diff --git a/SOURCES/admin-Prevent-access-if-any-authentication-agent-isn.patch b/SOURCES/admin-Prevent-access-if-any-authentication-agent-isn.patch
new file mode 100644
index 0000000..63b0c74
--- /dev/null
+++ b/SOURCES/admin-Prevent-access-if-any-authentication-agent-isn.patch
@@ -0,0 +1,42 @@
+From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Wed, 2 Jan 2019 17:13:27 +0100
+Subject: [PATCH] admin: Prevent access if any authentication agent isn't
+ available
+
+The backend currently allows to access and modify files without prompting
+for password if any polkit authentication agent isn't available. This seems
+isn't usually problem, because polkit agents are integral parts of
+graphical environments / linux distributions. The agents can't be simply
+disabled without root permissions and are automatically respawned. However,
+this might be a problem in some non-standard cases.
+
+This affects only users which belong to wheel group (i.e. those who are
+already allowed to use sudo). It doesn't allow privilege escalation for
+users, who don't belong to that group.
+
+Let's return permission denied error also when the subject can't be
+authorized by any polkit agent to prevent this behavior.
+
+Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
+---
+ daemon/gvfsbackendadmin.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index ec0f2392..0f849008 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
+ return FALSE;
+ }
+
+- is_authorized = polkit_authorization_result_get_is_authorized (result) ||
+- polkit_authorization_result_get_is_challenge (result);
++ is_authorized = polkit_authorization_result_get_is_authorized (result);
+
+ g_object_unref (result);
+
+--
+2.20.1
+
diff --git a/SOURCES/daemon-Prevent-spawning-new-daemons-if-outgoing-oper.patch b/SOURCES/daemon-Prevent-spawning-new-daemons-if-outgoing-oper.patch
new file mode 100644
index 0000000..305c7e5
--- /dev/null
+++ b/SOURCES/daemon-Prevent-spawning-new-daemons-if-outgoing-oper.patch
@@ -0,0 +1,99 @@
+From 396216f71abf6907efd1383ca0d1a597918cd83d Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 11 Oct 2018 17:47:59 +0200
+Subject: [PATCH] daemon: Prevent spawning new daemons if outgoing operation
+ exists
+
+A new daemon is always spawned if MountLocation method (or LookupMount for
+automounted) is called and the respective mount isn't registered yet. This
+is not usually an issue, because the redundant daemons are consequently
+terminated. However, this is a problem if mount operations hang for some reason.
+This may happen e.g. with trash backend due to stale NFS mounts. Consequently,
+new and new daemons are spawned which may lead to system failures due to lack
+of system resources. See the following downstream bug report:
+https://bugzilla.redhat.com/show_bug.cgi?id=1632960
+
+Let's fix that behavior simply by preventing spawning of new daemons if
+respective outgoing mount operations exist.
+
+https://gitlab.gnome.org/GNOME/gvfs/merge_requests/19
+---
+ daemon/mount.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/daemon/mount.c b/daemon/mount.c
+index e242666d..33cae597 100644
+--- a/daemon/mount.c
++++ b/daemon/mount.c
+@@ -73,6 +73,7 @@ typedef void (*MountCallback) (VfsMountable *mountable,
+
+ static GList *mountables = NULL;
+ static GList *mounts = NULL;
++static GList *ongoing = NULL;
+
+ static gboolean fuse_available;
+
+@@ -253,6 +254,7 @@ typedef struct {
+ char *obj_path;
+ gboolean spawned;
+ GVfsDBusSpawner *spawner;
++ GList *pending; /* MountData */
+ } MountData;
+
+ static void spawn_mount (MountData *data);
+@@ -264,6 +266,7 @@ mount_data_free (MountData *data)
+ g_mount_spec_unref (data->mount_spec);
+ g_free (data->obj_path);
+ g_clear_object (&data->spawner);
++ g_list_free_full (data->pending, (GDestroyNotify) mount_data_free);
+
+ g_free (data);
+ }
+@@ -271,7 +274,17 @@ mount_data_free (MountData *data)
+ static void
+ mount_finish (MountData *data, GError *error)
+ {
++ GList *l;
++
++ ongoing = g_list_remove (ongoing, data);
++
+ data->callback (data->mountable, error, data->user_data);
++ for (l = data->pending; l != NULL; l = l->next)
++ {
++ MountData *pending_data = l->data;
++ pending_data->callback (pending_data->mountable, error, pending_data->user_data);
++ }
++
+ mount_data_free (data);
+ }
+
+@@ -493,6 +506,7 @@ mountable_mount (VfsMountable *mountable,
+ gpointer user_data)
+ {
+ MountData *data;
++ GList *l;
+
+ data = g_new0 (MountData, 1);
+ data->automount = automount;
+@@ -502,6 +516,18 @@ mountable_mount (VfsMountable *mountable,
+ data->callback = callback;
+ data->user_data = user_data;
+
++ for (l = ongoing; l != NULL; l = l->next)
++ {
++ MountData *ongoing_data = l->data;
++ if (g_mount_spec_equal (ongoing_data->mount_spec, mount_spec))
++ {
++ ongoing_data->pending = g_list_append (ongoing_data->pending, data);
++ return;
++ }
++ }
++
++ ongoing = g_list_append (ongoing, data);
++
+ if (mountable->dbus_name == NULL)
+ spawn_mount (data);
+ else
+--
+2.20.1
+
diff --git a/SOURCES/smbbrowse-Force-NT1-protocol-version-for-workgroup-s.patch b/SOURCES/smbbrowse-Force-NT1-protocol-version-for-workgroup-s.patch
new file mode 100644
index 0000000..4bf9934
--- /dev/null
+++ b/SOURCES/smbbrowse-Force-NT1-protocol-version-for-workgroup-s.patch
@@ -0,0 +1,89 @@
+diff --git a/configure.ac b/configure.ac
+index 3b5836ff..daeee728 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -546,6 +546,11 @@ if test "x$enable_samba" != "xno"; then
+ if test "x$msg_samba" = "xyes"; then
+ PKG_CHECK_MODULES([SAMBA], [smbclient])
+ AC_DEFINE([HAVE_SAMBA], 1, [Define to 1 if you have the samba libraries])
++
++ AC_CHECK_LIB(smbclient, smbc_setOptionProtocols,
++ AC_DEFINE(HAVE_SMBC_SETOPTIONPROTOCOLS, 1, [Define to 1 if smbc_setOptionProtocols() is available]),
++ []
++ )
+ fi
+ fi
+
+diff --git a/daemon/gvfsbackendsmbbrowse.c b/daemon/gvfsbackendsmbbrowse.c
+index f08d2988..3b11883e 100644
+--- a/daemon/gvfsbackendsmbbrowse.c
++++ b/daemon/gvfsbackendsmbbrowse.c
+@@ -45,6 +45,7 @@
+ #include "gvfskeyring.h"
+ #include "gmounttracker.h"
+ #include "gvfsbackendsmbprivate.h"
++#include "gvfsutils.h"
+
+ #include <libsmbclient.h>
+
+@@ -847,6 +848,47 @@ do_mount (GVfsBackend *backend,
+ else
+ op_backend->server = g_strdup (op_backend->mounted_server);
+
++#ifdef HAVE_SMBC_SETOPTIONPROTOCOLS
++ /* Force NT1 protocol version if server can't be resolved (i.e. is not
++ * hostname, nor IP address). This is needed for workgroup support, because
++ * "client max protocol" has been changed from NT1 to SMB3 in recent samba
++ * versions.
