Accepting request 676273 from home:qkzhu:branches:GNOME:Factory

- Add gvfs-CVE-2019-3827.patch: Prevent access if any authentication agent isn't available (glgo#GNOME/gvfs#355, bsc#1125084, CVE-2019-3827). OBS-URL: https://build.opensuse.org/request/show/676273 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gvfs?expand=0&rev=319
2019-02-15 09:56:55 +00:00 · 2019-02-15 09:56:55 +00:00 · 32f1f39609
commit 32f1f39609
parent 7ed982ff8b
3 changed files with 146 additions and 2 deletions
--- a/gvfs-CVE-2019-3827.patch
+++ b/gvfs-CVE-2019-3827.patch
@ -0,0 +1,134 @@
 From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
 From: Ondrej Holy <oholy@redhat.com>
 Date: Wed, 2 Jan 2019 17:13:27 +0100
 Subject: admin: Prevent access if any authentication agent isn't available
 The backend currently allows to access and modify files without prompting
 for password if any polkit authentication agent isn't available. This seems
 isn't usually problem, because polkit agents are integral parts of
 graphical environments / linux distributions. The agents can't be simply
 disabled without root permissions and are automatically respawned. However,
 this might be a problem in some non-standard cases.
 This affects only users which belong to wheel group (i.e. those who are
 already allowed to use sudo). It doesn't allow privilege escalation for
 users, who don't belong to that group.
 Let's return permission denied error also when the subject can't be
 authorized by any polkit agent to prevent this behavior.
 Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
 ---
 daemon/gvfsbackendadmin.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
 index ec0f2392..0f849008 100644
 --- a/daemon/gvfsbackendadmin.c
 +++ b/daemon/gvfsbackendadmin.c
@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
       return FALSE;
     }
 -  is_authorized = polkit_authorization_result_get_is_authorized (result) ||
 -    polkit_authorization_result_get_is_challenge (result);
 +  is_authorized = polkit_authorization_result_get_is_authorized (result);
   g_object_unref (result);
 -- 
 2.16.4
 From 04325119859b9eb41c9db97f1c315f3c9ab3d95b Mon Sep 17 00:00:00 2001
 From: Ondrej Holy <oholy@redhat.com>
 Date: Fri, 4 Jan 2019 12:58:27 +0100
 Subject: admin: Add comment to .rules file
 Add comment to polkit org.gtk.vfs.file-operations.rules file explaining
 the rule which allows starting gvfsd-admin without password for users
 belonging to wheel group.
 ---
 daemon/org.gtk.vfs.file-operations.rules | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/daemon/org.gtk.vfs.file-operations.rules b/daemon/org.gtk.vfs.file-operations.rules
 index fb8d54ae..6e528e93 100644
 --- a/daemon/org.gtk.vfs.file-operations.rules
 +++ b/daemon/org.gtk.vfs.file-operations.rules
@@ -1,3 +1,8 @@
 +// Allows users belonging to wheel group to start gvfsd-admin without
 +// authorization. This prevents redundant password prompt when starting
 +// gvfsd-admin. The gvfsd-admin causes another password prompts to be shown
 +// for each client process using the different action id and for the subject
 +// based on the client process.
 polkit.addRule(function(action, subject) {
         if ((action.id == "org.gtk.vfs.file-operations-helper") &&
             subject.local &&
 -- 
 2.16.4
 From cadb8377a849dfb3a815d05b50a75049095a8d2f Mon Sep 17 00:00:00 2001
 From: Ondrej Holy <oholy@redhat.com>
 Date: Mon, 14 Jan 2019 14:02:23 +0100
 Subject: admin: Add comments to .policy file
 Add comments to polkit org.gtk.vfs.file-operations.policy file explaining
 the purpose of the different actions.
