Accepting request 684313 from GNOME:Factory

OBS-URL: https://build.opensuse.org/request/show/684313
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gvfs?expand=0&rev=155
Dominique Leuenberger 2019-03-14 13:50:47 +00:00 committed by Git OBS Bridge
commit 9c91b4619d
5 changed files with 18 additions and 142 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ed136a842c996d25c835da405c4775c77106b46470e75bdc242bdd59ec0d61a0
size 1203224

gvfs-1.38.2.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:903f08c27c36841adb3e1855e3ad8e64c3c837580d892e4e4ba7018ccbae865b
size 1202808


@ -1,134 +0,0 @@
From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Wed, 2 Jan 2019 17:13:27 +0100
Subject: admin: Prevent access if any authentication agent isn't available
The backend currently allows to access and modify files without prompting
for password if any polkit authentication agent isn't available. This seems
isn't usually problem, because polkit agents are integral parts of
graphical environments / linux distributions. The agents can't be simply
disabled without root permissions and are automatically respawned. However,
this might be a problem in some non-standard cases.
This affects only users which belong to wheel group (i.e. those who are
already allowed to use sudo). It doesn't allow privilege escalation for
users, who don't belong to that group.
Let's return permission denied error also when the subject can't be
authorized by any polkit agent to prevent this behavior.
Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
---
daemon/gvfsbackendadmin.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
index ec0f2392..0f849008 100644
--- a/daemon/gvfsbackendadmin.c
+++ b/daemon/gvfsbackendadmin.c
@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
return FALSE;
}
- is_authorized = polkit_authorization_result_get_is_authorized (result) ||
- polkit_authorization_result_get_is_challenge (result);
+ is_authorized = polkit_authorization_result_get_is_authorized (result);
g_object_unref (result);
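Review bot: In check_permission, the new assignment to is_authorized has no comment saying why a result that is only a challenge is now treated as a denial; the reasoning exists only in the commit message. A short comment above the line, stating that polkit_authorization_result_get_is_challenge() alone must not grant access because no agent has authenticated the subject, would keep a later cleanup from restoring the `||` branch. It is also worth confirming that the code following g_object_unref (result) returns the permission denied error for this case, since that path lies outside the visible context.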
--
2.16.4
From 04325119859b9eb41c9db97f1c315f3c9ab3d95b Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Fri, 4 Jan 2019 12:58:27 +0100
Subject: admin: Add comment to .rules file
Add comment to polkit org.gtk.vfs.file-operations.rules file explaining
the rule which allows starting gvfsd-admin without password for users
belonging to wheel group.
---
daemon/org.gtk.vfs.file-operations.rules | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/daemon/org.gtk.vfs.file-operations.rules b/daemon/org.gtk.vfs.file-operations.rules
index fb8d54ae..6e528e93 100644
--- a/daemon/org.gtk.vfs.file-operations.rules
+++ b/daemon/org.gtk.vfs.file-operations.rules
@@ -1,3 +1,8 @@
+// Allows users belonging to wheel group to start gvfsd-admin without
+// authorization. This prevents redundant password prompt when starting
+// gvfsd-admin. The gvfsd-admin causes another password prompts to be shown
+// for each client process using the different action id and for the subject
+// based on the client process.
polkit.addRule(function(action, subject) {
if ((action.id == "org.gtk.vfs.file-operations-helper") &&
subject.local &&
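Review bot: The added comment describes the rule only in terms of wheel group membership, but the condition visible below it also requires subject.local, and the rest of the condition is cut off by the hunk context. The comment should list every condition the rule tests, so that someone auditing who can start gvfsd-admin without a password does not have to read the JavaScript to find out. Wording nit in the third comment line: "causes another password prompts" should read "causes further password prompts".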
--
2.16.4
From cadb8377a849dfb3a815d05b50a75049095a8d2f Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Mon, 14 Jan 2019 14:02:23 +0100
Subject: admin: Add comments to .policy file
Add comments to polkit org.gtk.vfs.file-operations.policy file explaining
the purpose of the different actions.
---
daemon/org.gtk.vfs.file-operations.policy.in.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in
index f48a923b..02a7b2ce 100644
--- a/daemon/org.gtk.vfs.file-operations.policy.in.in
+++ b/daemon/org.gtk.vfs.file-operations.policy.in.in
@@ -8,6 +8,7 @@
<vendor>GVfs</vendor>
<vendor_url>http://git.gnome.org/browse/gvfs</vendor_url>
+ <!-- This action is used when starting gvfsd-admin. -->
<action id="org.gtk.vfs.file-operations-helper">
<description>Perform file operations</description>
<message>Authentication is required to perform file operations</message>
@@ -19,6 +20,7 @@
<annotate key="org.freedesktop.policykit.exec.path">@libexecdir@/gvfsd-admin</annotate>
</action>
+ <!-- This action is used to authorize gvfsd-admin operations. -->
<action id="org.gtk.vfs.file-operations">
<description>Perform file operations</description>
<message>Authentication is required to perform file operations</message>
--
2.16.4
From a0e015cbd76715fbee407557c676a038f164c605 Mon Sep 17 00:00:00 2001
From: Ondrej Holy <oholy@redhat.com>
Date: Mon, 14 Jan 2019 14:04:58 +0100
Subject: admin: Update message in .policy
Update message for org.gtk.vfs.file-operations-helper action in
polkit org.gtk.vfs.file-operations.rules file to be obvious that it is
used when starting gvfsd-admin.
---
daemon/org.gtk.vfs.file-operations.policy.in.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in
index 02a7b2ce..7acfbfd5 100644
--- a/daemon/org.gtk.vfs.file-operations.policy.in.in
+++ b/daemon/org.gtk.vfs.file-operations.policy.in.in
@@ -11,7 +11,7 @@
<!-- This action is used when starting gvfsd-admin. -->
<action id="org.gtk.vfs.file-operations-helper">
<description>Perform file operations</description>
- <message>Authentication is required to perform file operations</message>
+ <message>Authentication is required to run gvfsd-admin daemon</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
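Review bot: The commit message says the message is updated in org.gtk.vfs.file-operations.rules, but the diff changes daemon/org.gtk.vfs.file-operations.policy.in.in; the body should name the .policy file, as the subject line does. On the `+` line, "to run gvfsd-admin daemon" is missing an article ("to run the gvfsd-admin daemon"), which matters because this string is the text of the authentication prompt for the org.gtk.vfs.file-operations-helper action.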
--
2.16.4


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Mon Mar 11 15:19:51 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 1.38.2:
+ mtp: Don't retry reading an event after failure.
+ admin: Prevent access if any authentication agent isn't
available (CVE-2019-3827).
+ udisks2: Restore support of comment=x-gvfs-* option.
+ common: Prevent crashes on invalid autorun file.
+ Several smaller bugfixes.
+ Updated translations.
- Drop gvfs-CVE-2019-3827.patch: Fixed upstream.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Feb 14 10:18:27 UTC 2019 - qkzhu@suse.com Thu Feb 14 10:18:27 UTC 2019 - qkzhu@suse.com
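Review bot: The new changelog entry names CVE-2019-3827 but omits the bsc#1125084 and glgo#GNOME/gvfs#355 references that the removed Patch1 comment in the spec file carried. Adding them to the "admin: Prevent access ..." line or to the "Drop gvfs-CVE-2019-3827.patch" line keeps the bug linked to the release that fixes it. The dropped patch file also bundled three follow-up commits (the .rules comment, the .policy comments and the .policy message change); the entry should say whether 1.38.2 contains those as well, since "Fixed upstream" is only demonstrably true for the CVE change listed above it.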


@ -12,13 +12,13 @@
# license that conforms to the Open Source Definition (Version 1.9) # license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative. # published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Please submit bugfixes or comments via https://bugs.opensuse.org/
# #
%bcond_without cdda %bcond_without cdda
Name: gvfs Name: gvfs
Version: 1.38.1 Version: 1.38.2
Release: 0 Release: 0
Summary: Virtual File System functionality for GLib Summary: Virtual File System functionality for GLib
License: LGPL-2.0-or-later AND GPL-3.0-only License: LGPL-2.0-or-later AND GPL-3.0-only
@ -27,8 +27,6 @@ URL: https://wiki.gnome.org/Projects/gvfs
Source0: https://download.gnome.org/sources/gvfs/1.38/%{name}-%{version}.tar.xz Source0: https://download.gnome.org/sources/gvfs/1.38/%{name}-%{version}.tar.xz
Source99: baselibs.conf Source99: baselibs.conf
# PATCH-FIX-UPSTREAM gvfs-CVE-2019-3827.patch glgo#GNOME/gvfs#355 bsc#1125084 CVE-2019-3827 qkzhu@suse.com -- Prevent access if any authentication agent isn't available
Patch1: gvfs-CVE-2019-3827.patch
### NOTE: Please, keep SLE-only patches at bottom (starting on 1000). ### NOTE: Please, keep SLE-only patches at bottom (starting on 1000).
# PATCH-FEATURE-SLE gvfs-nds.patch ksamrat@novell.com -- Provides NDS browsing for nautilus # PATCH-FEATURE-SLE gvfs-nds.patch ksamrat@novell.com -- Provides NDS browsing for nautilus
Patch1000: gvfs-nds.patch Patch1000: gvfs-nds.patch
@ -161,7 +159,6 @@ gvfs plugins.
%prep %prep
%setup -q %setup -q
translation-update-upstream po %{name} translation-update-upstream po %{name}
%patch1 -p1
%if !0%{?is_opensuse} %if !0%{?is_opensuse}
%patch1000 -p1 %patch1000 -p1
%patch1001 -p1 %patch1001 -p1