From 32f1f39609f617468547b17be6b64969772c884e86d3a29f5acf5243f3ca5eb7 Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Fri, 15 Feb 2019 09:56:55 +0000 Subject: [PATCH] Accepting request 676273 from home:qkzhu:branches:GNOME:Factory - Add gvfs-CVE-2019-3827.patch: Prevent access if any authentication agent isn't available (glgo#GNOME/gvfs#355, bsc#1125084, CVE-2019-3827). OBS-URL: https://build.opensuse.org/request/show/676273 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gvfs?expand=0&rev=319 --- gvfs-CVE-2019-3827.patch | 134 +++++++++++++++++++++++++++++++++++++++ gvfs.changes | 7 ++ gvfs.spec | 7 +- 3 files changed, 146 insertions(+), 2 deletions(-) create mode 100644 gvfs-CVE-2019-3827.patch diff --git a/gvfs-CVE-2019-3827.patch b/gvfs-CVE-2019-3827.patch new file mode 100644 index 0000000..57ac71c --- /dev/null +++ b/gvfs-CVE-2019-3827.patch @@ -0,0 +1,134 @@ +From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Wed, 2 Jan 2019 17:13:27 +0100 +Subject: admin: Prevent access if any authentication agent isn't available + +The backend currently allows to access and modify files without prompting +for password if any polkit authentication agent isn't available. This seems +isn't usually problem, because polkit agents are integral parts of +graphical environments / linux distributions. The agents can't be simply +disabled without root permissions and are automatically respawned. However, +this might be a problem in some non-standard cases. + +This affects only users which belong to wheel group (i.e. those who are +already allowed to use sudo). It doesn't allow privilege escalation for +users, who don't belong to that group. + +Let's return permission denied error also when the subject can't be +authorized by any polkit agent to prevent this behavior. + +Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355 +--- + daemon/gvfsbackendadmin.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c +index ec0f2392..0f849008 100644 +--- a/daemon/gvfsbackendadmin.c ++++ b/daemon/gvfsbackendadmin.c +@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self, + return FALSE; + } + +- is_authorized = polkit_authorization_result_get_is_authorized (result) || +- polkit_authorization_result_get_is_challenge (result); ++ is_authorized = polkit_authorization_result_get_is_authorized (result); + + g_object_unref (result); + +-- +2.16.4 + + +From 04325119859b9eb41c9db97f1c315f3c9ab3d95b Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Fri, 4 Jan 2019 12:58:27 +0100 +Subject: admin: Add comment to .rules file + +Add comment to polkit org.gtk.vfs.file-operations.rules file explaining +the rule which allows starting gvfsd-admin without password for users +belonging to wheel group. +--- + daemon/org.gtk.vfs.file-operations.rules | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/daemon/org.gtk.vfs.file-operations.rules b/daemon/org.gtk.vfs.file-operations.rules +index fb8d54ae..6e528e93 100644 +--- a/daemon/org.gtk.vfs.file-operations.rules ++++ b/daemon/org.gtk.vfs.file-operations.rules +@@ -1,3 +1,8 @@ ++// Allows users belonging to wheel group to start gvfsd-admin without ++// authorization. This prevents redundant password prompt when starting ++// gvfsd-admin. The gvfsd-admin causes another password prompts to be shown ++// for each client process using the different action id and for the subject ++// based on the client process. + polkit.addRule(function(action, subject) { + if ((action.id == "org.gtk.vfs.file-operations-helper") && + subject.local && +-- +2.16.4 + + +From cadb8377a849dfb3a815d05b50a75049095a8d2f Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Mon, 14 Jan 2019 14:02:23 +0100 +Subject: admin: Add comments to .policy file + +Add comments to polkit org.gtk.vfs.file-operations.policy file explaining +the purpose of the different actions. +--- + daemon/org.gtk.vfs.file-operations.policy.in.in | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in +index f48a923b..02a7b2ce 100644 +--- a/daemon/org.gtk.vfs.file-operations.policy.in.in ++++ b/daemon/org.gtk.vfs.file-operations.policy.in.in +@@ -8,6 +8,7 @@ + GVfs + http://git.gnome.org/browse/gvfs + ++ + + Perform file operations + Authentication is required to perform file operations +@@ -19,6 +20,7 @@ + @libexecdir@/gvfsd-admin + + ++ + + Perform file operations + Authentication is required to perform file operations +-- +2.16.4 + + +From a0e015cbd76715fbee407557c676a038f164c605 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Mon, 14 Jan 2019 14:04:58 +0100 +Subject: admin: Update message in .policy + +Update message for org.gtk.vfs.file-operations-helper action in +polkit org.gtk.vfs.file-operations.rules file to be obvious that it is +used when starting gvfsd-admin. +--- + daemon/org.gtk.vfs.file-operations.policy.in.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in +index 02a7b2ce..7acfbfd5 100644 +--- a/daemon/org.gtk.vfs.file-operations.policy.in.in ++++ b/daemon/org.gtk.vfs.file-operations.policy.in.in +@@ -11,7 +11,7 @@ + + + Perform file operations +- Authentication is required to perform file operations ++ Authentication is required to run gvfsd-admin daemon + + no + no +-- +2.16.4 + diff --git a/gvfs.changes b/gvfs.changes index 2e0dafa..d616ea1 100644 --- a/gvfs.changes +++ b/gvfs.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Feb 14 10:18:27 UTC 2019 - qkzhu@suse.com + +- Add gvfs-CVE-2019-3827.patch: Prevent access if any authentication + agent isn't available (glgo#GNOME/gvfs#355, bsc#1125084, + CVE-2019-3827). + ------------------------------------------------------------------- Wed Sep 26 16:31:00 UTC 2018 - bjorn.lie@gmail.com diff --git a/gvfs.spec b/gvfs.spec index 00318c2..0cf5b2c 100644 --- a/gvfs.spec +++ b/gvfs.spec @@ -1,7 +1,7 @@ # # spec file for package gvfs # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -27,6 +27,8 @@ URL: https://wiki.gnome.org/Projects/gvfs Source0: https://download.gnome.org/sources/gvfs/1.38/%{name}-%{version}.tar.xz Source99: baselibs.conf +# PATCH-FIX-UPSTREAM gvfs-CVE-2019-3827.patch glgo#GNOME/gvfs#355 bsc#1125084 CVE-2019-3827 qkzhu@suse.com -- Prevent access if any authentication agent isn't available +Patch1: gvfs-CVE-2019-3827.patch ### NOTE: Please, keep SLE-only patches at bottom (starting on 1000). # PATCH-FEATURE-SLE gvfs-nds.patch ksamrat@novell.com -- Provides NDS browsing for nautilus Patch1000: gvfs-nds.patch @@ -159,6 +161,7 @@ gvfs plugins. %prep %setup -q translation-update-upstream po %{name} +%patch1 -p1 %if !0%{?is_opensuse} %patch1000 -p1 %patch1001 -p1