cancellable,
-                                 GError         **error)
-{
-  PolkitUnixSession *session = POLKIT_UNIX_SESSION (subject);
-  gboolean ret = FALSE;
-  uid_t uid;
-
-  if (sd_session_get_uid (session->session_id, &uid) == 0)
-    ret = TRUE;
-
-  return ret;
-}
-
-static void
-exists_in_thread_func (GSimpleAsyncResult *res,
-                       GObject            *object,
-                       GCancellable       *cancellable)
-{
-  GError *error;
-  error = NULL;
-  if (!polkit_unix_session_exists_sync (POLKIT_SUBJECT (object),
-                                        cancellable,
-                                        &error))
-    {
-      g_simple_async_result_set_from_error (res, error);
-      g_error_free (error);
-    }
-}
-
-static void
-polkit_unix_session_exists (PolkitSubject       *subject,
-                            GCancellable        *cancellable,
-                            GAsyncReadyCallback  callback,
-                            gpointer             user_data)
-{
-  GSimpleAsyncResult *simple;
-
-  g_return_if_fail (POLKIT_IS_UNIX_SESSION (subject));
-
-  simple = g_simple_async_result_new (G_OBJECT (subject),
-                                      callback,
-                                      user_data,
-                                      polkit_unix_session_exists);
-  g_simple_async_result_run_in_thread (simple,
-                                       exists_in_thread_func,
-                                       G_PRIORITY_DEFAULT,
-                                       cancellable);
-  g_object_unref (simple);
-}
-
-static gboolean
-polkit_unix_session_exists_finish (PolkitSubject  *subject,
-                                      GAsyncResult   *res,
-                                      GError        **error)
-{
-  GSimpleAsyncResult *simple = G_SIMPLE_ASYNC_RESULT (res);
-  gboolean ret;
-
-  g_warn_if_fail (g_simple_async_result_get_source_tag (simple) == polkit_unix_session_exists);
-
-  ret = FALSE;
-
-  if (g_simple_async_result_propagate_error (simple, error))
-    goto out;
-
-  ret = g_simple_async_result_get_op_res_gboolean (simple);
-
- out:
-  return ret;
-}
-
-static void
-subject_iface_init (PolkitSubjectIface *subject_iface)
-{
-  subject_iface->hash          = polkit_unix_session_hash;
-  subject_iface->equal         = polkit_unix_session_equal;
-  subject_iface->to_string     = polkit_unix_session_to_string;
-  subject_iface->exists        = polkit_unix_session_exists;
-  subject_iface->exists_finish = polkit_unix_session_exists_finish;
-  subject_iface->exists_sync   = polkit_unix_session_exists_sync;
-}
-
-static gboolean
-polkit_unix_session_initable_init (GInitable     *initable,
-                                   GCancellable  *cancellable,
-                                   GError       **error)
-{
-  PolkitUnixSession *session = POLKIT_UNIX_SESSION (initable);
-  gboolean ret = FALSE;
-  char *s;
-
-  if (session->session_id != NULL)
-    {
-      /* already set, nothing to do */
-      ret = TRUE;
-      goto out;
-    }
-
-  if (sd_pid_get_session (session->pid, &s) == 0)
-    {
-      session->session_id = g_strdup (s);
-      free (s);
-      ret = TRUE;
-      goto out;
-    }
-
-  g_set_error (error,
-               POLKIT_ERROR,
-               POLKIT_ERROR_FAILED,
-               "No session for pid %d",
-               (gint) session->pid);
-
-out:
-  return ret;
-}
-
-static void
-initable_iface_init (GInitableIface *initable_iface)
-{
-  initable_iface->init = polkit_unix_session_initable_init;
-}
-
-static void
-async_initable_iface_init (GAsyncInitableIface *async_initable_iface)
-{
-  /* use default implementation to run GInitable code in a thread */
-}
diff --git a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c b/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
deleted file mode 100644
index 58593c3..0000000
--- a/src/polkitbackend/polkitbackendsessionmonitor-systemd.c
+++ /dev/null
@@ -1,414 +0,0 @@
-/*
- * Copyright (C) 2011 Red Hat, Inc.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General
- * Public License along with this library; if not, write to the
- * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
- * Boston, MA 02111-1307, USA.
- *
- * Author: Matthias Clasen
- */
-
-#include "config.h"
-#include <errno.h>
-#include <pwd.h>
-#include <grp.h>
-#include <string.h>
-#include <glib/gstdio.h>
-#include <systemd/sd-login.h>
-#include <stdlib.h>
-
-#include <polkit/polkit.h>
-#include "polkitbackendsessionmonitor.h"
-
-/* <internal>
- * SECTION:polkitbackendsessionmonitor
- * @title: PolkitBackendSessionMonitor
- * @short_description: Monitor sessions
- *
- * The #PolkitBackendSessionMonitor class is a utility class to track and monitor sessions.
- */
-
-typedef struct
-{
-  GSource source;
-  GPollFD pollfd;
-  sd_login_monitor *monitor;
-} SdSource;
-
-static gboolean
-sd_source_prepare (GSource *source,
-                   gint    *timeout)
-{
-  *timeout = -1;
-  return FALSE;
-}
-
-static gboolean
-sd_source_check (GSource *source)
-{
-  SdSource *sd_source = (SdSource *)source;
-
-  return sd_source->pollfd.revents != 0;
-}
-
-static gboolean
-sd_source_dispatch (GSource     *source,
-                    GSourceFunc  callback,
-                    gpointer     user_data)
