Accepting request 1248339 from GNOME:Factory

OBS-URL: https://build.opensuse.org/request/show/1248339 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gvfs?expand=0&rev=199
2025-02-27 13:50:14 +00:00 · 2025-02-27 13:50:14 +00:00 · db16607e3f
commit db16607e3f
parent c532fc74cf a8dbfcbe2e
3 changed files with 23 additions and 2 deletions
--- a/README.SUSE
+++ b/README.SUSE
@ -0,0 +1,14 @@
+Security of gvfs
+================
+
+gvfs allows to operate on files with root privileges from within
+unprivileged graphical applications. This is for example used in the Nautilus
+file manager via the `admin://` protocol.
+
+There exist some inherent dangers to the design of gvfs that can weaken
+your system's security. Please refer to this blog post [1] from the SUSE
+security team for technical details. The post also contains recommendations
+for users of gvfs [2].
+
+[1]: https://security.opensuse.org/2025/02/21/kio-admin-admittance.html
+[2]: https://security.opensuse.org/2025/02/21/kio-admin-admittance.html#7-recommendations-for-users-of-kio-admin-or-gvfs
--- a/gvfs.changes
+++ b/gvfs.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Feb 24 14:23:44 UTC 2025 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- add README.SUSE about security concerns in gvfs (bsc#1205607)
+
 -------------------------------------------------------------------
 Wed Dec 11 20:48:16 UTC 2024 - Bjørn Lie <bjorn.lie@gmail.com>

--- a/gvfs.spec
+++ b/gvfs.spec
@ -1,7 +1,7 @@
 #
 # spec file for package gvfs
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -26,6 +26,7 @@ License:        GPL-3.0-only AND LGPL-2.0-or-later
 Group:          Development/Libraries/C and C++
 URL:            https://wiki.gnome.org/Projects/gvfs
 Source0:        %{name}-%{version}.tar.zst
+Source1:        README.SUSE
 Source99:       baselibs.conf

 ### NOTE: Please, keep SLE-only patches at bottom (starting on 1000).
@ -183,6 +184,7 @@ gvfs plugins.
 %patch -P 1000 -p1
 %patch -P 1001 -p1
 %endif
+cp %{SOURCE1} .

 %build
 %meson \
@ -223,7 +225,7 @@ mv daemon/trashlib/COPYING daemon/trashlib/COPYING.trashlib

 %files
 %license COPYING daemon/trashlib/COPYING.trashlib
-%doc NEWS README.md
+%doc NEWS README.md README.SUSE
 %doc CONTRIBUTING.md NEWS.pre-1-2
 %doc daemon/org.gtk.vfs.file-operations.rules.in
 %dir %{_datadir}/%{name}