 ---
 daemon/org.gtk.vfs.file-operations.policy.in.in | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in
 index f48a923b..02a7b2ce 100644
 --- a/daemon/org.gtk.vfs.file-operations.policy.in.in
 +++ b/daemon/org.gtk.vfs.file-operations.policy.in.in
@@ -8,6 +8,7 @@
   <vendor>GVfs</vendor>
   <vendor_url>http://git.gnome.org/browse/gvfs</vendor_url>
 +  <!-- This action is used when starting gvfsd-admin. -->
   <action id="org.gtk.vfs.file-operations-helper">
     <description>Perform file operations</description>
     <message>Authentication is required to perform file operations</message>
@@ -19,6 +20,7 @@
     <annotate key="org.freedesktop.policykit.exec.path">@libexecdir@/gvfsd-admin</annotate>
   </action>
 +  <!-- This action is used to authorize gvfsd-admin operations. -->
   <action id="org.gtk.vfs.file-operations">
     <description>Perform file operations</description>
     <message>Authentication is required to perform file operations</message>
 -- 
 2.16.4
 From a0e015cbd76715fbee407557c676a038f164c605 Mon Sep 17 00:00:00 2001
 From: Ondrej Holy <oholy@redhat.com>
 Date: Mon, 14 Jan 2019 14:04:58 +0100
 Subject: admin: Update message in .policy
 Update message for org.gtk.vfs.file-operations-helper action in
 polkit org.gtk.vfs.file-operations.rules file to be obvious that it is
 used when starting gvfsd-admin.
 ---
 daemon/org.gtk.vfs.file-operations.policy.in.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in
 index 02a7b2ce..7acfbfd5 100644
 --- a/daemon/org.gtk.vfs.file-operations.policy.in.in
 +++ b/daemon/org.gtk.vfs.file-operations.policy.in.in
@@ -11,7 +11,7 @@
   <!-- This action is used when starting gvfsd-admin. -->
   <action id="org.gtk.vfs.file-operations-helper">
     <description>Perform file operations</description>
 -    <message>Authentication is required to perform file operations</message>
 +    <message>Authentication is required to run gvfsd-admin daemon</message>
     <defaults>
       <allow_any>no</allow_any>
       <allow_inactive>no</allow_inactive>
 -- 
 2.16.4
--- a/gvfs.changes
+++ b/gvfs.changes
@ -1,3 +1,10 @@
 -------------------------------------------------------------------
 Thu Feb 14 10:18:27 UTC 2019 - qkzhu@suse.com
 - Add gvfs-CVE-2019-3827.patch: Prevent access if any authentication
  agent isn't available (glgo#GNOME/gvfs#355, bsc#1125084, 
  CVE-2019-3827). 
 -------------------------------------------------------------------
 Wed Sep 26 16:31:00 UTC 2018 - bjorn.lie@gmail.com
--- a/gvfs.spec
+++ b/gvfs.spec
@ -1,7 +1,7 @@
 #
 # spec file for package gvfs
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
@ -27,6 +27,8 @@ URL:            https://wiki.gnome.org/Projects/gvfs
 Source0:        https://download.gnome.org/sources/gvfs/1.38/%{name}-%{version}.tar.xz
 Source99:       baselibs.conf
 # PATCH-FIX-UPSTREAM gvfs-CVE-2019-3827.patch glgo#GNOME/gvfs#355 bsc#1125084 CVE-2019-3827 qkzhu@suse.com -- Prevent access if any authentication agent isn't available
 Patch1:         gvfs-CVE-2019-3827.patch
 ### NOTE: Please, keep SLE-only patches at bottom (starting on 1000).
 # PATCH-FEATURE-SLE gvfs-nds.patch ksamrat@novell.com -- Provides NDS browsing for nautilus
 Patch1000:      gvfs-nds.patch
@ -159,6 +161,7 @@ gvfs plugins.
 %prep
 %setup -q
 translation-update-upstream po %{name}
 %patch1 -p1
 %if !0%{?is_opensuse}
 %patch1000 -p1
 %patch1001 -p1