-
-{
-  SdSource *sd_source = (SdSource *)source;
-  gboolean ret;
-
-  g_warn_if_fail (callback != NULL);
-
-  ret = (*callback) (user_data);
-
-  sd_login_monitor_flush (sd_source->monitor);
-
-  return ret;
-}
-
-static void
-sd_source_finalize (GSource *source)
-{
-  SdSource *sd_source = (SdSource*)source;
-
-  sd_login_monitor_unref (sd_source->monitor);
-}
-
-static GSourceFuncs sd_source_funcs = {
-  sd_source_prepare,
-  sd_source_check,
-  sd_source_dispatch,
-  sd_source_finalize
-};
-
-static GSource *
-sd_source_new (void)
-{
-  GSource *source;
-  SdSource *sd_source;
-  int ret;
-
-  source = g_source_new (&sd_source_funcs, sizeof (SdSource));
-  sd_source = (SdSource *)source;
-
-  if ((ret = sd_login_monitor_new (NULL, &sd_source->monitor)) < 0)
-    {
-      g_printerr ("Error getting login monitor: %d", ret);
-    }
-  else
-    {
-      sd_source->pollfd.fd = sd_login_monitor_get_fd (sd_source->monitor);
-      sd_source->pollfd.events = G_IO_IN;
-      g_source_add_poll (source, &sd_source->pollfd);
-    }
-
-  return source;
-}
-
-struct _PolkitBackendSessionMonitor
-{
-  GObject parent_instance;
-
-  GDBusConnection *system_bus;
-
-  GSource *sd_source;
-};
-
-struct _PolkitBackendSessionMonitorClass
-{
-  GObjectClass parent_class;
-
-  void (*changed) (PolkitBackendSessionMonitor *monitor);
-};
-
-
-enum
-{
-  CHANGED_SIGNAL,
-  LAST_SIGNAL,
-};
-
-static guint signals[LAST_SIGNAL] = {0};
-
-G_DEFINE_TYPE (PolkitBackendSessionMonitor, polkit_backend_session_monitor, G_TYPE_OBJECT);
-
-/* ---------------------------------------------------------------------------------------------------- */
-
-static gboolean
-sessions_changed (gpointer user_data)
-{
-  PolkitBackendSessionMonitor *monitor = POLKIT_BACKEND_SESSION_MONITOR (user_data);
-
-  g_signal_emit (monitor, signals[CHANGED_SIGNAL], 0);
-
-  return TRUE;
-}
-
-
-static void
-polkit_backend_session_monitor_init (PolkitBackendSessionMonitor *monitor)
-{
-  GError *error;
-
-  error = NULL;
-  monitor->system_bus = g_bus_get_sync (G_BUS_TYPE_SYSTEM, NULL, &error);
-  if (monitor->system_bus == NULL)
-    {
-      g_printerr ("Error getting system bus: %s", error->message);
-      g_error_free (error);
-    }
-
-  monitor->sd_source = sd_source_new ();
-  g_source_set_callback (monitor->sd_source, sessions_changed, monitor, NULL);
-  g_source_attach (monitor->sd_source, NULL);
-}
-
-static void
-polkit_backend_session_monitor_finalize (GObject *object)
-{
-  PolkitBackendSessionMonitor *monitor = POLKIT_BACKEND_SESSION_MONITOR (object);
-
-  if (monitor->system_bus != NULL)
-    g_object_unref (monitor->system_bus);
-
-  if (monitor->sd_source != NULL)
-    {
-      g_source_destroy (monitor->sd_source);
-      g_source_unref (monitor->sd_source);
-    }
-
-  if (G_OBJECT_CLASS (polkit_backend_session_monitor_parent_class)->finalize != NULL)
-    G_OBJECT_CLASS (polkit_backend_session_monitor_parent_class)->finalize (object);
-}
-
-static void
-polkit_backend_session_monitor_class_init (PolkitBackendSessionMonitorClass *klass)
-{
-  GObjectClass *gobject_class;
-
-  gobject_class = G_OBJECT_CLASS (klass);
-
-  gobject_class->finalize = polkit_backend_session_monitor_finalize;
-
-  /**
-   * PolkitBackendSessionMonitor::changed:
-   * @monitor: A #PolkitBackendSessionMonitor
-   *
-   * Emitted when something changes.
-   */
-  signals[CHANGED_SIGNAL] = g_signal_new ("changed",
-                                          POLKIT_BACKEND_TYPE_SESSION_MONITOR,
-                                          G_SIGNAL_RUN_LAST,
-                                          G_STRUCT_OFFSET (PolkitBackendSessionMonitorClass, changed),
-                                          NULL,                   /* accumulator      */
-                                          NULL,                   /* accumulator data */
-                                          g_cclosure_marshal_VOID__VOID,
-                                          G_TYPE_NONE,
-                                          0);
-}
-
-PolkitBackendSessionMonitor *
-polkit_backend_session_monitor_new (void)
-{
-  PolkitBackendSessionMonitor *monitor;
-
-  monitor = POLKIT_BACKEND_SESSION_MONITOR (g_object_new (POLKIT_BACKEND_TYPE_SESSION_MONITOR, NULL));
-
-  return monitor;
-}
-
-/* ---------------------------------------------------------------------------------------------------- */
-
-GList *
-polkit_backend_session_monitor_get_sessions (PolkitBackendSessionMonitor *monitor)
-{
-  /* TODO */
-  return NULL;
-}
-
-/* ---------------------------------------------------------------------------------------------------- */
-
-/**
- * polkit_backend_session_monitor_get_user:
- * @monitor: A #PolkitBackendSessionMonitor.
- * @subject: A #PolkitSubject.
- * @error: Return location for error.
- *
- * Gets the user corresponding to @subject or %NULL if no user exists.
- *
- * Returns: %NULL if @error is set otherwise a #PolkitUnixUser that should be freed with g_object_unref().
- */
-PolkitIdentity *
-polkit_backend_session_monitor_get_user_for_subject (PolkitBackendSessionMonitor  *monitor,
-                                                     PolkitSubject                *subject,
-                                                     GError                      **error)
-{
-  PolkitIdentity *ret;
