Accepting request 676369 from GNOME:Factory

- Add gvfs-CVE-2019-3827.patch: Prevent access if any authentication agent isn't available (glgo#GNOME/gvfs#355, bsc#1125084, CVE-2019-3827). (forwarded request 676273 from qkzhu) OBS-URL: https://build.opensuse.org/request/show/676369 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gvfs?expand=0&rev=154
2019-02-20 13:07:19 +00:00 · 2019-02-20 13:07:19 +00:00 · d27a265f71
commit d27a265f71
parent 277c778c1a 32f1f39609
3 changed files with 146 additions and 2 deletions
--- a/gvfs-CVE-2019-3827.patch
+++ b/gvfs-CVE-2019-3827.patch
@ -0,0 +1,134 @@
+From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Wed, 2 Jan 2019 17:13:27 +0100
+Subject: admin: Prevent access if any authentication agent isn't available
+
+The backend currently allows to access and modify files without prompting
+for password if any polkit authentication agent isn't available. This seems
+isn't usually problem, because polkit agents are integral parts of
+graphical environments / linux distributions. The agents can't be simply
+disabled without root permissions and are automatically respawned. However,
+this might be a problem in some non-standard cases.
+
+This affects only users which belong to wheel group (i.e. those who are
+already allowed to use sudo). It doesn't allow privilege escalation for
+users, who don't belong to that group.
+
+Let's return permission denied error also when the subject can't be
+authorized by any polkit agent to prevent this behavior.
+
+Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
+---
+ daemon/gvfsbackendadmin.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index ec0f2392..0f849008 100644
+--- a/daemon/gvfsbackendadmin.c
+++ b/daemon/gvfsbackendadmin.c
+@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
+       return FALSE;
+     }
+ 
+-  is_authorized = polkit_authorization_result_get_is_authorized (result) ||
+-    polkit_authorization_result_get_is_challenge (result);
+  is_authorized = polkit_authorization_result_get_is_authorized (result);
+ 
+   g_object_unref (result);
+ 
+-- 
+2.16.4
+
+
+From 04325119859b9eb41c9db97f1c315f3c9ab3d95b Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Fri, 4 Jan 2019 12:58:27 +0100
+Subject: admin: Add comment to .rules file
+
+Add comment to polkit org.gtk.vfs.file-operations.rules file explaining
+the rule which allows starting gvfsd-admin without password for users
+belonging to wheel group.
+---
+ daemon/org.gtk.vfs.file-operations.rules | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/daemon/org.gtk.vfs.file-operations.rules b/daemon/org.gtk.vfs.file-operations.rules
+index fb8d54ae..6e528e93 100644
+--- a/daemon/org.gtk.vfs.file-operations.rules
+++ b/daemon/org.gtk.vfs.file-operations.rules
+@@ -1,3 +1,8 @@
+// Allows users belonging to wheel group to start gvfsd-admin without
+// authorization. This prevents redundant password prompt when starting
+// gvfsd-admin. The gvfsd-admin causes another password prompts to be shown
+// for each client process using the different action id and for the subject
+// based on the client process.
+ polkit.addRule(function(action, subject) {
+         if ((action.id == "org.gtk.vfs.file-operations-helper") &&
+             subject.local &&
+-- 
+2.16.4
+
+
+From cadb8377a849dfb3a815d05b50a75049095a8d2f Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Mon, 14 Jan 2019 14:02:23 +0100
+Subject: admin: Add comments to .policy file
+
+Add comments to polkit org.gtk.vfs.file-operations.policy file explaining
+the purpose of the different actions.
+---
+ daemon/org.gtk.vfs.file-operations.policy.in.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in
+index f48a923b..02a7b2ce 100644
+--- a/daemon/org.gtk.vfs.file-operations.policy.in.in
+++ b/daemon/org.gtk.vfs.file-operations.policy.in.in
+@@ -8,6 +8,7 @@
+   <vendor>GVfs</vendor>
+   <vendor_url>http://git.gnome.org/browse/gvfs</vendor_url>
+ 
+  <!-- This action is used when starting gvfsd-admin. -->
+   <action id="org.gtk.vfs.file-operations-helper">
+     <description>Perform file operations</description>
+     <message>Authentication is required to perform file operations</message>
+@@ -19,6 +20,7 @@
+     <annotate key="org.freedesktop.policykit.exec.path">@libexecdir@/gvfsd-admin</annotate>
+   </action>
+ 
+  <!-- This action is used to authorize gvfsd-admin operations. -->
+   <action id="org.gtk.vfs.file-operations">
+     <description>Perform file operations</description>
+     <message>Authentication is required to perform file operations</message>
+-- 
+2.16.4
+
+
+From a0e015cbd76715fbee407557c676a038f164c605 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Mon, 14 Jan 2019 14:04:58 +0100
+Subject: admin: Update message in .policy
+
+Update message for org.gtk.vfs.file-operations-helper action in
+polkit org.gtk.vfs.file-operations.rules file to be obvious that it is
+used when starting gvfsd-admin.
+---
+ daemon/org.gtk.vfs.file-operations.policy.in.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in
+index 02a7b2ce..7acfbfd5 100644
+--- a/daemon/org.gtk.vfs.file-operations.policy.in.in
+++ b/daemon/org.gtk.vfs.file-operations.policy.in.in
+@@ -11,7 +11,7 @@
+   <!-- This action is used when starting gvfsd-admin. -->
+   <action id="org.gtk.vfs.file-operations-helper">
+     <description>Perform file operations</description>
+-    <message>Authentication is required to perform file operations</message>
+    <message>Authentication is required to run gvfsd-admin daemon</message>
+     <defaults>
+       <allow_any>no</allow_any>
+       <allow_inactive>no</allow_inactive>
+-- 
+2.16.4
+
--- a/gvfs.changes
+++ b/gvfs.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Feb 14 10:18:27 UTC 2019 - qkzhu@suse.com
+
+- Add gvfs-CVE-2019-3827.patch: Prevent access if any authentication
+  agent isn't available (glgo#GNOME/gvfs#355, bsc#1125084, 
+  CVE-2019-3827). 
+
 -------------------------------------------------------------------
 Wed Sep 26 16:31:00 UTC 2018 - bjorn.lie@gmail.com

--- a/gvfs.spec
+++ b/gvfs.spec
@ -1,7 +1,7 @@
 #
 # spec file for package gvfs
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #


@ -27,6 +27,8 @@ URL:            https://wiki.gnome.org/Projects/gvfs
 Source0:        https://download.gnome.org/sources/gvfs/1.38/%{name}-%{version}.tar.xz
 Source99:       baselibs.conf

+# PATCH-FIX-UPSTREAM gvfs-CVE-2019-3827.patch glgo#GNOME/gvfs#355 bsc#1125084 CVE-2019-3827 qkzhu@suse.com -- Prevent access if any authentication agent isn't available
+Patch1:         gvfs-CVE-2019-3827.patch
 ### NOTE: Please, keep SLE-only patches at bottom (starting on 1000).
 # PATCH-FEATURE-SLE gvfs-nds.patch ksamrat@novell.com -- Provides NDS browsing for nautilus
 Patch1000:      gvfs-nds.patch
@ -159,6 +161,7 @@ gvfs plugins.
 %prep
 %setup -q
 translation-update-upstream po %{name}
+%patch1 -p1
 %if !0%{?is_opensuse}
 %patch1000 -p1
 %patch1001 -p1