++ */
++
++ if (op_backend->server != NULL)
++ {
++ GResolver *resolver;
++ GList *addresses;
++ GError *error = NULL;
++ gchar *server;
++
++ resolver = g_resolver_get_default ();
++
++ /* IPv6 server includes brackets in GMountSpec, GResolver doesn't */
++ if (gvfs_is_ipv6 (op_backend->server))
++ server = g_strndup (op_backend->server + 1, strlen (op_backend->server) - 2);
++ else
++ server = g_strdup (op_backend->server);
++
++ addresses = g_resolver_lookup_by_name (resolver, server, NULL, &error);
++ if (addresses == NULL)
++ {
++ if (error != NULL)
++ {
++ g_debug ("%s\n", error->message);
++ g_error_free (error);
++ }
++
++ g_debug ("Forcing NT1 protocol version\n");
++ smbc_setOptionProtocols (smb_context, "NT1", "NT1");
++ }
++
++ g_resolver_free_addresses (addresses);
++ g_object_unref (resolver);
++ g_free (server);
++ }
++#endif
++
+ icon = NULL;
+ symbolic_icon = NULL;
+ if (op_backend->server == NULL)
+diff --git a/meson.build b/meson.build
+index 34600188..3a876172 100644
+--- a/meson.build
++++ b/meson.build
+@@ -416,6 +416,8 @@ config_h.set10('HAVE_LIBUSB', enable_libusb)
+ enable_samba = get_option('smb')
+ if enable_samba
+ smbclient_dep = dependency('smbclient')
++
++ config_h.set('HAVE_SMBC_SETOPTIONPROTOCOLS', cc.has_function('smbc_setOptionProtocols', dependencies: smbclient_dep))
+ endif
+
+ # *** Check for libarchive ***
diff --git a/SPECS/gvfs.spec b/SPECS/gvfs.spec
index dad76c9..e525e88 100644
--- a/SPECS/gvfs.spec
+++ b/SPECS/gvfs.spec
@@ -24,7 +24,7 @@
Name: gvfs
Version: 1.36.2
-Release: 1%{?dist}
+Release: 3%{?dist}
Summary: Backends for the gio framework in GLib
License: GPLv3 and LGPLv2+ and BSD and MPLv2.0
@@ -34,6 +34,15 @@ Source0: https://download.gnome.org/sources/gvfs/1.36/gvfs-%{version}.tar.xz
# http://bugzilla.gnome.org/show_bug.cgi?id=567235
Patch0: gvfs-archive-integration.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1632960
+Patch1: daemon-Prevent-spawning-new-daemons-if-outgoing-oper.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1673887
+Patch2: admin-Prevent-access-if-any-authentication-agent-isn.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1619719
+Patch3: smbbrowse-Force-NT1-protocol-version-for-workgroup-s.patch
+
BuildRequires: pkgconfig
BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version}
BuildRequires: pkgconfig(dbus-glib-1)
@@ -217,6 +226,9 @@ the functionality of the installed gvfs package.
%prep
%setup -q
%patch0 -p1 -b .archive-integration
+%patch1 -p1 -b .daemon-Prevent-spawning-new-daemons-if-outgoing-oper
+%patch2 -p1 -b .admin-Prevent-access-if-any-authentication-agent-isn
+%patch3 -p1 -b .smbbrowse-Force-NT1-protocol-version-for-workgroup-s
# Needed for gvfs-0.2.1-archive-integration.patch
autoreconf -fi
@@ -433,6 +445,13 @@ killall -USR1 gvfsd >&/dev/null || :
%{_datadir}/installed-tests
%changelog
+* Fri Feb 15 2019 Ondrej Holy <oholy@redhat.com> - 1.36.2-3
+- Force NT1 protocol version for workgroup support (#1619719)
+
+* Thu Jan 31 2019 Ondrej Holy <oholy@redhat.com> - 1.36.2-2
+- Prevent spawning new daemons if outgoing operation exists (#1632960)
+- CVE-2019-3827: Prevent access if any authentication agent isn't available (#1673887)
+
* Tue May 08 2018 Kalev Lember <klember@redhat.com> - 1.36.2-1
- Update to 1.36.2
- Resolves: #1569268