Hello community, here is the log from the commit of package gvfs for openSUSE:Factory checked in at 2019-02-20 14:07:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gvfs (Old) and /work/SRC/openSUSE:Factory/.gvfs.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gvfs" Wed Feb 20 14:07:19 2019 rev:154 rq:676369 version:1.38.1 Changes: -------- --- /work/SRC/openSUSE:Factory/gvfs/gvfs.changes 2018-10-17 08:16:28.322992892 +0200 +++ /work/SRC/openSUSE:Factory/.gvfs.new.28833/gvfs.changes 2019-02-20 14:07:30.211015668 +0100 @@ -1,0 +2,7 @@ +Thu Feb 14 10:18:27 UTC 2019 - [email protected] + +- Add gvfs-CVE-2019-3827.patch: Prevent access if any authentication + agent isn't available (glgo#GNOME/gvfs#355, bsc#1125084, + CVE-2019-3827). + +------------------------------------------------------------------- New: ---- gvfs-CVE-2019-3827.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gvfs.spec ++++++ --- /var/tmp/diff_new_pack.kp1WAp/_old 2019-02-20 14:07:31.727015167 +0100 +++ /var/tmp/diff_new_pack.kp1WAp/_new 2019-02-20 14:07:31.731015166 +0100 @@ -1,7 +1,7 @@ # # spec file for package gvfs # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -27,6 +27,8 @@ Source0: https://download.gnome.org/sources/gvfs/1.38/%{name}-%{version}.tar.xz Source99: baselibs.conf +# PATCH-FIX-UPSTREAM gvfs-CVE-2019-3827.patch glgo#GNOME/gvfs#355 bsc#1125084 CVE-2019-3827 [email protected] -- Prevent access if any authentication agent isn't available +Patch1: gvfs-CVE-2019-3827.patch ### NOTE: Please, keep SLE-only patches at bottom (starting on 1000). # PATCH-FEATURE-SLE gvfs-nds.patch [email protected] -- Provides NDS browsing for nautilus Patch1000: gvfs-nds.patch @@ -159,6 +161,7 @@ %prep %setup -q translation-update-upstream po %{name} +%patch1 -p1 %if !0%{?is_opensuse} %patch1000 -p1 %patch1001 -p1 ++++++ gvfs-CVE-2019-3827.patch ++++++ >From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001 From: Ondrej Holy <[email protected]> Date: Wed, 2 Jan 2019 17:13:27 +0100 Subject: admin: Prevent access if any authentication agent isn't available The backend currently allows to access and modify files without prompting for password if any polkit authentication agent isn't available. This seems isn't usually problem, because polkit agents are integral parts of graphical environments / linux distributions. The agents can't be simply disabled without root permissions and are automatically respawned. However, this might be a problem in some non-standard cases. This affects only users which belong to wheel group (i.e. those who are already allowed to use sudo). It doesn't allow privilege escalation for users, who don't belong to that group. Let's return permission denied error also when the subject can't be authorized by any polkit agent to prevent this behavior. Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355 --- daemon/gvfsbackendadmin.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c index ec0f2392..0f849008 100644 --- a/daemon/gvfsbackendadmin.c +++ b/daemon/gvfsbackendadmin.c @@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self, return FALSE; } - is_authorized = polkit_authorization_result_get_is_authorized (result) || - polkit_authorization_result_get_is_challenge (result); + is_authorized = polkit_authorization_result_get_is_authorized (result); g_object_unref (result); -- 2.16.4 >From 04325119859b9eb41c9db97f1c315f3c9ab3d95b Mon Sep 17 00:00:00 2001 From: Ondrej Holy <[email protected]> Date: Fri, 4 Jan 2019 12:58:27 +0100 Subject: admin: Add comment to .rules file Add comment to polkit org.gtk.vfs.file-operations.rules file explaining the rule which allows starting gvfsd-admin without password for users belonging to wheel group. --- daemon/org.gtk.vfs.file-operations.rules | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/daemon/org.gtk.vfs.file-operations.rules b/daemon/org.gtk.vfs.file-operations.rules index fb8d54ae..6e528e93 100644 --- a/daemon/org.gtk.vfs.file-operations.rules +++ b/daemon/org.gtk.vfs.file-operations.rules @@ -1,3 +1,8 @@ +// Allows users belonging to wheel group to start gvfsd-admin without +// authorization. This prevents redundant password prompt when starting +// gvfsd-admin. The gvfsd-admin causes another password prompts to be shown +// for each client process using the different action id and for the subject +// based on the client process. polkit.addRule(function(action, subject) { if ((action.id == "org.gtk.vfs.file-operations-helper") && subject.local && -- 2.16.4 >From cadb8377a849dfb3a815d05b50a75049095a8d2f Mon Sep 17 00:00:00 2001 From: Ondrej Holy <[email protected]> Date: Mon, 14 Jan 2019 14:02:23 +0100 Subject: admin: Add comments to .policy file Add comments to polkit org.gtk.vfs.file-operations.policy file explaining the purpose of the different actions. --- daemon/org.gtk.vfs.file-operations.policy.in.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in index f48a923b..02a7b2ce 100644 --- a/daemon/org.gtk.vfs.file-operations.policy.in.in +++ b/daemon/org.gtk.vfs.file-operations.policy.in.in @@ -8,6 +8,7 @@ <vendor>GVfs</vendor> <vendor_url>http://git.gnome.org/browse/gvfs</vendor_url> + <!-- This action is used when starting gvfsd-admin. --> <action id="org.gtk.vfs.file-operations-helper"> <description>Perform file operations</description> <message>Authentication is required to perform file operations</message> @@ -19,6 +20,7 @@ <annotate key="org.freedesktop.policykit.exec.path">@libexecdir@/gvfsd-admin</annotate> </action> + <!-- This action is used to authorize gvfsd-admin operations. --> <action id="org.gtk.vfs.file-operations"> <description>Perform file operations</description> <message>Authentication is required to perform file operations</message> -- 2.16.4 >From a0e015cbd76715fbee407557c676a038f164c605 Mon Sep 17 00:00:00 2001 From: Ondrej Holy <[email protected]> Date: Mon, 14 Jan 2019 14:04:58 +0100 Subject: admin: Update message in .policy Update message for org.gtk.vfs.file-operations-helper action in polkit org.gtk.vfs.file-operations.rules file to be obvious that it is used when starting gvfsd-admin. --- daemon/org.gtk.vfs.file-operations.policy.in.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/daemon/org.gtk.vfs.file-operations.policy.in.in b/daemon/org.gtk.vfs.file-operations.policy.in.in index 02a7b2ce..7acfbfd5 100644 --- a/daemon/org.gtk.vfs.file-operations.policy.in.in +++ b/daemon/org.gtk.vfs.file-operations.policy.in.in @@ -11,7 +11,7 @@ <!-- This action is used when starting gvfsd-admin. --> <action id="org.gtk.vfs.file-operations-helper"> <description>Perform file operations</description> - <message>Authentication is required to perform file operations</message> + <message>Authentication is required to run gvfsd-admin daemon</message> <defaults> <allow_any>no</allow_any> <allow_inactive>no</allow_inactive> -- 2.16.4
