From 796e9d1d3d0eb4dac5d0ccf9583f9b5879ca30f3 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 24 2018 17:23:56 +0000
Subject: import PackageKit-1.1.5-2.el7_5
---
diff --git a/SOURCES/0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch b/SOURCES/0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch
new file mode 100644
index 0000000..cb98d62
--- /dev/null
+++ b/SOURCES/0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch
@@ -0,0 +1,55 @@
+From bb9f9a8fb451d7a2d81f7390993db75491224729 Mon Sep 17 00:00:00 2001
+From: Richard Hughes
+Date: Mon, 9 Apr 2018 16:39:56 +0100
+Subject: [PATCH] Do not set JUST_REINSTALL on any kind of auth failure
+
+If we try to continue the auth queue when it has been cancelled (or failed)
+then we fall upon the obscure JUST_REINSTALL transaction flag which only the
+DNF backend actually verifies.
+
+Many thanks to Matthias Gerstner for spotting the problem.
+---
+ src/pk-transaction.c | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+diff --git a/src/pk-transaction.c b/src/pk-transaction.c
+index 1d006c782..ffee29f6f 100644
+--- a/src/pk-transaction.c
++++ b/src/pk-transaction.c
+@@ -2351,25 +2351,14 @@ pk_transaction_authorize_actions_finished_cb (GObject *source_object,
+ 
+ /* did not auth */
+ if (!polkit_authorization_result_get_is_authorized (result)) {
+- if (g_strcmp0 (action_id, "org.freedesktop.packagekit.package-install") == 0 &&
+- pk_bitfield_contain (priv->cached_transaction_flags,
+- PK_TRANSACTION_FLAG_ENUM_ALLOW_REINSTALL)) {
+- g_debug ("allowing just reinstallation");
+- pk_bitfield_add (priv->cached_transaction_flags,
+- PK_TRANSACTION_FLAG_ENUM_JUST_REINSTALL);
+- } else {
+- priv->waiting_for_auth = FALSE;
+- /* emit an ::StatusChanged, ::ErrorCode() and then ::Finished() */
+- pk_transaction_status_changed_emit (data->transaction, PK_STATUS_ENUM_FINISHED);
+- pk_transaction_error_code_emit (data->transaction, PK_ERROR_ENUM_NOT_AUTHORIZED,
+- "Failed to obtain authentication.");
+- pk_transaction_finished_emit (data->transaction, PK_EXIT_ENUM_FAILED, 0);
+-
+- syslog (LOG_AUTH | LOG_NOTICE,
+- "uid %i failed to obtain auth",
+- priv->uid);
+- goto out;
+- }
++ priv->waiting_for_auth = FALSE;
++ /* emit an ::StatusChanged, ::ErrorCode() and then ::Finished() */
++ pk_transaction_status_changed_emit (data->transaction, PK_STATUS_ENUM_FINISHED);
++ pk_transaction_error_code_emit (data->transaction, 
PK_ERROR_ENUM_NOT_AUTHORIZED,
++ "Failed to obtain authentication.");
++ pk_transaction_finished_emit (data->transaction, PK_EXIT_ENUM_FAILED, 0);
++ syslog (LOG_AUTH | LOG_NOTICE, "uid %i failed to obtain auth", priv->uid);
++ goto out;
+ }
+ 
+ if (data->actions->len <= 1) {
+-- 
+2.17.0
+
diff --git a/SOURCES/CentOS-Vendor-Branding.patch b/SOURCES/CentOS-Vendor-Branding.patch
deleted file mode 100644
index 8573a7d..0000000
--- a/SOURCES/CentOS-Vendor-Branding.patch
+++ /dev/null
@@ -1,10 +0,0 @@
-diff -uNrp PackageKit-1.0.7.orig/etc/Vendor.conf PackageKit-1.0.7/etc/Vendor.conf
---- PackageKit-1.0.7.orig/etc/Vendor.conf 2015-04-22 04:54:56.000000000 -0500
-+++ PackageKit-1.0.7/etc/Vendor.conf 2015-11-22 11:03:41.134500772 -0600
-@@ -48,3 +48,6 @@ FontUrl=none
- #
- # default=none
- MimeUrl=none
-+#added by CentOS
-+VendorName=CentOS
-+VendorIcon=fedora-logo-small
diff --git a/SPECS/PackageKit.spec b/SPECS/PackageKit.spec
index a770bd6..efe2d61 100644
--- a/SPECS/PackageKit.spec
+++ b/SPECS/PackageKit.spec
@@ -6,13 +6,16 @@ Summary: Package management service Name: PackageKit Version: 1.1.5 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ and LGPLv2+ URL: http://www.freedesktop.org/software/PackageKit/ Source0: http://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz -Patch0: CentOS-Vendor-Branding.patch # Fedora-specific: set Vendor.conf up for Fedora. +Patch0: PackageKit-0.3.8-Fedora-Vendor.conf.patch + +# CVE-2018-1106 +Patch1: 0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch Requires: %{name}-glib%{?_isa} = %{version}-%{release} Requires: PackageKit-backend
@@ -157,7 +160,8 @@ using PackageKit. %prep %setup -q -%patch0 -p1 +%patch0 -p1 -b .fedora +%patch1 -p1 -b .CVE-2018-1106 %build %configure \ 
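Review bot: The audit record written on the new side, `syslog (LOG_AUTH | LOG_NOTICE, "uid %i failed to obtain auth", priv->uid);`, no longer says which polkit action was refused, even though `action_id` is still in scope at this point (the removed branch compared it with g_strcmp0). Now that a denied authorization always ends here, the refused action is exactly what an operator correlating LOG_AUTH entries needs; suggest `syslog (LOG_AUTH | LOG_NOTICE, "uid %i failed to obtain auth for %s", priv->uid, action_id);`. Clearing `priv->waiting_for_auth`, emitting FINISHED, NOT_AUTHORIZED and FAILED in that order and then `goto out` unconditionally is the right shape for the fix, since it removes the path that silently downgraded a denied package-install to JUST_REINSTALL. The enclosing callback and its `out:` label continue outside the hunk.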
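Review bot: The first spec hunk introduces `Patch0: PackageKit-0.3.8-Fedora-Vendor.conf.patch`, but this commit only adds `0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch` under SOURCES and deletes `CentOS-Vendor-Branding.patch`; unless the Fedora vendor patch is already tracked in SOURCES, `%patch0 -p1 -b .fedora` in the second hunk fails at %prep. Worth confirming that file is present before the import lands. The Patch1 entry, the `%patch1 -p1 -b .CVE-2018-1106` line and the release bump to 2%{?dist} are consistent with each other.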
@@ -300,9 +304,9 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || : %{_datadir}/vala/vapi/packagekit-glib2.vapi %changelog -* Mon Jul 31 2017 CentOS Sources - 1.1.5-1.el7.centos -- remove old branding patch -- Update Vendor patch to reference CentOS +* Tue Apr 17 2018 Richard Hughes - 1.1.5-2 +- Fixes CVE-2018-1106 +- Resolves: rhbz#1566425 * Tue Feb 28 2017 Richard Hughes - 1.1.5-1 - Update to 1.1.5