Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827
@ 2020-03-29 16:02 Fabrice Fontaine
  2020-03-29 16:02 ` [Buildroot] [PATCH 2/5] package/gvfs: fix CVE-2019-12448 Fabrice Fontaine
                   ` (5 more replies)
  0 siblings, 6 replies; 9+ messages in thread
From: Fabrice Fontaine @ 2020-03-29 16:02 UTC (permalink / raw)
  To: buildroot

An incorrect permission check in the admin backend in gvfs before
version 1.39.4 was found that allows reading and modifying arbitrary files
by privileged users without asking for password when no authentication
agent is running. This vulnerability can be exploited by malicious
programs running under privileges of users belonging to the wheel group
to further escalate its privileges by modifying system files without
user's knowledge. Successful exploitation requires uncommon system
configuration.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...authentication-agent-isn-t-available.patch | 46 +++++++++++++++++++
 package/gvfs/gvfs.mk                          |  3 ++
 2 files changed, 49 insertions(+)
 create mode 100644 package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch

diff --git a/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
new file mode 100644
index 0000000000..2715371534
--- /dev/null
+++ b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
@@ -0,0 +1,46 @@
+From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Wed, 2 Jan 2019 17:13:27 +0100
+Subject: [PATCH] admin: Prevent access if any authentication agent isn't
+ available
+
+The backend currently allows to access and modify files without prompting
+for password if any polkit authentication agent isn't available. This seems
+isn't usually problem, because polkit agents are integral parts of
+graphical environments / linux distributions. The agents can't be simply
+disabled without root permissions and are automatically respawned. However,
+this might be a problem in some non-standard cases.
+
+This affects only users which belong to wheel group (i.e. those who are
+already allowed to use sudo). It doesn't allow privilege escalation for
+users, who don't belong to that group.
+
+Let's return permission denied error also when the subject can't be
+authorized by any polkit agent to prevent this behavior.
+
+Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Retrieved from:
+https://gitlab.gnome.org/GNOME/gvfs/commit/d8d0c8c40049cfd824b2b90d0cd47914052b9811]
+---
+ daemon/gvfsbackendadmin.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index ec0f2392..0f849008 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
+       return FALSE;
+     }
+ 
+-  is_authorized = polkit_authorization_result_get_is_authorized (result) ||
+-    polkit_authorization_result_get_is_challenge (result);
++  is_authorized = polkit_authorization_result_get_is_authorized (result);
+ 
+   g_object_unref (result);
+ 
+-- 
+2.24.1
+
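Review bot: in check_permission, with the `polkit_authorization_result_get_is_challenge (result)` term removed, every challenge result becomes a denial, so the fix depends on the polkit check above this context being made with user interaction allowed; without that, a session that does have an agent would also get a challenge back and be refused. That call lies outside the context lines shown here, so the patch description should say which flags it passes. The fail-closed direction is the right one for this backend: a missing agent must not count as consent.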
diff --git a/package/gvfs/gvfs.mk b/package/gvfs/gvfs.mk
index c380a710fb..6c927fa345 100644
--- a/package/gvfs/gvfs.mk
+++ b/package/gvfs/gvfs.mk
@@ -15,6 +15,9 @@ GVFS_LICENSE = LGPL-2.0+
 GVFS_LICENSE_FILES = COPYING
 GVFS_LIBS = $(TARGET_NLS_LIBS)
 
+# 0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
+GVFS_IGNORE_CVES += CVE-2019-3827
+
 # Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent
 # build system from searching the host paths.
 GVFS_CONF_ENV = \
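Review bot: the comment above `GVFS_IGNORE_CVES += CVE-2019-3827` names the patch file but not the upstream release that contains the fix. The commit message gives it (gvfs before 1.39.4), and repeating it in the comment would tell whoever bumps the package version when the patch and this entry can both be dropped.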
-- 
2.25.1


* [Buildroot] [PATCH 2/5] package/gvfs: fix CVE-2019-12448
  2020-03-29 16:02 [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Fabrice Fontaine
@ 2020-03-29 16:02 ` Fabrice Fontaine
  2020-03-29 16:02 ` [Buildroot] [PATCH 3/5] package/gvfs: fix CVE-2019-12447 Fabrice Fontaine
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Fabrice Fontaine @ 2020-03-29 16:02 UTC (permalink / raw)
  To: buildroot

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
daemon/gvfsbackendadmin.c has race conditions because the admin backend
doesn't implement query_info_on_read/write.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...ery_info_on_read-write-functionality.patch | 131 ++++++++++++++++++
 package/gvfs/gvfs.mk                          |   3 +
 2 files changed, 134 insertions(+)
 create mode 100644 package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch

diff --git a/package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch b/package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch
new file mode 100644
index 0000000000..79a11035de
--- /dev/null
+++ b/package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch
@@ -0,0 +1,131 @@
+From 5cd76d627f4d1982b6e77a0e271ef9301732d09e Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:24:36 +0200
+Subject: [PATCH] admin: Add query_info_on_read/write functionality
+
+Admin backend doesn't implement query_info_on_read/write which might
+potentially lead to some race conditions which aren't really wanted
+especially in case of admin backend. Let's add this missing functionality.
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Retrieved fom:
+https://gitlab.gnome.org/GNOME/gvfs/commit/5cd76d627f4d1982b6e77a0e271ef9301732d09e]
+---
+ daemon/gvfsbackendadmin.c | 79 +++++++++++++++++++++++++++++++++------
+ 1 file changed, 67 insertions(+), 12 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index 65a979e7..23d16f16 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -42,6 +42,8 @@
+ #include "gvfsjobopenforwrite.h"
+ #include "gvfsjobqueryattributes.h"
+ #include "gvfsjobqueryinfo.h"
++#include "gvfsjobqueryinforead.h"
++#include "gvfsjobqueryinfowrite.h"
+ #include "gvfsjobread.h"
+ #include "gvfsjobseekread.h"
+ #include "gvfsjobseekwrite.h"
+@@ -155,6 +157,19 @@ complete_job (GVfsJob *job,
+   g_vfs_job_succeeded (job);
+ }
+ 
++static void
++fix_file_info (GFileInfo *info)
++{
++  /* Override read/write flags, since the above call will use access()
++   * to determine permissions, which does not honor our privileged
++   * capabilities.
++   */
++  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
++  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
++  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
++  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
++}
++
+ static void
+ do_query_info (GVfsBackend *backend,
+                GVfsJobQueryInfo *query_info_job,
+@@ -180,19 +195,57 @@ do_query_info (GVfsBackend *backend,
+   if (error != NULL)
+     goto out;
+ 
+-  /* Override read/write flags, since the above call will use access()
+-   * to determine permissions, which does not honor our privileged
+-   * capabilities.
+-   */
+-  g_file_info_set_attribute_boolean (real_info,
+-                                     G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
+-  g_file_info_set_attribute_boolean (real_info,
+-                                     G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
+-  g_file_info_set_attribute_boolean (real_info,
+-                                     G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
+-  g_file_info_set_attribute_boolean (real_info,
+-                                     G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
++  fix_file_info (real_info);
++  g_file_info_copy_into (real_info, info);
++  g_object_unref (real_info);
++
++ out:
++  complete_job (job, error);
++}
++
++static void
++do_query_info_on_read (GVfsBackend *backend,
++                       GVfsJobQueryInfoRead *query_info_job,
++                       GVfsBackendHandle handle,
++                       GFileInfo *info,
++                       GFileAttributeMatcher *matcher)
++{
++  GVfsJob *job = G_VFS_JOB (query_info_job);
++  GFileInputStream *stream = handle;
++  GError *error = NULL;
++  GFileInfo *real_info;
++
++  real_info = g_file_input_stream_query_info (stream, query_info_job->attributes,
++                                              job->cancellable, &error);
++  if (error != NULL)
++    goto out;
++
++  fix_file_info (real_info);
++  g_file_info_copy_into (real_info, info);
++  g_object_unref (real_info);
++
++ out:
++  complete_job (job, error);
++}
++
++static void
++do_query_info_on_write (GVfsBackend *backend,
++                        GVfsJobQueryInfoWrite *query_info_job,
++                        GVfsBackendHandle handle,
++                        GFileInfo *info,
++                        GFileAttributeMatcher *matcher)
++{
++  GVfsJob *job = G_VFS_JOB (query_info_job);
++  GFileOutputStream *stream = handle;
++  GError *error = NULL;
++  GFileInfo *real_info;
++
++  real_info = g_file_output_stream_query_info (stream, query_info_job->attributes,
++                                               job->cancellable, &error);
++  if (error != NULL)
++    goto out;
+ 
++  fix_file_info (real_info);
+   g_file_info_copy_into (real_info, info);
+   g_object_unref (real_info);
+ 
+@@ -868,6 +921,8 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass)
+   backend_class->mount = do_mount;
+   backend_class->open_for_read = do_open_for_read;
+   backend_class->query_info = do_query_info;
++  backend_class->query_info_on_read = do_query_info_on_read;
++  backend_class->query_info_on_write = do_query_info_on_write;
+   backend_class->read = do_read;
+   backend_class->create = do_create;
+   backend_class->append_to = do_append_to;
+-- 
+2.24.1
+
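Review bot: do_query_info_on_read and do_query_info_on_write treat `handle` as a stream and query it without calling check_permission. That is sound only if a handle can come solely from an open that already passed the polkit check, and a one-line comment in each function saying so would keep a later change from breaking that assumption. Two smaller points: the `matcher` argument is unused in both functions, and the patch header reads `[Retrieved fom:`, which should be `[Retrieved from:`.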
diff --git a/package/gvfs/gvfs.mk b/package/gvfs/gvfs.mk
index 6c927fa345..eb31f6f8df 100644
--- a/package/gvfs/gvfs.mk
+++ b/package/gvfs/gvfs.mk
@@ -18,6 +18,9 @@ GVFS_LIBS = $(TARGET_NLS_LIBS)
 # 0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
 GVFS_IGNORE_CVES += CVE-2019-3827
 
+# package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch
+GVFS_IGNORE_CVES += CVE-2019-12448
+
 # Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent
 # build system from searching the host paths.
 GVFS_CONF_ENV = \
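Review bot: the comment added above `GVFS_IGNORE_CVES += CVE-2019-12448` gives the patch as `package/gvfs/0002-...`, while the existing entry for CVE-2019-3827 in the context lines uses the bare file name. Use one form for all entries; the bare name is the shorter of the two.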
-- 
2.25.1


* [Buildroot] [PATCH 3/5] package/gvfs: fix CVE-2019-12447
  2020-03-29 16:02 [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Fabrice Fontaine
  2020-03-29 16:02 ` [Buildroot] [PATCH 2/5] package/gvfs: fix CVE-2019-12448 Fabrice Fontaine
@ 2020-03-29 16:02 ` Fabrice Fontaine
  2020-03-29 16:02 ` [Buildroot] [PATCH 4/5] package/gvfs: fix CVE-2019-12449 Fabrice Fontaine
                   ` (3 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Fabrice Fontaine @ 2020-03-29 16:02 UTC (permalink / raw)
  To: buildroot

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is
not used.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...0003-admin-Allow-changing-file-owner.patch | 34 +++++++
 ...uid-to-ensure-correct-file-ownership.patch | 91 +++++++++++++++++++
 package/gvfs/gvfs.mk                          |  4 +
 3 files changed, 129 insertions(+)
 create mode 100644 package/gvfs/0003-admin-Allow-changing-file-owner.patch
 create mode 100644 package/gvfs/0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch

diff --git a/package/gvfs/0003-admin-Allow-changing-file-owner.patch b/package/gvfs/0003-admin-Allow-changing-file-owner.patch
new file mode 100644
index 0000000000..6465693283
--- /dev/null
+++ b/package/gvfs/0003-admin-Allow-changing-file-owner.patch
@@ -0,0 +1,34 @@
+From daf1163aba229afcfddf0f925aef7e97047e8959 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:29:08 +0200
+Subject: [PATCH] admin: Allow changing file owner
+
+CAP_CHOWN is dropped together with other privilages and thus the backend
+can't change file owner. This might be probably e.g. in case of copy
+operation when G_FILE_COPY_ALL_METADATA is used. Let's keep CAP_CHOWN
+to fix this.
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Retrieved from:
+https://gitlab.gnome.org/GNOME/gvfs/commit/daf1163aba229afcfddf0f925aef7e97047e8959]
+---
+ daemon/gvfsbackendadmin.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index 23d16f16..a74d09cf 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -968,7 +968,8 @@ g_vfs_backend_admin_init (GVfsBackendAdmin *self)
+ 
+ #define REQUIRED_CAPS (CAP_TO_MASK(CAP_FOWNER) | \
+                        CAP_TO_MASK(CAP_DAC_OVERRIDE) | \
+-                       CAP_TO_MASK(CAP_DAC_READ_SEARCH))
++                       CAP_TO_MASK(CAP_DAC_READ_SEARCH) | \
++                       CAP_TO_MASK(CAP_CHOWN))
+ 
+ static void
+ acquire_caps (uid_t uid)
+-- 
+2.24.1
+
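Review bot: adding `CAP_TO_MASK(CAP_CHOWN)` to REQUIRED_CAPS widens the set of capabilities the admin backend keeps, and the patch message gives only a tentative reason for it ("This might be probably e.g. in case of copy operation"). A comment beside REQUIRED_CAPS stating which operation needs each capability would make the set auditable. The message also does not mention CVE-2019-12447, under which gvfs.mk lists this patch, so a line in the header explaining why it is needed for that fix would help. Minor: "privilages" should be "privileges".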
diff --git a/package/gvfs/0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch b/package/gvfs/0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch
new file mode 100644
index 0000000000..a4343ee897
--- /dev/null
+++ b/package/gvfs/0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch
@@ -0,0 +1,91 @@
+From 3895e09d784ebec0fbc4614d5c37068736120e1d Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:33:30 +0200
+Subject: [PATCH] admin: Use fsuid to ensure correct file ownership
+
+Files created over admin backend should be owned by root, but they are
+owned by the user itself. This is because the daemon drops the uid to
+make dbus connection work. Use fsuid and euid to fix this issue.
+
+Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/21
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Retrieved from:
+https://gitlab.gnome.org/GNOME/gvfs/commit/3895e09d784ebec0fbc4614d5c37068736120e1d]
+---
+ daemon/gvfsbackendadmin.c | 29 +++++++----------------------
+ 1 file changed, 7 insertions(+), 22 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index a74d09cf..32b51b1a 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -157,19 +157,6 @@ complete_job (GVfsJob *job,
+   g_vfs_job_succeeded (job);
+ }
+ 
+-static void
+-fix_file_info (GFileInfo *info)
+-{
+-  /* Override read/write flags, since the above call will use access()
+-   * to determine permissions, which does not honor our privileged
+-   * capabilities.
+-   */
+-  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
+-  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
+-  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
+-  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
+-}
+-
+ static void
+ do_query_info (GVfsBackend *backend,
+                GVfsJobQueryInfo *query_info_job,
+@@ -195,7 +182,6 @@ do_query_info (GVfsBackend *backend,
+   if (error != NULL)
+     goto out;
+ 
+-  fix_file_info (real_info);
+   g_file_info_copy_into (real_info, info);
+   g_object_unref (real_info);
+ 
+@@ -220,7 +206,6 @@ do_query_info_on_read (GVfsBackend *backend,
+   if (error != NULL)
+     goto out;
+ 
+-  fix_file_info (real_info);
+   g_file_info_copy_into (real_info, info);
+   g_object_unref (real_info);
+ 
+@@ -245,7 +230,6 @@ do_query_info_on_write (GVfsBackend *backend,
+   if (error != NULL)
+     goto out;
+ 
+-  fix_file_info (real_info);
+   g_file_info_copy_into (real_info, info);
+   g_object_unref (real_info);
+ 
+@@ -977,14 +961,15 @@ acquire_caps (uid_t uid)
+   struct __user_cap_header_struct hdr;
+   struct __user_cap_data_struct data;
+ 
+-  /* Tell kernel not clear capabilities when dropping root */
+-  if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
+-    g_error ("prctl(PR_SET_KEEPCAPS) failed");
+-
+-  /* Drop root uid, but retain the required permitted caps */
+-  if (setuid (uid) < 0)
++  /* Set euid to user to make dbus work */
++  if (seteuid (uid) < 0)
+     g_error ("unable to drop privs");
+ 
++  /* Set fsuid to still behave like root when working with files */
++  setfsuid (0);
++  if (setfsuid (-1) != 0)
++   g_error ("setfsuid failed");
++
+   memset (&hdr, 0, sizeof(hdr));
+   hdr.version = _LINUX_CAPABILITY_VERSION;
+ 
+-- 
+2.24.1
+
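Review bot: in acquire_caps, replacing `setuid (uid)` with `seteuid (uid)` changes only the effective uid, so the real and saved uids stay as they were and the process can switch its effective uid back, yet the error text still reads "unable to drop privs" and a reader will assume a permanent drop. A comment stating that the reversible drop is intentional, and why PR_SET_KEEPCAPS is no longer needed, belongs here. The removal of fix_file_info from the three query functions is not mentioned in the patch message and deserves a sentence there. Style: the `g_error ("setfsuid failed");` line is indented by three spaces where the surrounding code uses four.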
diff --git a/package/gvfs/gvfs.mk b/package/gvfs/gvfs.mk
index eb31f6f8df..ec75852438 100644
--- a/package/gvfs/gvfs.mk
+++ b/package/gvfs/gvfs.mk
@@ -21,6 +21,10 @@ GVFS_IGNORE_CVES += CVE-2019-3827
 # package/gvfs/0002-admin-Add-query_info_on_read-write-functionality.patch
 GVFS_IGNORE_CVES += CVE-2019-12448
 
+# 0003-admin-Allow-changing-file-owner.patch
+# 0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch
+GVFS_IGNORE_CVES += CVE-2019-12447
+
 # Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent
 # build system from searching the host paths.
 GVFS_CONF_ENV = \
-- 
2.25.1


* [Buildroot] [PATCH 4/5] package/gvfs: fix CVE-2019-12449
  2020-03-29 16:02 [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Fabrice Fontaine
  2020-03-29 16:02 ` [Buildroot] [PATCH 2/5] package/gvfs: fix CVE-2019-12448 Fabrice Fontaine
  2020-03-29 16:02 ` [Buildroot] [PATCH 3/5] package/gvfs: fix CVE-2019-12447 Fabrice Fontaine
@ 2020-03-29 16:02 ` Fabrice Fontaine
  2020-03-29 16:02 ` [Buildroot] [PATCH 5/5] package/gvfs: fix CVE-2019-12795 Fabrice Fontaine
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 9+ messages in thread
From: Fabrice Fontaine @ 2020-03-29 16:02 UTC (permalink / raw)
  To: buildroot

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
daemon/gvfsbackendadmin.c mishandles a file's user and group ownership
during move (and copy with G_FILE_COPY_ALL_METADATA) operations from
admin:// to file:// URIs, because root privileges are unavailable.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...ct-ownership-when-moving-to-file-uri.patch | 84 +++++++++++++++++++
 package/gvfs/gvfs.mk                          |  3 +
 2 files changed, 87 insertions(+)
 create mode 100644 package/gvfs/0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch

diff --git a/package/gvfs/0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch b/package/gvfs/0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
new file mode 100644
index 0000000000..3b60120751
--- /dev/null
+++ b/package/gvfs/0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
@@ -0,0 +1,84 @@
+From d5dfd823c94045488aef8727c553f1e0f7666b90 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Fri, 24 May 2019 09:43:43 +0200
+Subject: [PATCH] admin: Ensure correct ownership when moving to file:// uri
+
+User and group is not restored properly when moving (or copying with
+G_FILE_COPY_ALL_METADATA) from admin:// to file://, because it is handled
+by GIO fallback code, which doesn't run with root permissions. Let's
+handle this case with pull method to ensure correct ownership.
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Retrieved from:
+https://gitlab.gnome.org/GNOME/gvfs/commit/d5dfd823c94045488aef8727c553f1e0f7666b90]
+---
+ daemon/gvfsbackendadmin.c | 46 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index 32b51b1a..9a7e8295 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -807,6 +807,51 @@ do_move (GVfsBackend *backend,
+   complete_job (job, error);
+ }
+ 
++static void
++do_pull (GVfsBackend *backend,
++         GVfsJobPull *pull_job,
++         const char *source,
++         const char *local_path,
++         GFileCopyFlags flags,
++         gboolean remove_source,
++         GFileProgressCallback progress_callback,
++         gpointer progress_callback_data)
++{
++  GVfsBackendAdmin *self = G_VFS_BACKEND_ADMIN (backend);
++  GVfsJob *job = G_VFS_JOB (pull_job);
++  GError *error = NULL;
++  GFile *src_file, *dst_file;
++
++  /* Pull method is necessary when user/group needs to be restored, return
++   * G_IO_ERROR_NOT_SUPPORTED in other cases to proceed with the fallback code.
++   */
++  if (!(flags & G_FILE_COPY_ALL_METADATA))
++    {
++      g_vfs_job_failed_literal (G_VFS_JOB (job), G_IO_ERROR,
++                                G_IO_ERROR_NOT_SUPPORTED,
++                                _("Operation not supported"));
++      return;
++    }
++
++  if (!check_permission (self, job))
++    return;
++
++  src_file = g_file_new_for_path (source);
++  dst_file = g_file_new_for_path (local_path);
++
++  if (remove_source)
++    g_file_move (src_file, dst_file, flags, job->cancellable,
++                 progress_callback, progress_callback_data, &error);
++  else
++    g_file_copy (src_file, dst_file, flags, job->cancellable,
++                 progress_callback, progress_callback_data, &error);
++
++  g_object_unref (src_file);
++  g_object_unref (dst_file);
++
++  complete_job (job, error);
++}
++
+ static void
+ do_query_settable_attributes (GVfsBackend *backend,
+                               GVfsJobQueryAttributes *query_job,
+@@ -927,6 +972,7 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass)
+   backend_class->set_attribute = do_set_attribute;
+   backend_class->delete = do_delete;
+   backend_class->move = do_move;
++  backend_class->pull = do_pull;
+   backend_class->query_settable_attributes = do_query_settable_attributes;
+   backend_class->query_writable_namespaces = do_query_writable_namespaces;
+ }
+-- 
+2.24.1
+
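Review bot: in do_pull, once past the G_IO_ERROR_NOT_SUPPORTED early return, the daemon itself creates `dst_file` from `local_path`, so the file:// side of the transfer is written by the backend rather than by the caller. check_permission is called before that happens, which is the right order, but a comment saying that this single check authorizes both ends of the copy or move would make the intent explicit. Style: `job` is already a `GVfsJob *`, so `G_VFS_JOB (job)` in the g_vfs_job_failed_literal call is a redundant cast.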
diff --git a/package/gvfs/gvfs.mk b/package/gvfs/gvfs.mk
index ec75852438..a3308b713d 100644
--- a/package/gvfs/gvfs.mk
+++ b/package/gvfs/gvfs.mk
@@ -25,6 +25,9 @@ GVFS_IGNORE_CVES += CVE-2019-12448
 # 0004-admin-Use-fsuid-to-ensure-correct-file-ownership.patch
 GVFS_IGNORE_CVES += CVE-2019-12447
 
+# 0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
+GVFS_IGNORE_CVES += CVE-2019-12449
+
 # Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent
 # build system from searching the host paths.
 GVFS_CONF_ENV = \
-- 
2.25.1


* [Buildroot] [PATCH 5/5] package/gvfs: fix CVE-2019-12795
  2020-03-29 16:02 [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Fabrice Fontaine
                   ` (2 preceding siblings ...)
  2020-03-29 16:02 ` [Buildroot] [PATCH 4/5] package/gvfs: fix CVE-2019-12449 Fabrice Fontaine
@ 2020-03-29 16:02 ` Fabrice Fontaine
  2020-03-29 16:49 ` [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Yann E. MORIN
  2020-04-07 19:07 ` Peter Korsgaard
  5 siblings, 0 replies; 9+ messages in thread
From: Fabrice Fontaine @ 2020-03-29 16:02 UTC (permalink / raw)
  To: buildroot

daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x
before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server
socket without configuring an authorization rule. A local attacker could
connect to this server socket and issue D-Bus method calls. (Note that
the server socket only accepts a single connection, so the attacker
would have to discover the server and connect to the socket before its
owner does.)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...e-connecting-client-is-the-same-user.patch | 96 +++++++++++++++++++
 package/gvfs/gvfs.mk                          |  3 +
 2 files changed, 99 insertions(+)
 create mode 100644 package/gvfs/0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch

diff --git a/package/gvfs/0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch b/package/gvfs/0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch
new file mode 100644
index 0000000000..4be7a81130
--- /dev/null
+++ b/package/gvfs/0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch
@@ -0,0 +1,96 @@
+From 70dbfc68a79faac49bd3423e079cb6902522082a Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 5 Jun 2019 13:33:38 +0100
+Subject: [PATCH] gvfsdaemon: Check that the connecting client is the same user
+
+Otherwise, an attacker who learns the abstract socket address from
+netstat(8) or similar could connect to it and issue D-Bus method
+calls.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Retrieved from:
+https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a]
+---
+ daemon/gvfsdaemon.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index 406d4f8e..be148a7b 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -79,6 +79,7 @@ struct _GVfsDaemon
+   
+   gint mount_counter;
+   
++  GDBusAuthObserver *auth_observer;
+   GDBusConnection *conn;
+   GVfsDBusDaemon *daemon_skeleton;
+   GVfsDBusMountable *mountable_skeleton;
+@@ -171,6 +172,8 @@ g_vfs_daemon_finalize (GObject *object)
+     }
+   if (daemon->conn != NULL)
+     g_object_unref (daemon->conn);
++  if (daemon->auth_observer != NULL)
++    g_object_unref (daemon->auth_observer);
+   
+   g_hash_table_destroy (daemon->registered_paths);
+   g_hash_table_destroy (daemon->client_connections);
+@@ -236,6 +239,35 @@ name_vanished_handler (GDBusConnection *connection,
+   daemon->lost_main_daemon = TRUE;
+ }
+ 
++/*
++ * Authentication observer signal handler that authorizes connections
++ * from the same uid as this process. This matches the behaviour of a
++ * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction
++ * has been set, but is not the default in GDBus.
++ */
++static gboolean
++authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++                                 G_GNUC_UNUSED GIOStream *stream,
++                                 GCredentials *credentials,
++                                 G_GNUC_UNUSED gpointer user_data)
++{
++  gboolean authorized = FALSE;
++
++  if (credentials != NULL)
++    {
++      GCredentials *own_credentials;
++
++      own_credentials = g_credentials_new ();
++
++      if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++        authorized = TRUE;
++
++      g_object_unref (own_credentials);
++    }
++
++  return authorized;
++}
++
+ static void
+ g_vfs_daemon_init (GVfsDaemon *daemon)
+ {
+@@ -265,6 +297,8 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+ 
+   daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+   g_assert (daemon->conn != NULL);
++  daemon->auth_observer = g_dbus_auth_observer_new ();
++  g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+ 
+   daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
+   g_signal_connect (daemon->daemon_skeleton, "handle-get-connection", G_CALLBACK (handle_get_connection), daemon);
+@@ -876,7 +910,7 @@ handle_get_connection (GVfsDBusDaemon *object,
+   server = g_dbus_server_new_sync (address1,
+                                    G_DBUS_SERVER_FLAGS_NONE,
+                                    guid,
+-                                   NULL, /* GDBusAuthObserver */
++                                   daemon->auth_observer,
+                                    NULL, /* GCancellable */
+                                    &error);
+   g_free (guid);
+-- 
+2.24.1
+
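Review bot: authorize_authenticated_peer_cb passes NULL as the error argument of g_credentials_is_same_user, so a comparison that fails with an error and a genuine uid mismatch both end as a silent `authorized = FALSE`. Denying in both cases is correct, as is denying when `credentials` is NULL, but a debug or warning message on rejection would make a refused peer diagnosable. Pass a GError and log its message before returning.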
diff --git a/package/gvfs/gvfs.mk b/package/gvfs/gvfs.mk
index a3308b713d..b3b18a3482 100644
--- a/package/gvfs/gvfs.mk
+++ b/package/gvfs/gvfs.mk
@@ -28,6 +28,9 @@ GVFS_IGNORE_CVES += CVE-2019-12447
 # 0005-admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
 GVFS_IGNORE_CVES += CVE-2019-12449
 
+# 0006-gvfsdaemon-Check-that-the-connecting-client-is-the-same-user.patch
+GVFS_IGNORE_CVES += CVE-2019-12795
+
 # Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent
 # build system from searching the host paths.
 GVFS_CONF_ENV = \
-- 
2.25.1


* [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827
  2020-03-29 16:02 [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Fabrice Fontaine
                   ` (3 preceding siblings ...)
  2020-03-29 16:02 ` [Buildroot] [PATCH 5/5] package/gvfs: fix CVE-2019-12795 Fabrice Fontaine
@ 2020-03-29 16:49 ` Yann E. MORIN
  2020-03-29 17:12   ` Fabrice Fontaine
  2020-04-07 19:07 ` Peter Korsgaard
  5 siblings, 1 reply; 9+ messages in thread
From: Yann E. MORIN @ 2020-03-29 16:49 UTC (permalink / raw)
  To: buildroot

Fabrice, All,

On 2020-03-29 18:02 +0200, Fabrice Fontaine spake thusly:
> An incorrect permission check in the admin backend in gvfs before
> version 1.39.4 was found that allows reading and modifying arbitrary files
> by privileged users without asking for password when no authentication
> agent is running. This vulnerability can be exploited by malicious
> programs running under privileges of users belonging to the wheel group
> to further escalate its privileges by modifying system files without
> user's knowledge. Successful exploitation requires uncommon system
> configuration.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Patch series applied to master, thanks.

Any reason why you sent one patch for each CVE, rather than a single
patch?

Regards,
Yann E. MORIN.

> ---
>  ...authentication-agent-isn-t-available.patch | 46 +++++++++++++++++++
>  package/gvfs/gvfs.mk                          |  3 ++
>  2 files changed, 49 insertions(+)
>  create mode 100644 package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> 
> diff --git a/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> new file mode 100644
> index 0000000000..2715371534
> --- /dev/null
> +++ b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> @@ -0,0 +1,46 @@
> +From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
> +From: Ondrej Holy <oholy@redhat.com>
> +Date: Wed, 2 Jan 2019 17:13:27 +0100
> +Subject: [PATCH] admin: Prevent access if any authentication agent isn't
> + available
> +
> +The backend currently allows to access and modify files without prompting
> +for password if any polkit authentication agent isn't available. This seems
> +isn't usually problem, because polkit agents are integral parts of
> +graphical environments / linux distributions. The agents can't be simply
> +disabled without root permissions and are automatically respawned. However,
> +this might be a problem in some non-standard cases.
> +
> +This affects only users which belong to wheel group (i.e. those who are
> +already allowed to use sudo). It doesn't allow privilege escalation for
> +users, who don't belong to that group.
> +
> +Let's return permission denied error also when the subject can't be
> +authorized by any polkit agent to prevent this behavior.
> +
> +Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
> +
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +[Retrieved from:
> +https://gitlab.gnome.org/GNOME/gvfs/commit/d8d0c8c40049cfd824b2b90d0cd47914052b9811]
> +---
> + daemon/gvfsbackendadmin.c | 3 +--
> + 1 file changed, 1 insertion(+), 2 deletions(-)
> +
> +diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
> +index ec0f2392..0f849008 100644
> +--- a/daemon/gvfsbackendadmin.c
> ++++ b/daemon/gvfsbackendadmin.c
> +@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
> +       return FALSE;
> +     }
> + 
> +-  is_authorized = polkit_authorization_result_get_is_authorized (result) ||
> +-    polkit_authorization_result_get_is_challenge (result);
> ++  is_authorized = polkit_authorization_result_get_is_authorized (result);
> + 
> +   g_object_unref (result);
> + 
> +-- 
> +2.24.1
> +
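Review bot: the check_permission hunk ends its context at g_object_unref (result), so the patch does not show what the function does once is_authorized is FALSE for a challenge result. The upstream message promises a permission denied error in that case, and the removed "|| polkit_authorization_result_get_is_challenge (result)" was the only thing keeping a challenge result off the failure path, so it is worth confirming against the full daemon/gvfsbackendadmin.c that this path really sets that error. A one-line statement of that check in the Buildroot commit log would be enough; the backported code itself should stay exactly as upstream has it.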
> diff --git a/package/gvfs/gvfs.mk b/package/gvfs/gvfs.mk
> index c380a710fb..6c927fa345 100644
> --- a/package/gvfs/gvfs.mk
> +++ b/package/gvfs/gvfs.mk
> @@ -15,6 +15,9 @@ GVFS_LICENSE = LGPL-2.0+
>  GVFS_LICENSE_FILES = COPYING
>  GVFS_LIBS = $(TARGET_NLS_LIBS)
>  
> +# 0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> +GVFS_IGNORE_CVES += CVE-2019-3827
> +
>  # Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent
>  # build system from searching the host paths.
>  GVFS_CONF_ENV = \
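Review bot: the comment above "GVFS_IGNORE_CVES += CVE-2019-3827" names only the patch file, so nothing at this spot says when the entry can be dropped. The commit message gives the fixed upstream version (1.39.4); adding that version to the comment would make it clear that the patch and the ignore entry have to be removed together at the next version bump, instead of leaving the CVE suppressed with no patch behind it.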
> -- 
> 2.25.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827
  2020-03-29 16:49 ` [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Yann E. MORIN
@ 2020-03-29 17:12   ` Fabrice Fontaine
  2020-03-29 17:28     ` Yann E. MORIN
  0 siblings, 1 reply; 9+ messages in thread
From: Fabrice Fontaine @ 2020-03-29 17:12 UTC (permalink / raw)
  To: buildroot

Yann,

On Sun, 29 Mar 2020 at 18:49, Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Fabrice, All,
>
> On 2020-03-29 18:02 +0200, Fabrice Fontaine spake thusly:
> > An incorrect permission check in the admin backend in gvfs before
> > version 1.39.4 was found that allows reading and modify arbitrary files
> > by privileged users without asking for password when no authentication
> > agent is running. This vulnerability can be exploited by malicious
> > programs running under privileges of users belonging to the wheel group
> > to further escalate its privileges by modifying system files without
> > user's knowledge. Successful exploitation requires uncommon system
> > configuration.
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>
> Patch series applied to master, thanks.
>
> Any reason why you sent one patch for each CVE, rather than a single
> patch?
No special reason, I thought that it'll be easier to review one by one
instead of a single patch.
>
> Regards,
> Yann E. MORIN.
>
> > ---
> >  ...authentication-agent-isn-t-available.patch | 46 +++++++++++++++++++
> >  package/gvfs/gvfs.mk                          |  3 ++
> >  2 files changed, 49 insertions(+)
> >  create mode 100644 package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> >
> > diff --git a/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> > new file mode 100644
> > index 0000000000..2715371534
> > --- /dev/null
> > +++ b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> > @@ -0,0 +1,46 @@
> > +From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
> > +From: Ondrej Holy <oholy@redhat.com>
> > +Date: Wed, 2 Jan 2019 17:13:27 +0100
> > +Subject: [PATCH] admin: Prevent access if any authentication agent isn't
> > + available
> > +
> > +The backend currently allows to access and modify files without prompting
> > +for password if any polkit authentication agent isn't available. This seems
> > +isn't usually problem, because polkit agents are integral parts of
> > +graphical environments / linux distributions. The agents can't be simply
> > +disabled without root permissions and are automatically respawned. However,
> > +this might be a problem in some non-standard cases.
> > +
> > +This affects only users which belong to wheel group (i.e. those who are
> > +already allowed to use sudo). It doesn't allow privilege escalation for
> > +users, who don't belong to that group.
> > +
> > +Let's return permission denied error also when the subject can't be
> > +authorized by any polkit agent to prevent this behavior.
> > +
> > +Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
> > +
> > +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > +[Retrieved from:
> > +https://gitlab.gnome.org/GNOME/gvfs/commit/d8d0c8c40049cfd824b2b90d0cd47914052b9811]
> > +---
> > + daemon/gvfsbackendadmin.c | 3 +--
> > + 1 file changed, 1 insertion(+), 2 deletions(-)
> > +
> > +diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
> > +index ec0f2392..0f849008 100644
> > +--- a/daemon/gvfsbackendadmin.c
> > ++++ b/daemon/gvfsbackendadmin.c
> > +@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
> > +       return FALSE;
> > +     }
> > +
> > +-  is_authorized = polkit_authorization_result_get_is_authorized (result) ||
> > +-    polkit_authorization_result_get_is_challenge (result);
> > ++  is_authorized = polkit_authorization_result_get_is_authorized (result);
> > +
> > +   g_object_unref (result);
> > +
> > +--
> > +2.24.1
> > +
> > diff --git a/package/gvfs/gvfs.mk b/package/gvfs/gvfs.mk
> > index c380a710fb..6c927fa345 100644
> > --- a/package/gvfs/gvfs.mk
> > +++ b/package/gvfs/gvfs.mk
> > @@ -15,6 +15,9 @@ GVFS_LICENSE = LGPL-2.0+
> >  GVFS_LICENSE_FILES = COPYING
> >  GVFS_LIBS = $(TARGET_NLS_LIBS)
> >
> > +# 0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> > +GVFS_IGNORE_CVES += CVE-2019-3827
> > +
> >  # Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent
> >  # build system from searching the host paths.
> >  GVFS_CONF_ENV = \
> > --
> > 2.25.1
> >
> > _______________________________________________
> > buildroot mailing list
> > buildroot at busybox.net
> > http://lists.busybox.net/mailman/listinfo/buildroot
>
> --
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> '------------------------------^-------^------------------^--------------------'
Best Regards,

Fabrice


* [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827
  2020-03-29 17:12   ` Fabrice Fontaine
@ 2020-03-29 17:28     ` Yann E. MORIN
  0 siblings, 0 replies; 9+ messages in thread
From: Yann E. MORIN @ 2020-03-29 17:28 UTC (permalink / raw)
  To: buildroot

Fabrice, All,

On 2020-03-29 19:12 +0200, Fabrice Fontaine spake thusly:
> On Sun, 29 Mar 2020 at 18:49, Yann E. MORIN <yann.morin.1998@free.fr> wrote:
[--SNIP--]
> > Any reason why you sent one patch for each CVE, rather than a single
> > patch?
> No special reason, I thought that it'll be easier to review one by one
> instead of a single patch.

Yes, that's good.

Still, when all a commit does is backport upstream fixes, I'm OK with a
single big commit (as long as backported patches have proper upstream
URLs, and are really left otherwise totally untouched, code-wise).

So, either way. Thanks! :-)

Regards,
Yann E. MORIN.

> > Regards,
> > Yann E. MORIN.
> >
> > > ---
> > >  ...authentication-agent-isn-t-available.patch | 46 +++++++++++++++++++
> > >  package/gvfs/gvfs.mk                          |  3 ++
> > >  2 files changed, 49 insertions(+)
> > >  create mode 100644 package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> > >
> > > diff --git a/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> > > new file mode 100644
> > > index 0000000000..2715371534
> > > --- /dev/null
> > > +++ b/package/gvfs/0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> > > @@ -0,0 +1,46 @@
> > > +From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
> > > +From: Ondrej Holy <oholy@redhat.com>
> > > +Date: Wed, 2 Jan 2019 17:13:27 +0100
> > > +Subject: [PATCH] admin: Prevent access if any authentication agent isn't
> > > + available
> > > +
> > > +The backend currently allows to access and modify files without prompting
> > > +for password if any polkit authentication agent isn't available. This seems
> > > +isn't usually problem, because polkit agents are integral parts of
> > > +graphical environments / linux distributions. The agents can't be simply
> > > +disabled without root permissions and are automatically respawned. However,
> > > +this might be a problem in some non-standard cases.
> > > +
> > > +This affects only users which belong to wheel group (i.e. those who are
> > > +already allowed to use sudo). It doesn't allow privilege escalation for
> > > +users, who don't belong to that group.
> > > +
> > > +Let's return permission denied error also when the subject can't be
> > > +authorized by any polkit agent to prevent this behavior.
> > > +
> > > +Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
> > > +
> > > +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > > +[Retrieved from:
> > > +https://gitlab.gnome.org/GNOME/gvfs/commit/d8d0c8c40049cfd824b2b90d0cd47914052b9811]
> > > +---
> > > + daemon/gvfsbackendadmin.c | 3 +--
> > > + 1 file changed, 1 insertion(+), 2 deletions(-)
> > > +
> > > +diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
> > > +index ec0f2392..0f849008 100644
> > > +--- a/daemon/gvfsbackendadmin.c
> > > ++++ b/daemon/gvfsbackendadmin.c
> > > +@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
> > > +       return FALSE;
> > > +     }
> > > +
> > > +-  is_authorized = polkit_authorization_result_get_is_authorized (result) ||
> > > +-    polkit_authorization_result_get_is_challenge (result);
> > > ++  is_authorized = polkit_authorization_result_get_is_authorized (result);
> > > +
> > > +   g_object_unref (result);
> > > +
> > > +--
> > > +2.24.1
> > > +
> > > diff --git a/package/gvfs/gvfs.mk b/package/gvfs/gvfs.mk
> > > index c380a710fb..6c927fa345 100644
> > > --- a/package/gvfs/gvfs.mk
> > > +++ b/package/gvfs/gvfs.mk
> > > @@ -15,6 +15,9 @@ GVFS_LICENSE = LGPL-2.0+
> > >  GVFS_LICENSE_FILES = COPYING
> > >  GVFS_LIBS = $(TARGET_NLS_LIBS)
> > >
> > > +# 0001-admin-Prevent-access-if-any-authentication-agent-isn-t-available.patch
> > > +GVFS_IGNORE_CVES += CVE-2019-3827
> > > +
> > >  # Export ac_cv_path_LIBGCRYPT_CONFIG unconditionally to prevent
> > >  # build system from searching the host paths.
> > >  GVFS_CONF_ENV = \
> > > --
> > > 2.25.1
> > >
> > > _______________________________________________
> > > buildroot mailing list
> > > buildroot at busybox.net
> > > http://lists.busybox.net/mailman/listinfo/buildroot
> >
> > --
> > .-----------------.--------------------.------------------.--------------------.
> > |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
> > | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
> > | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
> > | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
> > '------------------------------^-------^------------------^--------------------'
> Best Regards,
> 
> Fabrice

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827
  2020-03-29 16:02 [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Fabrice Fontaine
                   ` (4 preceding siblings ...)
  2020-03-29 16:49 ` [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Yann E. MORIN
@ 2020-04-07 19:07 ` Peter Korsgaard
  5 siblings, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2020-04-07 19:07 UTC (permalink / raw)
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > An incorrect permission check in the admin backend in gvfs before
 > version 1.39.4 was found that allows reading and modify arbitrary files
 > by privileged users without asking for password when no authentication
 > agent is running. This vulnerability can be exploited by malicious
 > programs running under privileges of users belonging to the wheel group
 > to further escalate its privileges by modifying system files without
 > user's knowledge. Successful exploitation requires uncommon system
 > configuration.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed all 5 to 2019.02.x, 2019.11.x and 2020.02.x, thanks.

-- 
Bye, Peter Korsgaard


Thread overview: 9+ messages
2020-03-29 16:02 [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Fabrice Fontaine
2020-03-29 16:02 ` [Buildroot] [PATCH 2/5] package/gvfs: fix CVE-2019-12448 Fabrice Fontaine
2020-03-29 16:02 ` [Buildroot] [PATCH 3/5] package/gvfs: fix CVE-2019-12447 Fabrice Fontaine
2020-03-29 16:02 ` [Buildroot] [PATCH 4/5] package/gvfs: fix CVE-2019-12449 Fabrice Fontaine
2020-03-29 16:02 ` [Buildroot] [PATCH 5/5] package/gvfs: fix CVE-2019-12795 Fabrice Fontaine
2020-03-29 16:49 ` [Buildroot] [PATCH 1/5] package/gvfs: fix CVE-2019-3827 Yann E. MORIN
2020-03-29 17:12   ` Fabrice Fontaine
2020-03-29 17:28     ` Yann E. MORIN
2020-04-07 19:07 ` Peter Korsgaard
