Hello community, here is the log from the commit of package cinnamon for openSUSE:Factory checked in at 2018-07-09 13:29:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cinnamon (Old) and /work/SRC/openSUSE:Factory/.cinnamon.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cinnamon" Mon Jul 9 13:29:15 2018 rev:31 rq:621349 version:3.8.7 Changes: -------- --- /work/SRC/openSUSE:Factory/cinnamon/cinnamon.changes 2018-07-03 23:34:13.420419755 +0200 +++ /work/SRC/openSUSE:Factory/.cinnamon.new/cinnamon.changes 2018-07-09 13:30:52.222547503 +0200 @@ -1,0 +2,12 @@ +Thu Jul 5 13:05:25 UTC 2018 - [email protected] + +- Update to version 3.8.7: + * spices: Remove support for installing/removing system-wide + gsettings schemas. + * cinnamon-settings-users.py: Fix symlink attack vulnerability. +- Remove cinnamon-3.8.6-drop-global-gschema.patch, + cinnamon-settings-fix-symlink-vuln.patch: merged upstream. +- Rebase cinnamon-wheel-and-sbin-path.patch. +- Do not require xdg-utils: no longer required. + +------------------------------------------------------------------- Old: ---- Cinnamon-3.8.6.tar.gz cinnamon-3.8.6-drop-global-gschema.patch cinnamon-settings-fix-symlink-vuln.patch New: ---- Cinnamon-3.8.7.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cinnamon.spec ++++++ --- /var/tmp/diff_new_pack.VYEfoV/_old 2018-07-09 13:30:53.210545510 +0200 +++ /var/tmp/diff_new_pack.VYEfoV/_new 2018-07-09 13:30:53.214545502 +0200 @@ -21,7 +21,7 @@ %define _name Cinnamon %define _version 3.8.0 Name: cinnamon -Version: 3.8.6 +Version: 3.8.7 Release: 0 Summary: GNU/Linux Desktop featuring a traditional layout License: GPL-2.0-or-later AND LGPL-2.1-only 
@@ -46,12 +46,8 @@ Patch6: %{name}-fix-cogl.patch # PATCH-FEATURE-OPENSUSE cinnamon-fallback-icewm.patch [email protected] -- Use IceWM as fallback. Patch7: %{name}-fallback-icewm.patch -# PATCH-FIX-UPSTREAM cinnamon-settings-fix-symlink-vuln.patch CVE-2018-13054 bsc#1083067 [email protected] -- Fix symlink attack vulnerability (https://github.com/linuxmint/Cinnamon/pull/7683). -Patch8: %{name}-settings-fix-symlink-vuln.patch # PATCH-FIX-OPENSUSE cinnamon-use-libnm.patch [email protected] -- Use libnm, libnma instead of libnm-glib, libnm-gtk. -Patch9: %{name}-use-libnm.patch -# PATCH-FIX-UPSTREAM cinnamon-3.8.6-drop-global-gschema.patch boo#1091701 -- Remove support for installing/removing system-wide gschemas (commit 34043b7). -Patch10: %{name}-3.8.6-drop-global-gschema.patch +Patch8: %{name}-use-libnm.patch BuildRequires: autoconf BuildRequires: autoconf-archive BuildRequires: automake @@ -106,8 +102,6 @@ Requires: python3-python-pam Requires: v4l-tools Requires: wget -# For cinnamon-no-polkit-policy.patch. -Requires: xdg-utils Requires(post): update-alternatives Requires(postun): update-alternatives Recommends: %{name}-lang @@ -185,11 +179,9 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 -%patch8 -p1 %if 0%{?suse_version} >= 1500 -%patch9 -p1 +%patch8 -p1 %endif -%patch10 -p1 cp -a %{SOURCE1} . %build ++++++ Cinnamon-3.8.6.tar.gz -> Cinnamon-3.8.7.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cinnamon-3.8.6/configure.ac new/Cinnamon-3.8.7/configure.ac --- old/Cinnamon-3.8.6/configure.ac 2018-06-24 17:20:18.000000000 +0200 +++ new/Cinnamon-3.8.7/configure.ac 2018-07-05 11:46:19.000000000 +0200 
@@ -1,5 +1,5 @@ AC_PREREQ(2.63) -AC_INIT([cinnamon],[3.8.6],[https://github.com/linuxmint/Cinnamon/issues],[cinnamon]) +AC_INIT([cinnamon],[3.8.7],[https://github.com/linuxmint/Cinnamon/issues],[cinnamon]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_SRCDIR([src/cinnamon-global.c]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cinnamon-3.8.6/debian/changelog new/Cinnamon-3.8.7/debian/changelog --- old/Cinnamon-3.8.6/debian/changelog 2018-06-24 17:20:18.000000000 +0200 +++ new/Cinnamon-3.8.7/debian/changelog 2018-07-05 11:46:19.000000000 +0200 @@ -1,3 +1,13 @@ +cinnamon (3.8.7) tara; urgency=medium + + [ Michael Webster ] + * spices: Remove support for installing/removing system-wide gsettings schemas. + + [ Matthias Gerstner ] + * cinnamon-settings-users.py: fix symlink attack vulnerability + + -- Clement Lefebvre <[email protected]> Thu, 05 Jul 2018 11:45:59 +0200 + cinnamon (3.8.6) tara; urgency=medium * Revert "network applet: Fix typo with showing access points in certain instances -" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cinnamon-3.8.6/files/usr/bin/cinnamon-schema-install new/Cinnamon-3.8.7/files/usr/bin/cinnamon-schema-install --- old/Cinnamon-3.8.6/files/usr/bin/cinnamon-schema-install 2018-06-24 17:20:18.000000000 +0200 +++ new/Cinnamon-3.8.7/files/usr/bin/cinnamon-schema-install 1970-01-01 01:00:00.000000000 +0100 
@@ -1,7 +0,0 @@ -#!/usr/bin/python3 - -import os -import sys - -os.system("cp %s /usr/share/glib-2.0/schemas/" % (sys.argv[1])) -os.system("glib-compile-schemas /usr/share/glib-2.0/schemas/") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cinnamon-3.8.6/files/usr/bin/cinnamon-schema-remove new/Cinnamon-3.8.7/files/usr/bin/cinnamon-schema-remove --- old/Cinnamon-3.8.6/files/usr/bin/cinnamon-schema-remove 2018-06-24 17:20:18.000000000 +0200 +++ new/Cinnamon-3.8.7/files/usr/bin/cinnamon-schema-remove 1970-01-01 01:00:00.000000000 +0100 @@ -1,7 +0,0 @@ -#!/usr/bin/python3 - -import os -import sys - -os.system("rm /usr/share/glib-2.0/schemas/%s" % (sys.argv[1])) -os.system("glib-compile-schemas /usr/share/glib-2.0/schemas/") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cinnamon-3.8.6/files/usr/share/cinnamon/cinnamon-settings/bin/Spices.py new/Cinnamon-3.8.7/files/usr/share/cinnamon/cinnamon-settings/bin/Spices.py --- old/Cinnamon-3.8.6/files/usr/share/cinnamon/cinnamon-settings/bin/Spices.py 2018-06-24 17:20:18.000000000 +0200 +++ new/Cinnamon-3.8.7/files/usr/share/cinnamon/cinnamon-settings/bin/Spices.py 2018-07-05 11:46:19.000000000 +0200 @@ -643,12 +643,6 @@ os.makedirs(locale_dir, mode=0o755, exist_ok=True) subprocess.call(['msgfmt', '-c', os.path.join(po_dir, file), '-o', os.path.join(locale_dir, '%s.mo' % uuid)]) - # Install spice schema file, if any - schema = [filename for filename in contents if 'gschema.xml' in filename] - for filename in schema: - path = os.path.join(folder, filename) - subprocess.call(['pkexec', 'cinnamon-schema-install', path]) - dest = os.path.join(self.install_folder, uuid) if os.path.exists(dest): shutil.rmtree(dest) 
@@ -663,8 +657,6 @@ file.close() md = json.loads(raw_meta) - if not self.themes and len(schema) > 0: - md['schema-file'] = ','.join(schema) if from_spices and uuid in self.index_cache: md['last-edited'] = self.index_cache[uuid]['last_edited'] else: @@ -690,11 +682,6 @@ try: uuid = job['uuid'] if not self.themes: - # Uninstall spice schema files, if any - if 'schema-file' in self.meta_map[uuid]: - for path in self.meta_map[uuid]['schema-file'].split(','): - subprocess.call(['pkexec', 'cinnamon-schema-remove', path]) - # Uninstall spice localization files, if any if (os.path.exists(locale_inst)): i19_folders = os.listdir(locale_inst) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cinnamon-3.8.6/files/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py new/Cinnamon-3.8.7/files/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py --- old/Cinnamon-3.8.6/files/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py 2018-06-24 17:20:18.000000000 +0200 +++ new/Cinnamon-3.8.7/files/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py 2018-07-05 11:46:19.000000000 +0200 
@@ -19,6 +19,35 @@ gettext.install("cinnamon", "/usr/share/locale") +class PrivHelper(object): + """A helper for performing temporary privilege drops. Necessary for + security when accessing user controlled files as root.""" + + def __init__(self): + + self.orig_uid = os.getuid() + self.orig_gid = os.getgid() + self.orig_groups = os.getgroups() + + def drop_privs(self, user): + + uid = user.get_uid() + # the user's main group id + gid = pwd.getpwuid(uid).pw_gid + + # initialize the user's supplemental groups and main group + os.initgroups(user.get_user_name(), gid) + os.setegid(gid) + os.seteuid(uid) + + def restore_privs(self): + + os.seteuid(self.orig_uid) + os.setegid(self.orig_gid) + os.setgroups(self.orig_groups) + +priv_helper = PrivHelper() + (INDEX_USER_OBJECT, INDEX_USER_PICTURE, INDEX_USER_DESCRIPTION) = range(3) (INDEX_GID, INDEX_GROUPNAME) = range(2) @@ -642,7 +671,11 @@ image = PIL.Image.open(path) image.thumbnail((96, 96), Image.ANTIALIAS) face_path = os.path.join(user.get_home_dir(), ".face") - image.save(face_path, "png") + try: + priv_helper.drop_privs(user) + image.save(face_path, "png") + finally: + priv_helper.restore_privs() user.set_icon_file(face_path) self.face_image.set_from_file(face_path) model.set_value(treeiter, INDEX_USER_PICTURE, GdkPixbuf.Pixbuf.new_from_file_at_size(face_path, 48, 48)) 
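Review bot: `PrivHelper.__init__` records `os.getuid()` and `os.getgid()`, which are the real IDs, but `restore_privs` passes them to `os.seteuid`/`os.setegid`, so the effective IDs are restored correctly only if real and effective IDs were equal when the module-level `priv_helper` was created. Saving `os.geteuid()` and `os.getegid()` instead would make save and restore symmetric. None of the three methods has a docstring, and the ordering they depend on deserves a comment: in `drop_privs` the group calls must run before `os.seteuid(uid)`, and in `restore_privs` `os.seteuid` must come first because `os.setgroups` needs the regained privilege. The class docstring could also say that only the effective IDs change, so this restricts file access checks and is not a permanent drop. The hunk calls `pwd.getpwuid` without adding an import, so confirm `pwd` is imported near the top of the file, outside the hunk.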
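Review bot: In the `@@ -642,7 +671,11 @@` hunk only `image.save(face_path, "png")` runs with the user's effective IDs. After `restore_privs()`, the context lines `self.face_image.set_from_file(face_path)` and `GdkPixbuf.Pixbuf.new_from_file_at_size(face_path, 48, 48)` reopen the same user-controlled path with the original privileges. The file behind `face_path` can change between the save and those loads, so the privileged process may parse something other than the image it just wrote. Consider moving the two loads into the `try` block ahead of `finally`, or building the preview from a path the account owner does not control. The enclosing method starts and ends outside the hunk.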
@@ -675,7 +708,11 @@ user = model[treeiter][INDEX_USER_OBJECT] user.set_icon_file(path) self.face_image.set_from_file(path) - shutil.copy(path, os.path.join(user.get_home_dir(), ".face")) + try: + priv_helper.drop_privs(user) + shutil.copy(path, os.path.join(user.get_home_dir(), ".face")) + finally: + priv_helper.restore_privs() model.set_value(treeiter, INDEX_USER_PICTURE, GdkPixbuf.Pixbuf.new_from_file_at_size(path, 48, 48)) model.row_changed(model.get_path(treeiter), treeiter) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cinnamon-3.8.6/files/usr/share/polkit-1/actions/org.cinnamon.schema-install.policy new/Cinnamon-3.8.7/files/usr/share/polkit-1/actions/org.cinnamon.schema-install.policy --- old/Cinnamon-3.8.6/files/usr/share/polkit-1/actions/org.cinnamon.schema-install.policy 2018-06-24 17:20:18.000000000 +0200 +++ new/Cinnamon-3.8.7/files/usr/share/polkit-1/actions/org.cinnamon.schema-install.policy 1970-01-01 01:00:00.000000000 +0100 
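Review bot: `shutil.copy(path, ...)` now opens the source as well as the destination with the target user's effective IDs, so the copy fails with a permission error whenever `path` is readable by the administrator but not by that user. Whether that can happen depends on where `path` comes from, which is outside the hunk. By that point `user.set_icon_file(path)` and `self.face_image.set_from_file(path)` have already run, so a failed copy leaves the dialog and `~/.face` out of step, and nothing visible here catches the exception. Opening the source before the drop and writing only the destination under the user's IDs avoids this, but `shutil.copyfileobj` does not copy the permission bits that `shutil.copy` does. The enclosing method starts and ends outside the hunk.

```python
        face_path = os.path.join(user.get_home_dir(), ".face")
        # Source is opened before the drop, with the caller's privileges.
        with open(path, "rb") as src:
            try:
                priv_helper.drop_privs(user)
                # Destination is created and written with the user's effective IDs.
                with open(face_path, "wb") as dst:
                    shutil.copyfileobj(src, dst)
            finally:
                priv_helper.restore_privs()
        # … unchanged: model.set_value / model.row_changed …
```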
@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE policyconfig PUBLIC
- "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
- "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
-<policyconfig>
-
- <vendor>Cinnamon</vendor>
- <vendor_url>https://github.com/linuxmint/cinnamon</vendor_url>
-
- <action id="org.cinnamon.schema-install">
- <icon_name>system-run</icon_name>
- <defaults>
- <allow_any>no</allow_any>
- <allow_inactive>no</allow_inactive>
- <allow_active>auth_admin_keep</allow_active>
- </defaults>
- <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/cinnamon-schema-install</annotate>
- </action>
-
-</policyconfig>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cinnamon-3.8.6/files/usr/share/polkit-1/actions/org.cinnamon.schema-remove.policy new/Cinnamon-3.8.7/files/usr/share/polkit-1/actions/org.cinnamon.schema-remove.policy
--- old/Cinnamon-3.8.6/files/usr/share/polkit-1/actions/org.cinnamon.schema-remove.policy 2018-06-24 17:20:18.000000000 +0200
+++ new/Cinnamon-3.8.7/files/usr/share/polkit-1/actions/org.cinnamon.schema-remove.policy 1970-01-01 01:00:00.000000000 +0100
@@ -1,20 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE policyconfig PUBLIC - "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" - "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd"> -<policyconfig> - - <vendor>Cinnamon</vendor> - <vendor_url>https://github.com/linuxmint/cinnamon</vendor_url> - - <action id="org.cinnamon.schema-remove"> - <icon_name>system-run</icon_name> - <defaults> - <allow_any>no</allow_any> - <allow_inactive>no</allow_inactive> - <allow_active>auth_admin_keep</allow_active> - </defaults> - <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/cinnamon-schema-remove</annotate> - </action> - -</policyconfig> ++++++ cinnamon-wheel-and-sbin-path.patch ++++++ --- /var/tmp/diff_new_pack.VYEfoV/_old 2018-07-09 13:30:53.554544816 +0200 +++ /var/tmp/diff_new_pack.VYEfoV/_new 2018-07-09 13:30:53.558544808 +0200 @@ -17,7 +17,7 @@ --- a/files/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py +++ b/files/usr/share/cinnamon/cinnamon-settings-users/cinnamon-settings-users.py -@@ -153,12 +153,11 @@ class EditableEntry (Gtk.Notebook): +@@ -182,12 +182,11 @@ class EditableEntry (Gtk.Notebook): class PasswordDialog(Gtk.Dialog): @@ -31,7 +31,7 @@ self.set_modal(True) self.set_skip_taskbar_hint(True) -@@ -224,14 +223,7 @@ class PasswordDialog(Gtk.Dialog): +@@ -253,14 +252,7 @@ class PasswordDialog(Gtk.Dialog): def change_password(self): newpass = self.new_password.get_text() self.user.set_password(newpass, "") @@ -47,7 +47,7 @@ self.destroy() def set_passwords_visibility(self): -@@ -570,7 +562,7 @@ class Module: +@@ -599,7 +591,7 @@ class Module: model, treeiter = self.users_treeview.get_selection().get_selected() if treeiter != None: user = model[treeiter][INDEX_USER_OBJECT] 
@@ -56,7 +56,7 @@ response = dialog.run() def _on_groups_button_clicked(self, widget): -@@ -581,7 +573,7 @@ class Module: +@@ -610,7 +602,7 @@ class Module: response = dialog.run() if response == Gtk.ResponseType.OK: groups = dialog.get_selected_groups() @@ -65,7 +65,7 @@ groups.sort() self.groups_label.set_text(", ".join(groups)) dialog.destroy() -@@ -839,11 +831,11 @@ class Module: +@@ -876,11 +868,11 @@ class Module: pixbuf = GdkPixbuf.Pixbuf.new_from_file_at_size("/usr/share/cinnamon/faces/user-generic.png", 48, 48) description = "<b>%s</b>\n%s" % (fullname, username) piter = self.users.append(None, [new_user, pixbuf, description]) @@ -80,7 +80,7 @@ self.load_groups() dialog.destroy() -@@ -888,7 +880,7 @@ class Module: +@@ -925,7 +917,7 @@ class Module: d.set_default_response(Gtk.ResponseType.NO) r = d.run() if r == Gtk.ResponseType.YES: @@ -89,7 +89,7 @@ self.load_groups() d.destroy() -@@ -896,7 +888,7 @@ class Module: +@@ -933,7 +925,7 @@ class Module: dialog = GroupDialog(_("Group Name"), "", self.window) response = dialog.run() if response == Gtk.ResponseType.OK: @@ -98,7 +98,7 @@ self.load_groups() dialog.destroy() -@@ -907,7 +899,7 @@ class Module: +@@ -944,7 +936,7 @@ class Module: dialog = GroupDialog(_("Group Name"), group, self.window) response = dialog.run() if response == Gtk.ResponseType.OK:
