From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827
Date: Sun, 29 Mar 2020 18:49:16 +0200
Message-ID: <20200329164916.GH22325@scaer>
In-Reply-To: <20200329160246.4053834-1-fontaine.fabrice@gmail.com>

Fabrice, All,

On 2020-03-29 18:02 +0200, Fabrice Fontaine spake thusly:
> An incorrect permission check in the admin backend in gvfs before
> version 1.39.4 was found that allows reading and modifying arbitrary files
> by privileged users without asking for password when no authentication
> agent is running. This vulnerability can be exploited by malicious
> programs running under privileges of users belonging to the wheel group
> to further escalate its privileges by modifying system files without
> user's knowledge. Successful exploitation requires uncommon system
> configuration.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Patch series applied to master, thanks.

Any reason why you sent one patch for each CVE, rather than a single
patch?

Regards,
Yann E. MORIN.

> ---
> ...authentication-agent-isn-t-available.patch | 46 +++++++++++++++++++
> package/gvfs/gvfs.mk | 3 ++
> 2 files changed, 49 insertions(+)
> create mode 100644 package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
>
> diff --git a/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> new file mode 100644
> index 0000000000..2715371534
> --- /dev/null
> +++ b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> @@ -0,0 +1,46 @@
> +From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
> +From: Ondrej Holy <oholy@redhat.com>
> +Date: Wed, 2 Jan 2019 17:13:27 +0100
> +Subject: [PATCH] admin: Prevent access if any authentication agent isn't
> + available
> +
> +The backend currently allows to access and modify files without prompting
> +for password if any polkit authentication agent isn't available. This seems
> +isn't usually problem, because polkit agents are integral parts of
> +graphical environments / linux distributions. The agents can't be simply
> +disabled without root permissions and are automatically respawned. However,
> +this might be a problem in some non-standard cases.
> +
> +This affects only users which belong to wheel group (i.e. those who are
> +already allowed to use sudo). It doesn't allow privilege escalation for
> +users, who don't belong to that group.
> +
> +Let's return permission denied error also when the subject can't be
> +authorized by any polkit agent to prevent this behavior.
> +
> +Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
> +
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +[Retrieved from:
> +https://gitlab.gnome.org/GNOME/gvfs/commit/d8d0c8c40049cfd824b2b90d0cd47914052b9811]
> +---
> + daemon/gvfsbackendadmin.c | 3 +--
> + 1 file changed, 1 insertion(+), 2 deletions(-)
> +
> +diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
> +index ec0f2392..0f849008 100644
> +--- a/daemon/gvfsbackendadmin.c
> ++++ b/daemon/gvfsbackendadmin.c
> +@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
> + return FALSE;
> + }
> +
> +- is_authorized = polkit_authorization_result_get_is_authorized (result) ||
> +- polkit_authorization_result_get_is_challenge (result);
> ++ is_authorized = polkit_authorization_result_get_is_authorized (result);
> +
> + g_object_unref (result);
> +
> +--
> +2.24.1
> +
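Review bot: the header of the imported patch records the upstream commit in its "[Retrieved from: ...]" line but not the gvfs release that contains it, although the Buildroot commit message says the flaw is in gvfs before version 1.39.4. Adding that version next to the URL would tell whoever bumps the package when this file can be dropped. In the embedded check_permission hunk, is_authorized is now taken from polkit_authorization_result_get_is_authorized (result) alone, so a result that is only a challenge is denied, which is consistent with the upstream commit message.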
> diff --git a/package/gvfs/gvfs.mk b/package/gvfs/gvfs.mk
> index c380a710fb..6c927fa345 100644
> --- a/package/gvfs/gvfs.mk
> +++ b/package/gvfs/gvfs.mk
> @@ -15,6 +15,9 @@ GVFS_LICENSE = LGPL-2.0+
> GVFS_LICENSE_FILES = COPYING
> GVFS_LIBS = $(TARGET_NLS_LIBS)
>
> +# 0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> +GVFS_IGNORE_CVES += CVE-2019-3827
> +
> # Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent
> # build system from searching the host paths.
> GVFS_CONF_ENV = \
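Review bot: the "GVFS_IGNORE_CVES += CVE-2019-3827" line is tied to the fix only by the filename in the comment above it, so if the patch is dropped or renamed on a later bump the CVE stays ignored with nothing to flag it. Consider extending the comment to say the entry has to be removed together with the patch, for example once the package reaches the 1.39.4 release named in the commit message.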
> --
> 2.25.1
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'