diff --git a/gvfs-1.38.1.tar.xz b/gvfs-1.38.1.tar.xz deleted file mode 100644 index a2bb4d5..0000000 --- a/gvfs-1.38.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ed136a842c996d25c835da405c4775c77106b46470e75bdc242bdd59ec0d61a0 -size 1203224 diff --git a/gvfs-1.38.2.tar.xz b/gvfs-1.38.2.tar.xz new file mode 100644 index 0000000..cb762f8 --- /dev/null +++ b/gvfs-1.38.2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:903f08c27c36841adb3e1855e3ad8e64c3c837580d892e4e4ba7018ccbae865b +size 1202808 diff --git a/gvfs-CVE-2019-3827.patch b/gvfs-CVE-2019-3827.patch deleted file mode 100644 index 57ac71c..0000000 --- a/gvfs-CVE-2019-3827.patch +++ /dev/null @@ -1,134 +0,0 @@ -From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001 -From: Ondrej Holy -Date: Wed, 2 Jan 2019 17:13:27 +0100 -Subject: admin: Prevent access if any authentication agent isn't available - -The backend currently allows to access and modify files without prompting -for password if any polkit authentication agent isn't available. This seems -isn't usually problem, because polkit agents are integral parts of -graphical environments / linux distributions. The agents can't be simply -disabled without root permissions and are automatically respawned. However, -this might be a problem in some non-standard cases. - -This affects only users which belong to wheel group (i.e. those who are -already allowed to use sudo). It doesn't allow privilege escalation for -users, who don't belong to that group. - -Let's return permission denied error also when the subject can't be -authorized by any polkit agent to prevent this behavior. - -Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355 ---- - daemon/gvfsbackendadmin.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c -index ec0f2392..0f849008 100644 ---- a/daemon/gvfsbackendadmin.c -+++ b/daemon/gvfsbackendadmin.c -@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self, - return FALSE; - } - -- is_authorized = polkit_authorization_result_get_is_authorized (result) || -- polkit_authorization_result_get_is_challenge (result); -+ is_authorized = polkit_authorization_result_get_is_authorized (result); - - g_object_unref (result); - --- -2.16.4 - - -From 04325119859b9eb41c9db97f1c315f3c9ab3d95b Mon Sep 17 00:00:00 2001 -From: Ondrej Holy -Date: Fri, 4 Jan 2019 12:58:27 +0100 -Subject: admin: Add comment to .rules file - -Add comment to polkit org.gtk.vfs.file-operations.rules file explaining -the rule which allows starting gvfsd-admin without password for users -belonging to wheel group. ---- - daemon/org.gtk.vfs.file-operations.rules | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/daemon/org.gtk.vfs.file-operations.rules b/daemon/org.gtk.vfs.file-operations.rules -index fb8d54ae..6e528e93 100644 ---- a/daemon/org.gtk.vfs.file-operations.rules -+++ b/daemon/org.gtk.vfs.file-operations.rules -@@ -1,3 +1,8 @@ -+// Allows users belonging to wheel group to start gvfsd-admin without -+// authorization. This prevents redundant password prompt when starting -+// gvfsd-admin. The gvfsd-admin causes another password prompts to be shown -+// for each client process using the different action id and for the subject -+// based on the client process. - polkit.addRule(function(action, subject) { - if ((action.id == "org.gtk.vfs.file-operations-helper") && - subject.local && --- -2.16.4 - - -From cadb8377a849dfb3a815d05b50a75049095a8d2f Mon Sep 17 00:00:00 2001 -From: Ondrej Holy -Date: Mon, 14 Jan 2019 14:02:23 +0100 -Subject: admin: Add comments to .policy file - -Add comments to polkit org.gtk.vfs.file-operations.policy file explaining -the purpose of the different actions. ---- - daemon/org.gtk.vfs.file-operations.policy.in.in | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in -index f48a923b..02a7b2ce 100644 ---- a/daemon/org.gtk.vfs.file-operations.policy.in.in -+++ b/daemon/org.gtk.vfs.file-operations.policy.in.in -@@ -8,6 +8,7 @@ - GVfs - http://git.gnome.org/browse/gvfs - -+ - - Perform file operations - Authentication is required to perform file operations -@@ -19,6 +20,7 @@ - @libexecdir@/gvfsd-admin - - -+ - - Perform file operations - Authentication is required to perform file operations --- -2.16.4 - - -From a0e015cbd76715fbee407557c676a038f164c605 Mon Sep 17 00:00:00 2001 -From: Ondrej Holy -Date: Mon, 14 Jan 2019 14:04:58 +0100 -Subject: admin: Update message in .policy - -Update message for org.gtk.vfs.file-operations-helper action in -polkit org.gtk.vfs.file-operations.rules file to be obvious that it is -used when starting gvfsd-admin. ---- - daemon/org.gtk.vfs.file-operations.policy.in.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in -index 02a7b2ce..7acfbfd5 100644 ---- a/daemon/org.gtk.vfs.file-operations.policy.in.in -+++ b/daemon/org.gtk.vfs.file-operations.policy.in.in -@@ -11,7 +11,7 @@ - - - Perform file operations -- Authentication is required to perform file operations -+ Authentication is required to run gvfsd-admin daemon - - no - no --- -2.16.4 - diff --git a/gvfs.changes b/gvfs.changes index d616ea1..c317368 100644 --- a/gvfs.changes +++ b/gvfs.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Mon Mar 11 15:19:51 UTC 2019 - Bjørn Lie + +- Update to version 1.38.2: + + mtp: Don't retry reading an event after failure. + + admin: Prevent access if any authentication agent isn't + available (CVE-2019-3827). + + udisks2: Restore support of comment=x-gvfs-* option. + + common: Prevent crashes on invalid autorun file. + + Several smaller bugfixes. + + Updated translations. +- Drop gvfs-CVE-2019-3827.patch: Fixed upstream. + ------------------------------------------------------------------- Thu Feb 14 10:18:27 UTC 2019 - qkzhu@suse.com diff --git a/gvfs.spec b/gvfs.spec index 0cf5b2c..96bb80c 100644 --- a/gvfs.spec +++ b/gvfs.spec @@ -12,13 +12,13 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %bcond_without cdda Name: gvfs -Version: 1.38.1 +Version: 1.38.2 Release: 0 Summary: Virtual File System functionality for GLib License: LGPL-2.0-or-later AND GPL-3.0-only @@ -27,8 +27,6 @@ URL: https://wiki.gnome.org/Projects/gvfs Source0: https://download.gnome.org/sources/gvfs/1.38/%{name}-%{version}.tar.xz Source99: baselibs.conf -# PATCH-FIX-UPSTREAM gvfs-CVE-2019-3827.patch glgo#GNOME/gvfs#355 bsc#1125084 CVE-2019-3827 qkzhu@suse.com -- Prevent access if any authentication agent isn't available -Patch1: gvfs-CVE-2019-3827.patch ### NOTE: Please, keep SLE-only patches at bottom (starting on 1000). # PATCH-FEATURE-SLE gvfs-nds.patch ksamrat@novell.com -- Provides NDS browsing for nautilus Patch1000: gvfs-nds.patch @@ -161,7 +159,6 @@ gvfs plugins. %prep %setup -q translation-update-upstream po %{name} -%patch1 -p1 %if !0%{?is_opensuse} %patch1000 -p1 %patch1001 -p1