-  guint32 uid;
-
-  ret = NULL;
-
-  if (POLKIT_IS_UNIX_PROCESS (subject))
-    {
-      uid = polkit_unix_process_get_uid (POLKIT_UNIX_PROCESS (subject));
-      if ((gint) uid == -1)
-        {
-          g_set_error (error,
-                       POLKIT_ERROR,
-                       POLKIT_ERROR_FAILED,
-                       "Unix process subject does not have uid set");
-          goto out;
-        }
-      ret = polkit_unix_user_new (uid);
-    }
-  else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
-    {
-      GVariant *result;
-
-      result = g_dbus_connection_call_sync (monitor->system_bus,
-                                            "org.freedesktop.DBus",
-                                            "/org/freedesktop/DBus",
-                                            "org.freedesktop.DBus",
-                                            "GetConnectionUnixUser",
-                                            g_variant_new ("(s)", polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (subject))),
-                                            G_VARIANT_TYPE ("(u)"),
-                                            G_DBUS_CALL_FLAGS_NONE,
-                                            -1, /* timeout_msec */
-                                            NULL, /* GCancellable */
-                                            error);
-      if (result == NULL)
-        goto out;
-      g_variant_get (result, "(u)", &uid);
-      g_variant_unref (result);
-
-      ret = polkit_unix_user_new (uid);
-    }
-  else if (POLKIT_IS_UNIX_SESSION (subject))
-    {
-
-      if (sd_session_get_uid (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (subject)), &uid) < 0)
-        {
-          g_set_error (error,
-                       POLKIT_ERROR,
-                       POLKIT_ERROR_FAILED,
-                       "Error getting uid for session");
-          goto out;
-        }
-
-      ret = polkit_unix_user_new (uid);
-    }
-
- out:
-  return ret;
-}
-
-/**
- * polkit_backend_session_monitor_get_session_for_subject:
- * @monitor: A #PolkitBackendSessionMonitor.
- * @subject: A #PolkitSubject.
- * @error: Return location for error.
- *
- * Gets the session corresponding to @subject or %NULL if no session exists.
- *
- * Returns: %NULL if @error is set otherwise a #PolkitUnixSession that should be freed with g_object_unref().
- */
-PolkitSubject *
-polkit_backend_session_monitor_get_session_for_subject (PolkitBackendSessionMonitor *monitor,
-                                                        PolkitSubject               *subject,
-                                                        GError                     **error)
-{
-  PolkitSubject *session;
-
-  session = NULL;
-
-  if (POLKIT_IS_UNIX_PROCESS (subject))
-    {
-      gchar *session_id;
-      pid_t pid;
-
-      pid = polkit_unix_process_get_pid (POLKIT_UNIX_PROCESS (subject));
-      if (sd_pid_get_session (pid, &session_id) < 0)
-        goto out;
-
-      session = polkit_unix_session_new (session_id);
-      free (session_id);
-    }
-  else if (POLKIT_IS_SYSTEM_BUS_NAME (subject))
-    {
-      guint32 pid;
-      gchar *session_id;
-      GVariant *result;
-
-      result = g_dbus_connection_call_sync (monitor->system_bus,
-                                            "org.freedesktop.DBus",
-                                            "/org/freedesktop/DBus",
-                                            "org.freedesktop.DBus",
-                                            "GetConnectionUnixProcessID",
-                                            g_variant_new ("(s)", polkit_system_bus_name_get_name (POLKIT_SYSTEM_BUS_NAME (subject))),
-                                            G_VARIANT_TYPE ("(u)"),
-                                            G_DBUS_CALL_FLAGS_NONE,
-                                            -1, /* timeout_msec */
-                                            NULL, /* GCancellable */
-                                            error);
-      if (result == NULL)
-        goto out;
-      g_variant_get (result, "(u)", &pid);
-      g_variant_unref (result);
-
-      if (sd_pid_get_session (pid, &session_id) < 0)
-        goto out;
-
-      session = polkit_unix_session_new (session_id);
-      free (session_id);
-    }
-  else
-    {
-      g_set_error (error,
-                   POLKIT_ERROR,
-                   POLKIT_ERROR_NOT_SUPPORTED,
-                   "Cannot get user for subject of type %s",
-                   g_type_name (G_TYPE_FROM_INSTANCE (subject)));
-    }
-
- out:
-
-  return session;
-}
-
-gboolean
-polkit_backend_session_monitor_is_session_local (PolkitBackendSessionMonitor *monitor,
-                                                 PolkitSubject               *session)
-{
-  char *seat;
-
-  if (!sd_session_get_seat (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (session)), &seat))
-    {
-      free (seat);
-      return TRUE;
-    }
-
-  return FALSE;
-}
-
-
-gboolean
-polkit_backend_session_monitor_is_session_active (PolkitBackendSessionMonitor *monitor,
-                                                  PolkitSubject               *session)
-{
-  return sd_session_is_active (polkit_unix_session_get_session_id (POLKIT_UNIX_SESSION (session)));
-}
-
-- 
2.11.0


From acdf482560fd0028f9b43111dbf3b4d61bbaee81 Mon Sep 17 00:00:00 2001
From: Svante Signell <svante.signell@???>
Date: Tue, 19 Dec 2017 18:56:43 +0100
Subject: [PATCH 4/4] Update changelog. Remove already removed patch from
series. Add a lintian-overrides file.

---
 debian/changelog                | 9 ++++++++-
 debian/patches/series           | 1 -
 debian/source/lintian-overrides | 1 +
 3 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 debian/source/lintian-overrides


diff --git a/debian/changelog b/debian/changelog
index 9e6f4a7..bece73e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,15 @@
+policykit-1 (0.105-18+devuan2.1) unstable; urgency=medium
+
+ * Devuanise: Remove systemd stuff from debian/ and src/{polkit,polkitbackend}
+ * Fix lintian warning about version number.
+
+ -- Svante Signell <svante.signell@???> Tue, 19 Dec 2017 18:55:36 +0100
+
policykit-1 (0.105-18+devuan2) unstable; urgency=medium

* Merge Devuan repo 0.105-9 to Debian 0.105-18

- -- Svante Signell <svante.signell@???> Mon, 18 Dec 2017 14:26:36 +0100
+ -- Svante Signell <svante.signell@???> Mon, 18 Dec 2017 14:26:36 +0100

policykit-1 (0.105-18) unstable; urgency=medium

diff --git a/debian/patches/series b/debian/patches/series
index a69547b..0f541be 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,5 +29,4 @@ master/Fix-multi-line-pam-text-info.patch
master/Add-gettext-support-for-.policy-files.patch
01_pam_polkit.patch
02_gettext.patch
-03_polkitunixsession_sessionid_from_display.patch
05_revert-admin-identities-unix-group-wheel.patch
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000..4ddb8af
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1 @@
+policykit-1: maintainer-upload-has-incorrect-version-number 0.105-18+devuan2.1
\ No newline at end of file
--
2.11.0