Description [1]:

> JS is Mozilla's JavaScript engine written in C.

```
$ bee init -o js-38.2.1-0.bee http://anduin.linuxfromscratch.org/BLFS/mozjs/mozjs-38.2.1.rc0.tar.bz2
creating js-38.2.1-0.bee from template '/etc/default/bee/templates/fallback'
```

[1]: http://www.linuxfromscratch.org/blfs/view/stable-systemd/general/js38.html

Recreate the bee file with the command below, and add customizations
back.

```
$ bee init -f -o polkit-0.104-1.bee http://hal.freedesktop.org/releases/polkit-0.104.tar.gz
```

Use HTTPS to securely download the source archive.

The [announcement][1] is available online.

> Hello,
> polkit-0.113 is now available at
> http://www.freedesktop.org/software/polkit/releases/polkit-0.113.tar.gz
> http://www.freedesktop.org/software/polkit/releases/polkit-0.113.tar.gz.sign
>
> --------------
> polkit 0.113
> --------------
>
> NOTE: This release is an important security update, see below.
>
> WARNING WARNING WARNING: This is a prerelease on the road to polkit
> 1.0. Public API might change and certain parts of the code still needs
> some security review. Use at your own risk.
>
> This is polkit 0.113.
>
> Highlights:
> Fixes CVE-2015-4625, a local privilege escalation due to predictable
> authentication session cookie values. Thanks to Tavis Ormandy, Google Project
> Zero for reporting this issue. For the future, authentication agents are
> encouraged to use PolkitAgentSession instead of using the D-Bus agent response
> API directly.
>
> Fixes CVE-2015-3256, various memory corruption vulnerabilities in use of the
> JavaScript interpreter, possibly leading to local privilege escalation.
>
> Fixes CVE-2015-3255, a memory corruption vulnerability in handling duplicate
> action IDs, possibly leading to local privilege escalation. Thanks to
> Laurent Bigonville for reporting this issue.
>
> Fixes CVE-2015-3218, which allowed any local user to crash polkitd. Thanks to
> Tavis Ormandy, Google Project Zero, for reporting this issue.
>
> On systemd-213 and later, the “active” state is shared across all sessions of
> an user, instead of being tracked separately.
>
> (pkexec), when not given a program to execute, runs the users’ shell by
> default.
>
> Build requirements
>
> glib, gobject, gio >= 2.30
> mozjs185 or mozjs-17.0
> gobject-introspection >= 0.6.2 (optional)
> pam (optional)
> ConsoleKit OR systemd
>
> Changes since polkit 0.112:
>
> Colin Walters (17):
> PolkitSystemBusName: Add public API to retrieve Unix user
> examples/cancel: Fix to securely lookup subject
> sessionmonitor-systemd: Deduplicate code paths
> PolkitSystemBusName: Retrieve both pid and uid
> Port internals non-deprecated PolkitProcess API where possible
> Use G_GNUC_BEGIN_IGNORE_DEPRECATIONS to avoid warning spam
> pkexec: Work around systemd injecting broken XDG_RUNTIME_DIR
> pkexec: Support just plain "pkexec" to run shell
> .dir-locals: Style for Emacs - we don't use tabs
> authority: Avoid cookie wrapping by using u64 counter
> CVE-2015-3218: backend: Handle invalid object paths in RegisterAuthenticationAgent
> build: Start using git.mk
> Revert "authority: Avoid cookie wrapping by using u64 counter"
> authority: Add a helper method for checking whether an identity is root
> CVE-2015-4625: Use unpredictable cookie values, keep them secret
> CVE-2015-4625: Bind use of cookies to specific uids
> README: Note to send security reports via DBus's mechanism
>
> Kay Sievers (1):
> sessionmonitor-systemd: prepare for D-Bus "user bus" model
>
> Lukasz Skalski (1):
> polkitd: Fix problem with removing non-existent source
>
> Max A. Dednev (1):
> authority: Fix memory leak in EnumerateActions call results handler
>
> Miloslav Trmač (24):
> Post-release version bump to 0.113
> Don't discard error data returned by polkit_system_bus_name_get_user_sync
> Fix a memory leak
> Refuse duplicate --user arguments to pkexec
> Fix a possible NULL dereference.
> Remove a redundant assignment.
> Simplify forced error domain registration
> Fix a typo, s/Evaluting/Evaluating/g
> s/INCLUDES/AM_CPPFLAGS/g
> Fix duplicate GError use when "uid" is missing
> Fix a crash when two authentication requests are in flight.
> docs: Update for changes to uid binding/AuthenticationAgentResponse2
> Don't pass an uninitialized JS parameter
> Don't add extra NULL group to subject.groups
> Don't store unrooted jsvals on heap
> Fix a per-authorization memory leak
> Fix a memory leak when registering an authentication agent
> Wrap all JS usage within “requests”
> Register heap-based JSObject pointers to GC
> Prevent builds against SpiderMonkey with exact stack rooting
> Clear the JS operation callback before invoking JS in the callback
> Fix spurious timeout exceptions on GC
> Fix GHashTable usage.
> Fix use-after-free in polkitagentsession.c
>
> Philip Withnall (1):
> sessionmonitor-systemd: Use sd_uid_get_state() to check session activity
>
> Rui Matos (1):
> PolkitAgentSession: fix race between child and io watches
>
> Simon McVittie (1):
> Use libsystemd instead of older libsystemd-login if possible
>
> Ting-Wei Lan (1):
> build: Fix several issues on FreeBSD
>
> Xabier Rodriguez Calvar (1):
> Fixed compilation problem in the backend
>
> Thanks to our contributors.
>
> Colin Walters and Miloslav Trmač,
> July 2, 2015

[1]: https://lists.freedesktop.org/archives/polkit-devel/2015-July/000432.html
     "polkit-0.113 released"

From BLFS with systemd [1]:

>  Due to lack of releases, a tarball has been generated for use by
>  BLFS, which includes a git checkout at ref 2919920, and a pending
>  patch to use js38. The patch is included in the tarball for review.

Use systemd-logind for session tracking.

```
                  polkit 0.114
                =================

        prefix:                     /usr
        libdir:                     /usr/lib
        libexecdir:                 /usr/lib/polkit-1
        bindir:                     /usr/bin
        sbindir:                    /usr/sbin
        datadir:                    /usr/share
        sysconfdir:                 /etc
        localstatedir:              /var
        docdir:                     /usr/share/doc/polkit

        compiler:                   gcc
        cflags:                     -g -O2
        cppflags:
        xsltproc:                   /usr/bin/xsltproc
	introspection:		    yes

        Distribution/OS:            unknown
        Authentication framework:   pam
        Session tracking:           libsystemd-login
        PAM support:                yes
        systemdsystemunitdir:       /lib/systemd/system
        polkitd user:               polkitd

        PAM file auth:              system-auth
        PAM file account:           system-auth
        PAM file password:          system-auth
        PAM file session:           system-auth

        Maintainer mode:            no
        Building api docs:          no
        Building man pages:         yes
        Building examples:          yes
```

[1]: http://www.linuxfromscratch.org/blfs/view/stable-systemd/postlfs/polkit.html

The current option name is `polkitd`, and we set the default value.