diff --git a/SOURCES/admin-Prevent-access-if-any-authentication-agent-isn.patch b/SOURCES/admin-Prevent-access-if-any-authentication-agent-isn.patch
new file mode 100644
index 0000000..63b0c74
--- /dev/null
+++ b/SOURCES/admin-Prevent-access-if-any-authentication-agent-isn.patch
@@ -0,0 +1,42 @@
+From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy
+Date: Wed, 2 Jan 2019 17:13:27 +0100
+Subject: [PATCH] admin: Prevent access if any authentication agent isn't
+ available
+
+The backend currently allows to access and modify files without prompting
+for password if any polkit authentication agent isn't available. This seems
+isn't usually problem, because polkit agents are integral parts of
+graphical environments / linux distributions. The agents can't be simply
+disabled without root permissions and are automatically respawned. However,
+this might be a problem in some non-standard cases.
+
+This affects only users which belong to wheel group (i.e. those who are
+already allowed to use sudo). It doesn't allow privilege escalation for
+users, who don't belong to that group.
+
+Let's return permission denied error also when the subject can't be
+authorized by any polkit agent to prevent this behavior.
+
+Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
+---
+ daemon/gvfsbackendadmin.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index ec0f2392..0f849008 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
+ return FALSE;
+ }
+
+- is_authorized = polkit_authorization_result_get_is_authorized (result) ||
+- polkit_authorization_result_get_is_challenge (result);
++ is_authorized = polkit_authorization_result_get_is_authorized (result);
+
+ g_object_unref (result);
+
+--
+2.20.1
+
diff --git a/SPECS/gvfs.spec b/SPECS/gvfs.spec
index 4c8e1af..29590ed 100644
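Review bot: The rewritten `is_authorized` assignment in check_permission drops the `polkit_authorization_result_get_is_challenge` case without a comment, so a later reader may take the missing `||` for an accidental loss of the interactive-prompt path and restore it. Recording the reason next to the line keeps the fix durable: `/* A challenge result means no polkit agent actually authenticated the caller; treat it as denied, never as authorized (CVE-2019-3827, gvfs#355). */`. Whether an interactive prompt is attempted at all depends on how the polkit check earlier in check_permission is invoked, which lies outside this hunk, as does the rest of the function; a test that the backend returns permission denied when no agent is available would pin the scenario the commit message says it closes.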
--- a/SPECS/gvfs.spec
+++ b/SPECS/gvfs.spec
@@ -24,13 +24,16 @@
 Name: gvfs
 Version: 1.36.2
-Release: 1%{?dist}
+Release: 2%{?dist}.1
 Summary: Backends for the gio framework in GLib
 License: GPLv3 and LGPLv2+ and BSD and MPLv2.0
 URL: https://wiki.gnome.org/Projects/gvfs
 Source0: https://download.gnome.org/sources/gvfs/1.36/gvfs-%{version}.tar.xz
+# https://bugzilla.redhat.com/show_bug.cgi?id=1690470
+Patch0: admin-Prevent-access-if-any-authentication-agent-isn.patch
+
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version}
 BuildRequires: pkgconfig(dbus-glib-1)
@@ -213,6 +216,7 @@ the functionality of the installed gvfs package.
 %prep
 %setup -q
+%patch0 -p1 -b .admin-Prevent-access-if-any-authentication-agent-isn
 autoreconf -fi
@@ -405,6 +409,12 @@ killall -USR1 gvfsd >&/dev/null || :
 %{_datadir}/installed-tests
 %changelog
+* Mon Apr 01 2019 Ondrej Holy - 1.36.2-2.1
+- CVE-2019-3827: Prevent access if any authentication agent isn't available (#1690470)
+
+* Fri Dec 14 2018 Ray Strode - 1.36.2-2
+- rebuild
+
 * Tue Jun 12 2018 Ondrej Holy - 1.36.2-1
 - Update to 1.36.2
 - Remove mount-archive.desktop helper
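Review bot: The comment added above `Patch0:` in the first hunk cites only the Red Hat bug, while the changelog entry in the third hunk identifies the fix as CVE-2019-3827 and the patch header itself points at gvfs issue 355; naming both on the source line keeps the provenance findable without opening the patch: `# CVE-2019-3827, https://bugzilla.redhat.com/show_bug.cgi?id=1690470, https://gitlab.gnome.org/GNOME/gvfs/issues/355`. The `%patch0 -p1` application in the second hunk matches the strip level the patch's `a/daemon/...` paths require, so no further change is needed there.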