From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827
Date: Sun, 29 Mar 2020 19:28:18 +0200 [thread overview]
Message-ID: <20200329172818.GL22325@scaer> (raw)
In-Reply-To: <CAPi7W83=ZELwxEACGYeC7UhiOAhNWZjZp-8tCpZTEWc+0YoSwA@mail.gmail.com>
Fabrice, All,
On 2020-03-29 19:12 +0200, Fabrice Fontaine spake thusly:
> Le dim. 29 mars 2020 ? 18:49, Yann E. MORIN <yann.morin.1998@free.fr> a ?crit :
[--SNIP--]
> > Any reason why you sent one patch for each CVE, rather than a single
> > patch?
> No special reason, I thought that it'll be easier to review one by one
> instead of a single patch.
Yes, that's good.
Stil, when all a commit does is backport upstream fixes, I'm OK with a
single big commit (as long as backported patches have proper upstream
URLs, and are really left otherwise totally untouched, code-wise).
So, either way. Thanks! :-)
Regards,
Yann E. MORIN.
> > Regards,
> > Yann E. MORIN.
> >
> > > ---
> > > ...authentication-agent-isn-t-available.patch | 46 +++++++++++++++++++
> > > package/gvfs/gvfs.mk | 3 ++
> > > 2 files changed, 49 insertions(+)
> > > create mode 100644 package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> > >
> > > diff --git a/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> > > new file mode 100644
> > > index 0000000000..2715371534
> > > --- /dev/null
> > > +++ b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> > > @@ -0,0 +1,46 @@
> > > +From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
> > > +From: Ondrej Holy <oholy@redhat.com>
> > > +Date: Wed, 2 Jan 2019 17:13:27 +0100
> > > +Subject: [PATCH] admin: Prevent access if any authentication agent isn't
> > > + available
> > > +
> > > +The backend currently allows to access and modify files without prompting
> > > +for password if any polkit authentication agent isn't available. This seems
> > > +isn't usually problem, because polkit agents are integral parts of
> > > +graphical environments / linux distributions. The agents can't be simply
> > > +disabled without root permissions and are automatically respawned. However,
> > > +this might be a problem in some non-standard cases.
> > > +
> > > +This affects only users which belong to wheel group (i.e. those who are
> > > +already allowed to use sudo). It doesn't allow privilege escalation for
> > > +users, who don't belong to that group.
> > > +
> > > +Let's return permission denied error also when the subject can't be
> > > +authorized by any polkit agent to prevent this behavior.
> > > +
> > > +Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
> > > +
> > > +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > > +[Retrieved from:
> > > +https://gitlab.gnome.org/GNOME/gvfs/commit/d8d0c8c40049cfd824b2b90d0cd47914052b9811]
> > > +---
> > > + daemon/gvfsbackendadmin.c | 3 +--
> > > + 1 file changed, 1 insertion(+), 2 deletions(-)
> > > +
> > > +diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
> > > +index ec0f2392..0f849008 100644
> > > +--- a/daemon/gvfsbackendadmin.c
> > > ++++ b/daemon/gvfsbackendadmin.c
> > > +@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
> > > + return FALSE;
> > > + }
> > > +
> > > +- is_authorized = polkit_authorization_result_get_is_authorized (result) ||
> > > +- polkit_authorization_result_get_is_challenge (result);
> > > ++ is_authorized = polkit_authorization_result_get_is_authorized (result);
> > > +
> > > + g_object_unref (result);
> > > +
> > > +--
> > > +2.24.1
> > > +
> > > diff --git a/package/gvfs/gvfs.mk b/package/gvfs/gvfs.mk
> > > index c380a710fb..6c927fa345 100644
> > > --- a/package/gvfs/gvfs.mk
> > > +++ b/package/gvfs/gvfs.mk
> > > @@ -15,6 +15,9 @@ GVFS_LICENSE = LGPL-2.0+
> > > GVFS_LICENSE_FILES = COPYING
> > > GVFS_LIBS = $(TARGET_NLS_LIBS)
> > >
> > > +# 0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> > > +GVFS_IGNORE_CVES += CVE-2019-3827
> > > +
> > > # Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent
> > > # build system from searching the host paths.
> > > GVFS_CONF_ENV = \
> > > --
> > > 2.25.1
> > >
> > > _______________________________________________
> > > buildroot mailing list
> > > buildroot at busybox.net
> > > http://lists.busybox.net/mailman/listinfo/buildroot
> >
> > --
> > .-----------------.--------------------.------------------.--------------------.
> > | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> > | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
> > | +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
> > | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
> > '------------------------------^-------^------------------^--------------------'
> Best Regards,
>
> Fabrice
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
next prev parent reply other threads:[~2020-03-29 17:28 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-29 16:02 [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Fabrice Fontaine
2020-03-29 16:02 ` [Buildroot] [PATCH 2/5] package/gvfs: fix CVE-2019-12448 Fabrice Fontaine
2020-03-29 16:02 ` [Buildroot] [PATCH 3/5] package/gvfs: fix CVE-2019-12447 Fabrice Fontaine
2020-03-29 16:02 ` [Buildroot] [PATCH 4/5] package/gvfs: fix CVE-2019-12449 Fabrice Fontaine
2020-03-29 16:02 ` [Buildroot] [PATCH 5/5] package/gvfs: fix CVE-2019-12795 Fabrice Fontaine
2020-03-29 16:49 ` [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Yann E. MORIN
2020-03-29 17:12 ` Fabrice Fontaine
2020-03-29 17:28 ` Yann E. MORIN [this message]
2020-04-07 19:07 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200329172818.GL22325@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox