diff --git a/SOURCES/0001-GDBus-prefer-getsockopt-style-credentials-passing-AP.patch b/SOURCES/0001-GDBus-prefer-getsockopt-style-credentials-passing-AP.patch deleted file mode 100644 index 5bfd8ba..0000000 --- a/SOURCES/0001-GDBus-prefer-getsockopt-style-credentials-passing-AP.patch +++ /dev/null @@ -1,170 +0,0 @@ -From ee502dbbe89a5976c32eb8863c9a9d274ddb60e1 Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 14 Oct 2019 08:47:39 +0100 -Subject: [PATCH] GDBus: prefer getsockopt()-style credentials-passing APIs - -Conceptually, a D-Bus server is really trying to determine the credentials -of (the process that initiated) a connection, not the credentials that -the process had when it sent a particular message. Ideally, it does -this with a getsockopt()-style API that queries the credentials of the -connection's initiator without requiring any particular cooperation from -that process, avoiding a class of possible failures. - -The leading '\0' in the D-Bus protocol is primarily a workaround -for platforms where the message-based credentials-passing API is -strictly better than the getsockopt()-style API (for example, on -FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not), -or where the getsockopt()-style API does not exist at all. As a result -libdbus, the reference implementation of D-Bus, does not implement -Linux SCM_CREDENTIALS at all - it has no reason to do so, because the -SO_PEERCRED socket option is equally informative. - -This change makes GDBusServer on Linux more closely match the behaviour -of libdbus. - -In particular, GNOME/glib#1831 indicates that when a libdbus client -connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS -message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is -most likely a race condition in the early steps to connect: - - client server - connect - accept - send '\0' <- race -> set SO_PASSCRED = 1 - receive '\0' - -If the server wins the race: - - client server - connect - accept - set SO_PASSCRED = 1 - send '\0' - receive '\0' - -then everything is fine. However, if the client wins the race: - - client server - connect - accept - send '\0' - set SO_PASSCRED = 1 - receive '\0' - -then the kernel does not record credentials for the message containing -'\0' (because SO_PASSCRED was 0 at the time). However, by the time the -server receives the message, the kernel knows that credentials are -desired. I would have expected the kernel to omit the credentials header -in this case, but it seems that instead, it synthesizes a credentials -structure with a dummy process ID 0, a dummy uid derived from -/proc/sys/kernel/overflowuid and a dummy gid derived from -/proc/sys/kernel/overflowgid. - -In an unconfigured GDBusServer, hitting this race condition results in -falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually -succeeds in authenticating the peer's uid. However, we encourage AF_UNIX -servers on Unix platforms to allow only EXTERNAL authentication as a -security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series -of assumptions including a cryptographically strong PRNG and a shared -home directory with no write access by others, which are not necessarily -true for all operating systems and users. EXTERNAL authentication will -fail if the server cannot determine the client's credentials. - -In particular, this caused a regression when CVE-2019-14822 was fixed -in ibus, which appears to be resolved by this commit. Qt clients -(which use libdbus) intermittently fail to connect to an ibus server -(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1 -authentication or non-matching uids. - -Signed-off-by: Simon McVittie -Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831 ---- - gio/gcredentialsprivate.h | 18 ++++++++++++++++++ - gio/gdbusauth.c | 27 +++++++++++++++++++++++++-- - 2 files changed, 43 insertions(+), 2 deletions(-) - -diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h -index 06f0aed19..e9ec09b9f 100644 ---- a/gio/gcredentialsprivate.h -+++ b/gio/gcredentialsprivate.h -@@ -81,6 +81,18 @@ - */ - #undef G_CREDENTIALS_SPOOFING_SUPPORTED - -+/* -+ * G_CREDENTIALS_PREFER_MESSAGE_PASSING: -+ * -+ * Defined to 1 if the data structure transferred by the message-passing -+ * API is strictly more informative than the one transferred by the -+ * `getsockopt()`-style API, and hence should be preferred, even for -+ * protocols like D-Bus that are defined in terms of the credentials of -+ * the (process that opened the) socket, as opposed to the credentials -+ * of an individual message. -+ */ -+#undef G_CREDENTIALS_PREFER_MESSAGE_PASSING -+ - #ifdef __linux__ - #define G_CREDENTIALS_SUPPORTED 1 - #define G_CREDENTIALS_USE_LINUX_UCRED 1 -@@ -100,6 +112,12 @@ - #define G_CREDENTIALS_NATIVE_SIZE (sizeof (struct cmsgcred)) - #define G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED 1 - #define G_CREDENTIALS_SPOOFING_SUPPORTED 1 -+/* GLib doesn't implement it yet, but FreeBSD's getsockopt()-style API -+ * is getpeereid(), which is not as informative as struct cmsgcred - -+ * it does not tell us the PID. As a result, libdbus prefers to use -+ * SCM_CREDS, and if we implement getpeereid() in future, we should -+ * do the same. */ -+#define G_CREDENTIALS_PREFER_MESSAGE_PASSING 1 - - #elif defined(__NetBSD__) - #define G_CREDENTIALS_SUPPORTED 1 -diff --git a/gio/gdbusauth.c b/gio/gdbusauth.c -index 752ec23fc..14cc5d70e 100644 ---- a/gio/gdbusauth.c -+++ b/gio/gdbusauth.c -@@ -31,6 +31,7 @@ - #include "gdbusutils.h" - #include "gioenumtypes.h" - #include "gcredentials.h" -+#include "gcredentialsprivate.h" - #include "gdbusprivate.h" - #include "giostream.h" - #include "gdatainputstream.h" -@@ -969,9 +970,31 @@ _g_dbus_auth_run_server (GDBusAuth *auth, - - g_data_input_stream_set_newline_type (dis, G_DATA_STREAM_NEWLINE_TYPE_CR_LF); - -- /* first read the NUL-byte */ -+ /* read the NUL-byte, possibly with credentials attached */ - #ifdef G_OS_UNIX -- if (G_IS_UNIX_CONNECTION (auth->priv->stream)) -+#ifndef G_CREDENTIALS_PREFER_MESSAGE_PASSING -+ if (G_IS_SOCKET_CONNECTION (auth->priv->stream)) -+ { -+ GSocket *sock = g_socket_connection_get_socket (G_SOCKET_CONNECTION (auth->priv->stream)); -+ -+ local_error = NULL; -+ credentials = g_socket_get_credentials (sock, &local_error); -+ -+ if (credentials == NULL && !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED)) -+ { -+ g_propagate_error (error, local_error); -+ goto out; -+ } -+ else -+ { -+ /* Clear the error indicator, so we can retry with -+ * g_unix_connection_receive_credentials() if necessary */ -+ g_clear_error (&local_error); -+ } -+ } -+#endif -+ -+ if (credentials == NULL && G_IS_UNIX_CONNECTION (auth->priv->stream)) - { - local_error = NULL; - credentials = g_unix_connection_receive_credentials (G_UNIX_CONNECTION (auth->priv->stream), --- -2.23.0 - diff --git a/SOURCES/0001-credentials-Invalid-Linux-struct-ucred-means-no-info.patch b/SOURCES/0001-credentials-Invalid-Linux-struct-ucred-means-no-info.patch deleted file mode 100644 index 764d407..0000000 --- a/SOURCES/0001-credentials-Invalid-Linux-struct-ucred-means-no-info.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 1485a97d8051b0aa047987f7b0c0bfe4ba4ce55b Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Fri, 18 Oct 2019 10:55:09 +0100 -Subject: [PATCH] credentials: Invalid Linux struct ucred means "no - information" - -On Linux, if getsockopt SO_PEERCRED is used on a TCP socket, one -might expect it to fail with an appropriate error like ENOTSUP or -EPROTONOSUPPORT. However, it appears that in fact it succeeds, but -yields a credentials structure with pid 0, uid -1 and gid -1. These -are not real process, user and group IDs that can be allocated to a -real process (pid 0 needs to be reserved to give kill(0) its documented -special semantics, and similarly uid and gid -1 need to be reserved for -setresuid() and setresgid()) so it is not meaningful to signal them to -high-level API users. - -An API user with Linux-specific knowledge can still inspect these fields -via g_credentials_get_native() if desired. - -Similarly, if SO_PASSCRED is used to receive a SCM_CREDENTIALS message -on a receiving Unix socket, but the sending socket had not enabled -SO_PASSCRED at the time that the message was sent, it is possible -for it to succeed but yield a credentials structure with pid 0, uid -/proc/sys/kernel/overflowuid and gid /proc/sys/kernel/overflowgid. Even -if we were to read those pseudo-files, we cannot distinguish between -the overflow IDs and a real process that legitimately has the same IDs -(typically they are set to 'nobody' and 'nogroup', which can be used -by a real process), so we detect this situation by noticing that -pid == 0, and to save syscalls we do not read the overflow IDs from -/proc at all. - -This results in a small API change: g_credentials_is_same_user() now -returns FALSE if we compare two credentials structures that are both -invalid. This seems like reasonable, conservative behaviour: if we cannot -prove that they are the same user, we should assume they are not. - -Signed-off-by: Simon McVittie ---- - gio/gcredentials.c | 42 +++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 39 insertions(+), 3 deletions(-) - -diff --git a/gio/gcredentials.c b/gio/gcredentials.c -index c350e3c88..c4794ded7 100644 ---- a/gio/gcredentials.c -+++ b/gio/gcredentials.c -@@ -265,6 +265,35 @@ g_credentials_to_string (GCredentials *credentials) - - /* ---------------------------------------------------------------------------------------------------- */ - -+#if G_CREDENTIALS_USE_LINUX_UCRED -+/* -+ * Check whether @native contains invalid data. If getsockopt SO_PEERCRED -+ * is used on a TCP socket, it succeeds but yields a credentials structure -+ * with pid 0, uid -1 and gid -1. Similarly, if SO_PASSCRED is used on a -+ * receiving Unix socket when the sending socket did not also enable -+ * SO_PASSCRED, it can succeed but yield a credentials structure with -+ * pid 0, uid /proc/sys/kernel/overflowuid and gid -+ * /proc/sys/kernel/overflowgid. -+ */ -+static gboolean -+linux_ucred_check_valid (struct ucred *native, -+ GError **error) -+{ -+ if (native->pid == 0 -+ || native->uid == -1 -+ || native->gid == -1) -+ { -+ g_set_error_literal (error, -+ G_IO_ERROR, -+ G_IO_ERROR_INVALID_DATA, -+ _("GCredentials contains invalid data")); -+ return FALSE; -+ } -+ -+ return TRUE; -+} -+#endif -+ - /** - * g_credentials_is_same_user: - * @credentials: A #GCredentials. -@@ -294,7 +323,8 @@ g_credentials_is_same_user (GCredentials *credentials, - - ret = FALSE; - #if G_CREDENTIALS_USE_LINUX_UCRED -- if (credentials->native.uid == other_credentials->native.uid) -+ if (linux_ucred_check_valid (&credentials->native, NULL) -+ && credentials->native.uid == other_credentials->native.uid) - ret = TRUE; - #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED - if (credentials->native.cmcred_euid == other_credentials->native.cmcred_euid) -@@ -453,7 +483,10 @@ g_credentials_get_unix_user (GCredentials *credentials, - g_return_val_if_fail (error == NULL || *error == NULL, -1); - - #if G_CREDENTIALS_USE_LINUX_UCRED -- ret = credentials->native.uid; -+ if (linux_ucred_check_valid (&credentials->native, error)) -+ ret = credentials->native.uid; -+ else -+ ret = -1; - #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED - ret = credentials->native.cmcred_euid; - #elif G_CREDENTIALS_USE_NETBSD_UNPCBID -@@ -499,7 +532,10 @@ g_credentials_get_unix_pid (GCredentials *credentials, - g_return_val_if_fail (error == NULL || *error == NULL, -1); - - #if G_CREDENTIALS_USE_LINUX_UCRED -- ret = credentials->native.pid; -+ if (linux_ucred_check_valid (&credentials->native, error)) -+ ret = credentials->native.pid; -+ else -+ ret = -1; - #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED - ret = credentials->native.cmcred_pid; - #elif G_CREDENTIALS_USE_NETBSD_UNPCBID --- -2.23.0 - diff --git a/SOURCES/0001-gcredentialsprivate-Document-the-various-private-mac.patch b/SOURCES/0001-gcredentialsprivate-Document-the-various-private-mac.patch deleted file mode 100644 index fe37025..0000000 --- a/SOURCES/0001-gcredentialsprivate-Document-the-various-private-mac.patch +++ /dev/null @@ -1,83 +0,0 @@ -From ef1035d9d86464ea0b5dde60a7a0e190895fdf5b Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Mon, 14 Oct 2019 08:22:24 +0100 -Subject: [PATCH] gcredentialsprivate: Document the various private macros - -Signed-off-by: Simon McVittie ---- - gio/gcredentialsprivate.h | 59 +++++++++++++++++++++++++++++++++++++++ - 1 file changed, 59 insertions(+) - -diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h -index 4d1c420a8..06f0aed19 100644 ---- a/gio/gcredentialsprivate.h -+++ b/gio/gcredentialsprivate.h -@@ -22,6 +22,65 @@ - #include "gio/gcredentials.h" - #include "gio/gnetworking.h" - -+/* -+ * G_CREDENTIALS_SUPPORTED: -+ * -+ * Defined to 1 if GCredentials works. -+ */ -+#undef G_CREDENTIALS_SUPPORTED -+ -+/* -+ * G_CREDENTIALS_USE_LINUX_UCRED, etc.: -+ * -+ * Defined to 1 if GCredentials uses Linux `struct ucred`, etc. -+ */ -+#undef G_CREDENTIALS_USE_LINUX_UCRED -+#undef G_CREDENTIALS_USE_FREEBSD_CMSGCRED -+#undef G_CREDENTIALS_USE_NETBSD_UNPCBID -+#undef G_CREDENTIALS_USE_OPENBSD_SOCKPEERCRED -+#undef G_CREDENTIALS_USE_SOLARIS_UCRED -+ -+/* -+ * G_CREDENTIALS_NATIVE_TYPE: -+ * -+ * Defined to one of G_CREDENTIALS_TYPE_LINUX_UCRED, etc. -+ */ -+#undef G_CREDENTIALS_NATIVE_TYPE -+ -+/* -+ * G_CREDENTIALS_NATIVE_SIZE: -+ * -+ * Defined to the size of the %G_CREDENTIALS_NATIVE_TYPE -+ */ -+#undef G_CREDENTIALS_NATIVE_SIZE -+ -+/* -+ * G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED: -+ * -+ * Defined to 1 if we have a message-passing API in which credentials -+ * are attached to a particular message, such as `SCM_CREDENTIALS` on Linux -+ * or `SCM_CREDS` on FreeBSD. -+ */ -+#undef G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED -+ -+/* -+ * G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED: -+ * -+ * Defined to 1 if we have a `getsockopt()`-style API in which one end of -+ * a socket connection can directly query the credentials of the process -+ * that initiated the other end, such as `getsockopt SO_PEERCRED` on Linux -+ * or `getpeereid()` on multiple operating systems. -+ */ -+#undef G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED -+ -+/* -+ * G_CREDENTIALS_SPOOFING_SUPPORTED: -+ * -+ * Defined to 1 if privileged processes can spoof their credentials when -+ * using the message-passing API. -+ */ -+#undef G_CREDENTIALS_SPOOFING_SUPPORTED -+ - #ifdef __linux__ - #define G_CREDENTIALS_SUPPORTED 1 - #define G_CREDENTIALS_USE_LINUX_UCRED 1 --- -2.23.0 - diff --git a/SOURCES/0002-gvariant-test-Also-force-alignment-for-tuple-test-da.patch b/SOURCES/0002-gvariant-test-Also-force-alignment-for-tuple-test-da.patch deleted file mode 100644 index 6699c59..0000000 --- a/SOURCES/0002-gvariant-test-Also-force-alignment-for-tuple-test-da.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 4ef58e5661849317a1110c9b93957f2c608677dd Mon Sep 17 00:00:00 2001 -From: Simon McVittie -Date: Thu, 3 Jan 2019 08:21:40 +0000 -Subject: [PATCH 2/2] gvariant test: Also force alignment for tuple test data - -glib!552 (commit 9eed22b3) fixed this for the tests that failed on i686, -but this additional test failed on Debian's s390x port -(IBM z/Architecture, 64-bit big-endian). - -Signed-off-by: Simon McVittie ---- - glib/tests/gvariant.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c -index a7b19826d..c4a996c1f 100644 ---- a/glib/tests/gvariant.c -+++ b/glib/tests/gvariant.c -@@ -4820,6 +4820,7 @@ test_normal_checking_array_offsets (void) - static void - test_normal_checking_tuple_offsets (void) - { -+ gpointer aligned_data; - const guint8 data[] = { - 0x07, 0xe5, 0x00, 0x07, 0x00, 0x07, - '(', 'a', 's', 'a', 's', 'a', 's', 'a', 's', 'a', 's', 'a', 's', ')', -@@ -4828,13 +4829,15 @@ test_normal_checking_tuple_offsets (void) - GVariant *variant = NULL; - GVariant *normal_variant = NULL; - -- variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, data, size, -- FALSE, NULL, NULL); -+ aligned_data = g_memdup (data, size); /* guarantee alignment */ -+ variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, aligned_data, -+ size, FALSE, NULL, NULL); - g_assert_nonnull (variant); - - normal_variant = g_variant_get_normal_form (variant); - g_assert_nonnull (normal_variant); - -+ g_free (aligned_data); - g_variant_unref (normal_variant); - g_variant_unref (variant); - } --- -2.19.1 - diff --git a/SOURCES/backport-per-desktop-overrides.patch b/SOURCES/105.patch similarity index 100% rename from SOURCES/backport-per-desktop-overrides.patch rename to SOURCES/105.patch diff --git a/SOURCES/1176.patch b/SOURCES/1176.patch new file mode 100644 index 0000000..7322a12 --- /dev/null +++ b/SOURCES/1176.patch @@ -0,0 +1,371 @@ +From ef1035d9d86464ea0b5dde60a7a0e190895fdf5b Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 14 Oct 2019 08:22:24 +0100 +Subject: [PATCH] gcredentialsprivate: Document the various private macros + +Signed-off-by: Simon McVittie +--- + gio/gcredentialsprivate.h | 59 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 59 insertions(+) + +diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h +index 4d1c420a8..06f0aed19 100644 +--- a/gio/gcredentialsprivate.h ++++ b/gio/gcredentialsprivate.h +@@ -22,6 +22,65 @@ + #include "gio/gcredentials.h" + #include "gio/gnetworking.h" + ++/* ++ * G_CREDENTIALS_SUPPORTED: ++ * ++ * Defined to 1 if GCredentials works. ++ */ ++#undef G_CREDENTIALS_SUPPORTED ++ ++/* ++ * G_CREDENTIALS_USE_LINUX_UCRED, etc.: ++ * ++ * Defined to 1 if GCredentials uses Linux `struct ucred`, etc. ++ */ ++#undef G_CREDENTIALS_USE_LINUX_UCRED ++#undef G_CREDENTIALS_USE_FREEBSD_CMSGCRED ++#undef G_CREDENTIALS_USE_NETBSD_UNPCBID ++#undef G_CREDENTIALS_USE_OPENBSD_SOCKPEERCRED ++#undef G_CREDENTIALS_USE_SOLARIS_UCRED ++ ++/* ++ * G_CREDENTIALS_NATIVE_TYPE: ++ * ++ * Defined to one of G_CREDENTIALS_TYPE_LINUX_UCRED, etc. ++ */ ++#undef G_CREDENTIALS_NATIVE_TYPE ++ ++/* ++ * G_CREDENTIALS_NATIVE_SIZE: ++ * ++ * Defined to the size of the %G_CREDENTIALS_NATIVE_TYPE ++ */ ++#undef G_CREDENTIALS_NATIVE_SIZE ++ ++/* ++ * G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED: ++ * ++ * Defined to 1 if we have a message-passing API in which credentials ++ * are attached to a particular message, such as `SCM_CREDENTIALS` on Linux ++ * or `SCM_CREDS` on FreeBSD. ++ */ ++#undef G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED ++ ++/* ++ * G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED: ++ * ++ * Defined to 1 if we have a `getsockopt()`-style API in which one end of ++ * a socket connection can directly query the credentials of the process ++ * that initiated the other end, such as `getsockopt SO_PEERCRED` on Linux ++ * or `getpeereid()` on multiple operating systems. ++ */ ++#undef G_CREDENTIALS_SOCKET_GET_CREDENTIALS_SUPPORTED ++ ++/* ++ * G_CREDENTIALS_SPOOFING_SUPPORTED: ++ * ++ * Defined to 1 if privileged processes can spoof their credentials when ++ * using the message-passing API. ++ */ ++#undef G_CREDENTIALS_SPOOFING_SUPPORTED ++ + #ifdef __linux__ + #define G_CREDENTIALS_SUPPORTED 1 + #define G_CREDENTIALS_USE_LINUX_UCRED 1 +-- +2.23.0 + +From ee502dbbe89a5976c32eb8863c9a9d274ddb60e1 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Mon, 14 Oct 2019 08:47:39 +0100 +Subject: [PATCH] GDBus: prefer getsockopt()-style credentials-passing APIs + +Conceptually, a D-Bus server is really trying to determine the credentials +of (the process that initiated) a connection, not the credentials that +the process had when it sent a particular message. Ideally, it does +this with a getsockopt()-style API that queries the credentials of the +connection's initiator without requiring any particular cooperation from +that process, avoiding a class of possible failures. + +The leading '\0' in the D-Bus protocol is primarily a workaround +for platforms where the message-based credentials-passing API is +strictly better than the getsockopt()-style API (for example, on +FreeBSD, SCM_CREDS includes a process ID but getpeereid() does not), +or where the getsockopt()-style API does not exist at all. As a result +libdbus, the reference implementation of D-Bus, does not implement +Linux SCM_CREDENTIALS at all - it has no reason to do so, because the +SO_PEERCRED socket option is equally informative. + +This change makes GDBusServer on Linux more closely match the behaviour +of libdbus. + +In particular, GNOME/glib#1831 indicates that when a libdbus client +connects to a GDBus server, recvmsg() sometimes yields a SCM_CREDENTIALS +message with cmsg_data={pid=0, uid=65534, gid=65534}. I think this is +most likely a race condition in the early steps to connect: + + client server + connect + accept + send '\0' <- race -> set SO_PASSCRED = 1 + receive '\0' + +If the server wins the race: + + client server + connect + accept + set SO_PASSCRED = 1 + send '\0' + receive '\0' + +then everything is fine. However, if the client wins the race: + + client server + connect + accept + send '\0' + set SO_PASSCRED = 1 + receive '\0' + +then the kernel does not record credentials for the message containing +'\0' (because SO_PASSCRED was 0 at the time). However, by the time the +server receives the message, the kernel knows that credentials are +desired. I would have expected the kernel to omit the credentials header +in this case, but it seems that instead, it synthesizes a credentials +structure with a dummy process ID 0, a dummy uid derived from +/proc/sys/kernel/overflowuid and a dummy gid derived from +/proc/sys/kernel/overflowgid. + +In an unconfigured GDBusServer, hitting this race condition results in +falling back to DBUS_COOKIE_SHA1 authentication, which in practice usually +succeeds in authenticating the peer's uid. However, we encourage AF_UNIX +servers on Unix platforms to allow only EXTERNAL authentication as a +security-hardening measure, because DBUS_COOKIE_SHA1 relies on a series +of assumptions including a cryptographically strong PRNG and a shared +home directory with no write access by others, which are not necessarily +true for all operating systems and users. EXTERNAL authentication will +fail if the server cannot determine the client's credentials. + +In particular, this caused a regression when CVE-2019-14822 was fixed +in ibus, which appears to be resolved by this commit. Qt clients +(which use libdbus) intermittently fail to connect to an ibus server +(which uses GDBusServer), because ibus no longer allows DBUS_COOKIE_SHA1 +authentication or non-matching uids. + +Signed-off-by: Simon McVittie +Closes: https://gitlab.gnome.org/GNOME/glib/issues/1831 +--- + gio/gcredentialsprivate.h | 18 ++++++++++++++++++ + gio/gdbusauth.c | 27 +++++++++++++++++++++++++-- + 2 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/gio/gcredentialsprivate.h b/gio/gcredentialsprivate.h +index 06f0aed19..e9ec09b9f 100644 +--- a/gio/gcredentialsprivate.h ++++ b/gio/gcredentialsprivate.h +@@ -81,6 +81,18 @@ + */ + #undef G_CREDENTIALS_SPOOFING_SUPPORTED + ++/* ++ * G_CREDENTIALS_PREFER_MESSAGE_PASSING: ++ * ++ * Defined to 1 if the data structure transferred by the message-passing ++ * API is strictly more informative than the one transferred by the ++ * `getsockopt()`-style API, and hence should be preferred, even for ++ * protocols like D-Bus that are defined in terms of the credentials of ++ * the (process that opened the) socket, as opposed to the credentials ++ * of an individual message. ++ */ ++#undef G_CREDENTIALS_PREFER_MESSAGE_PASSING ++ + #ifdef __linux__ + #define G_CREDENTIALS_SUPPORTED 1 + #define G_CREDENTIALS_USE_LINUX_UCRED 1 +@@ -100,6 +112,12 @@ + #define G_CREDENTIALS_NATIVE_SIZE (sizeof (struct cmsgcred)) + #define G_CREDENTIALS_UNIX_CREDENTIALS_MESSAGE_SUPPORTED 1 + #define G_CREDENTIALS_SPOOFING_SUPPORTED 1 ++/* GLib doesn't implement it yet, but FreeBSD's getsockopt()-style API ++ * is getpeereid(), which is not as informative as struct cmsgcred - ++ * it does not tell us the PID. As a result, libdbus prefers to use ++ * SCM_CREDS, and if we implement getpeereid() in future, we should ++ * do the same. */ ++#define G_CREDENTIALS_PREFER_MESSAGE_PASSING 1 + + #elif defined(__NetBSD__) + #define G_CREDENTIALS_SUPPORTED 1 +diff --git a/gio/gdbusauth.c b/gio/gdbusauth.c +index 752ec23fc..14cc5d70e 100644 +--- a/gio/gdbusauth.c ++++ b/gio/gdbusauth.c +@@ -31,6 +31,7 @@ + #include "gdbusutils.h" + #include "gioenumtypes.h" + #include "gcredentials.h" ++#include "gcredentialsprivate.h" + #include "gdbusprivate.h" + #include "giostream.h" + #include "gdatainputstream.h" +@@ -969,9 +970,31 @@ _g_dbus_auth_run_server (GDBusAuth *auth, + + g_data_input_stream_set_newline_type (dis, G_DATA_STREAM_NEWLINE_TYPE_CR_LF); + +- /* first read the NUL-byte */ ++ /* read the NUL-byte, possibly with credentials attached */ + #ifdef G_OS_UNIX +- if (G_IS_UNIX_CONNECTION (auth->priv->stream)) ++#ifndef G_CREDENTIALS_PREFER_MESSAGE_PASSING ++ if (G_IS_SOCKET_CONNECTION (auth->priv->stream)) ++ { ++ GSocket *sock = g_socket_connection_get_socket (G_SOCKET_CONNECTION (auth->priv->stream)); ++ ++ local_error = NULL; ++ credentials = g_socket_get_credentials (sock, &local_error); ++ ++ if (credentials == NULL && !g_error_matches (local_error, G_IO_ERROR, G_IO_ERROR_NOT_SUPPORTED)) ++ { ++ g_propagate_error (error, local_error); ++ goto out; ++ } ++ else ++ { ++ /* Clear the error indicator, so we can retry with ++ * g_unix_connection_receive_credentials() if necessary */ ++ g_clear_error (&local_error); ++ } ++ } ++#endif ++ ++ if (credentials == NULL && G_IS_UNIX_CONNECTION (auth->priv->stream)) + { + local_error = NULL; + credentials = g_unix_connection_receive_credentials (G_UNIX_CONNECTION (auth->priv->stream), +-- +2.23.0 + +From 1485a97d8051b0aa047987f7b0c0bfe4ba4ce55b Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Fri, 18 Oct 2019 10:55:09 +0100 +Subject: [PATCH] credentials: Invalid Linux struct ucred means "no + information" + +On Linux, if getsockopt SO_PEERCRED is used on a TCP socket, one +might expect it to fail with an appropriate error like ENOTSUP or +EPROTONOSUPPORT. However, it appears that in fact it succeeds, but +yields a credentials structure with pid 0, uid -1 and gid -1. These +are not real process, user and group IDs that can be allocated to a +real process (pid 0 needs to be reserved to give kill(0) its documented +special semantics, and similarly uid and gid -1 need to be reserved for +setresuid() and setresgid()) so it is not meaningful to signal them to +high-level API users. + +An API user with Linux-specific knowledge can still inspect these fields +via g_credentials_get_native() if desired. + +Similarly, if SO_PASSCRED is used to receive a SCM_CREDENTIALS message +on a receiving Unix socket, but the sending socket had not enabled +SO_PASSCRED at the time that the message was sent, it is possible +for it to succeed but yield a credentials structure with pid 0, uid +/proc/sys/kernel/overflowuid and gid /proc/sys/kernel/overflowgid. Even +if we were to read those pseudo-files, we cannot distinguish between +the overflow IDs and a real process that legitimately has the same IDs +(typically they are set to 'nobody' and 'nogroup', which can be used +by a real process), so we detect this situation by noticing that +pid == 0, and to save syscalls we do not read the overflow IDs from +/proc at all. + +This results in a small API change: g_credentials_is_same_user() now +returns FALSE if we compare two credentials structures that are both +invalid. This seems like reasonable, conservative behaviour: if we cannot +prove that they are the same user, we should assume they are not. + +Signed-off-by: Simon McVittie +--- + gio/gcredentials.c | 42 +++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 39 insertions(+), 3 deletions(-) + +diff --git a/gio/gcredentials.c b/gio/gcredentials.c +index c350e3c88..c4794ded7 100644 +--- a/gio/gcredentials.c ++++ b/gio/gcredentials.c +@@ -265,6 +265,35 @@ g_credentials_to_string (GCredentials *credentials) + + /* ---------------------------------------------------------------------------------------------------- */ + ++#if G_CREDENTIALS_USE_LINUX_UCRED ++/* ++ * Check whether @native contains invalid data. If getsockopt SO_PEERCRED ++ * is used on a TCP socket, it succeeds but yields a credentials structure ++ * with pid 0, uid -1 and gid -1. Similarly, if SO_PASSCRED is used on a ++ * receiving Unix socket when the sending socket did not also enable ++ * SO_PASSCRED, it can succeed but yield a credentials structure with ++ * pid 0, uid /proc/sys/kernel/overflowuid and gid ++ * /proc/sys/kernel/overflowgid. ++ */ ++static gboolean ++linux_ucred_check_valid (struct ucred *native, ++ GError **error) ++{ ++ if (native->pid == 0 ++ || native->uid == -1 ++ || native->gid == -1) ++ { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_INVALID_DATA, ++ _("GCredentials contains invalid data")); ++ return FALSE; ++ } ++ ++ return TRUE; ++} ++#endif ++ + /** + * g_credentials_is_same_user: + * @credentials: A #GCredentials. +@@ -294,7 +323,8 @@ g_credentials_is_same_user (GCredentials *credentials, + + ret = FALSE; + #if G_CREDENTIALS_USE_LINUX_UCRED +- if (credentials->native.uid == other_credentials->native.uid) ++ if (linux_ucred_check_valid (&credentials->native, NULL) ++ && credentials->native.uid == other_credentials->native.uid) + ret = TRUE; + #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED + if (credentials->native.cmcred_euid == other_credentials->native.cmcred_euid) +@@ -453,7 +483,10 @@ g_credentials_get_unix_user (GCredentials *credentials, + g_return_val_if_fail (error == NULL || *error == NULL, -1); + + #if G_CREDENTIALS_USE_LINUX_UCRED +- ret = credentials->native.uid; ++ if (linux_ucred_check_valid (&credentials->native, error)) ++ ret = credentials->native.uid; ++ else ++ ret = -1; + #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED + ret = credentials->native.cmcred_euid; + #elif G_CREDENTIALS_USE_NETBSD_UNPCBID +@@ -499,7 +532,10 @@ g_credentials_get_unix_pid (GCredentials *credentials, + g_return_val_if_fail (error == NULL || *error == NULL, -1); + + #if G_CREDENTIALS_USE_LINUX_UCRED +- ret = credentials->native.pid; ++ if (linux_ucred_check_valid (&credentials->native, error)) ++ ret = credentials->native.pid; ++ else ++ ret = -1; + #elif G_CREDENTIALS_USE_FREEBSD_CMSGCRED + ret = credentials->native.cmcred_pid; + #elif G_CREDENTIALS_USE_NETBSD_UNPCBID +-- +2.23.0 + diff --git a/SOURCES/1369.patch b/SOURCES/1369.patch new file mode 100644 index 0000000..2d5d1c3 --- /dev/null +++ b/SOURCES/1369.patch @@ -0,0 +1,38 @@ +From a18f091c6c090b93cd816f8cd5be763b6e238632 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Fri, 7 Feb 2020 17:10:23 +0000 +Subject: [PATCH] libcharset: Drop a redundant environment variable + +It was used for running tests when we built with autotools, but is no +longer used in the Meson build system. If we need something similar in +future, it should be done by adding internal API to override the +directory on a per-call basis, rather than loading a path from a shared +global table every time. + +Signed-off-by: Philip Withnall + +Helps: #1919 +--- + glib/libcharset/localcharset.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/glib/libcharset/localcharset.c b/glib/libcharset/localcharset.c +index 0c4d544be..ab3a2678d 100644 +--- a/glib/libcharset/localcharset.c ++++ b/glib/libcharset/localcharset.c +@@ -117,11 +117,7 @@ _g_locale_get_charset_aliases (void) + const char *base = "charset.alias"; + char *file_name; + +- /* Make it possible to override the charset.alias location. This is +- necessary for running the testsuite before "make install". */ +- dir = getenv ("CHARSETALIASDIR"); +- if (dir == NULL || dir[0] == '\0') +- dir = relocate (GLIB_CHARSETALIAS_DIR); ++ dir = relocate (GLIB_CHARSETALIAS_DIR); + + /* Concatenate dir and base into freshly allocated file_name. */ + { +-- +2.31.1 + diff --git a/SOURCES/1713.patch b/SOURCES/1713.patch new file mode 100644 index 0000000..cace858 --- /dev/null +++ b/SOURCES/1713.patch @@ -0,0 +1,204 @@ +From 4f0a31d66c2a6588495b8ae682f555584dafdf45 Mon Sep 17 00:00:00 2001 +From: Claudio Saavedra +Date: Wed, 21 Oct 2020 13:19:42 +0300 +Subject: [PATCH] gmain: g_main_context_check() can skip updating polled FD + sources + +If there is a file descriptor source that has a lower priority +than the one for sources that are going to be dispatched, +all subsequent file descriptor sources (internally sorted by +file descriptor identifier) do not get an update in their GPollRec +and later on wrong sources can be dispatched. + +Fix this by first finding the first GPollRec that matches the current +GPollFD, instead of relying on it to be the current one. At +the same time, document the assumptions about the ordering of the +file descriptor records and array and make explicit in the documentation +that the array needs to be passed to g_main_context_check() as it was +received from g_main_context_query(). + +Added a new test that reproduces the bug by creating two file +descriptor sources and an idle one. Since the first +file descriptor created has a lower identifier and a low priority, +the second one is not dispatched even when it has the same, higher, +priority as the idle source. After fixing this bug, both +higher priority sources are dispatched as expected. + +While this patch was written independently, a similar fix for this +bug was first submitted by Eugene M in GNOME/glib!562. Having a +second fix that basically does the same is a reassurance that we +are in the right here. + +Fixes #1592 +--- + glib/gmain.c | 32 ++++++++++++++++++++++-- + glib/tests/mainloop.c | 57 +++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 87 insertions(+), 2 deletions(-) + +diff --git a/glib/gmain.c b/glib/gmain.c +index 95992253d..a59cd686c 100644 +--- a/glib/gmain.c ++++ b/glib/gmain.c +@@ -3573,7 +3573,10 @@ g_main_context_prepare (GMainContext *context, + * store #GPollFD records that need to be polled. + * @n_fds: (in): length of @fds. + * +- * Determines information necessary to poll this main loop. ++ * Determines information necessary to poll this main loop. You should ++ * be careful to pass the resulting @fds array and its length @n_fds ++ * as is when calling g_main_context_check(), as this function relies ++ * on assumptions made when the array is filled. + * + * You must have successfully acquired the context with + * g_main_context_acquire() before you may call this function. +@@ -3597,6 +3600,10 @@ g_main_context_query (GMainContext *context, + + TRACE (GLIB_MAIN_CONTEXT_BEFORE_QUERY (context, max_priority)); + ++ /* fds is filled sequentially from poll_records. Since poll_records ++ * are incrementally sorted by file descriptor identifier, fds will ++ * also be incrementally sorted. ++ */ + n_poll = 0; + lastpollrec = NULL; + for (pollrec = context->poll_records; pollrec; pollrec = pollrec->next) +@@ -3611,6 +3618,10 @@ g_main_context_query (GMainContext *context, + */ + events = pollrec->fd->events & ~(G_IO_ERR|G_IO_HUP|G_IO_NVAL); + ++ /* This optimization --using the same GPollFD to poll for more ++ * than one poll record-- relies on the poll records being ++ * incrementally sorted. ++ */ + if (lastpollrec && pollrec->fd->fd == lastpollrec->fd->fd) + { + if (n_poll - 1 < n_fds) +@@ -3656,7 +3667,10 @@ g_main_context_query (GMainContext *context, + * the last call to g_main_context_query() + * @n_fds: return value of g_main_context_query() + * +- * Passes the results of polling back to the main loop. ++ * Passes the results of polling back to the main loop. You should be ++ * careful to pass @fds and its length @n_fds as received from ++ * g_main_context_query(), as this functions relies on assumptions ++ * on how @fds is filled. + * + * You must have successfully acquired the context with + * g_main_context_acquire() before you may call this function. +@@ -3711,10 +3725,22 @@ g_main_context_check (GMainContext *context, + return FALSE; + } + ++ /* The linear iteration below relies on the assumption that both ++ * poll records and the fds array are incrementally sorted by file ++ * descriptor identifier. ++ */ + pollrec = context->poll_records; + i = 0; + while (pollrec && i < n_fds) + { ++ /* Make sure that fds is sorted by file descriptor identifier. */ ++ g_assert (i <= 0 || fds[i - 1].fd < fds[i].fd); ++ ++ /* Skip until finding the first GPollRec matching the current GPollFD. */ ++ while (pollrec && pollrec->fd->fd != fds[i].fd) ++ pollrec = pollrec->next; ++ ++ /* Update all consecutive GPollRecs that match. */ + while (pollrec && pollrec->fd->fd == fds[i].fd) + { + if (pollrec->priority <= max_priority) +@@ -3725,6 +3751,7 @@ g_main_context_check (GMainContext *context, + pollrec = pollrec->next; + } + ++ /* Iterate to next GPollFD. */ + i++; + } + +@@ -4320,6 +4347,7 @@ g_main_context_add_poll_unlocked (GMainContext *context, + newrec->fd = fd; + newrec->priority = priority; + ++ /* Poll records are incrementally sorted by file descriptor identifier. */ + prevrec = NULL; + nextrec = context->poll_records; + while (nextrec) +diff --git a/glib/tests/mainloop.c b/glib/tests/mainloop.c +index f5d672a63..397921f2d 100644 +--- a/glib/tests/mainloop.c ++++ b/glib/tests/mainloop.c +@@ -1511,6 +1511,62 @@ test_unix_file_poll (void) + close (fd); + } + ++static void ++test_unix_fd_priority (void) ++{ ++ gint fd1, fd2; ++ GMainLoop *loop; ++ GSource *source; ++ ++ gint s1 = 0; ++ gboolean s2 = FALSE, s3 = FALSE; ++ ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/1592"); ++ ++ loop = g_main_loop_new (NULL, FALSE); ++ ++ source = g_idle_source_new (); ++ g_source_set_callback (source, count_calls, &s1, NULL); ++ g_source_set_priority (source, 0); ++ g_source_attach (source, NULL); ++ g_source_unref (source); ++ ++ fd1 = open ("/dev/random", O_RDONLY); ++ g_assert_cmpint (fd1, >=, 0); ++ source = g_unix_fd_source_new (fd1, G_IO_IN); ++ g_source_set_callback (source, (GSourceFunc) (void (*)(void)) (flag_bool), &s2, NULL); ++ g_source_set_priority (source, 10); ++ g_source_attach (source, NULL); ++ g_source_unref (source); ++ ++ fd2 = open ("/dev/random", O_RDONLY); ++ g_assert_cmpint (fd2, >=, 0); ++ source = g_unix_fd_source_new (fd2, G_IO_IN); ++ g_source_set_callback (source, (GSourceFunc) (void (*)(void)) (flag_bool), &s3, NULL); ++ g_source_set_priority (source, 0); ++ g_source_attach (source, NULL); ++ g_source_unref (source); ++ ++ /* This tests a bug that depends on the source with the lowest FD ++ identifier to have the lowest priority. Make sure that this is ++ the case. */ ++ g_assert_cmpint (fd1, <, fd2); ++ ++ g_assert_true (g_main_context_iteration (NULL, FALSE)); ++ ++ /* Idle source should have been dispatched. */ ++ g_assert_cmpint (s1, ==, 1); ++ /* Low priority FD source shouldn't have been dispatched. */ ++ g_assert_false (s2); ++ /* Default priority FD source should have been dispatched. */ ++ g_assert_true (s3); ++ ++ g_main_loop_unref (loop); ++ ++ close (fd1); ++ close (fd2); ++} ++ + #endif + + static gboolean +@@ -1751,6 +1807,7 @@ main (int argc, char *argv[]) + g_test_add_func ("/mainloop/source-unix-fd-api", test_source_unix_fd_api); + g_test_add_func ("/mainloop/wait", test_mainloop_wait); + g_test_add_func ("/mainloop/unix-file-poll", test_unix_file_poll); ++ g_test_add_func ("/mainloop/unix-fd-priority", test_unix_fd_priority); + #endif + g_test_add_func ("/mainloop/nfds", test_nfds); + +-- +2.31.1 + diff --git a/SOURCES/0001-codegen-Change-pointer-casting-to-remove-type-punnin.patch b/SOURCES/309.patch similarity index 100% rename from SOURCES/0001-codegen-Change-pointer-casting-to-remove-type-punnin.patch rename to SOURCES/309.patch diff --git a/SOURCES/0001-build-sys-Pass-CFLAGS-to-DTRACE.patch b/SOURCES/409.patch similarity index 100% rename from SOURCES/0001-build-sys-Pass-CFLAGS-to-DTRACE.patch rename to SOURCES/409.patch diff --git a/SOURCES/0001-gdbus-unix-addresses-test-don-t-g_debug-when-also-te.patch b/SOURCES/50.patch similarity index 100% rename from SOURCES/0001-gdbus-unix-addresses-test-don-t-g_debug-when-also-te.patch rename to SOURCES/50.patch diff --git a/SOURCES/0001-gdbus-codegen-honor-Property.EmitsChangedSignal-anno.patch b/SOURCES/532.patch similarity index 100% rename from SOURCES/0001-gdbus-codegen-honor-Property.EmitsChangedSignal-anno.patch rename to SOURCES/532.patch diff --git a/SOURCES/0001-spawn-add-shebang-line-to-script.patch b/SOURCES/546.patch similarity index 100% rename from SOURCES/0001-spawn-add-shebang-line-to-script.patch rename to SOURCES/546.patch diff --git a/SOURCES/0001-gfile-Limit-access-to-files-when-copying.patch b/SOURCES/CVE-2019-12450.patch similarity index 100% rename from SOURCES/0001-gfile-Limit-access-to-files-when-copying.patch rename to SOURCES/CVE-2019-12450.patch diff --git a/SOURCES/CVE-2021-27218.patch b/SOURCES/CVE-2021-27218.patch index 7ffc4ce..15aa571 100644 --- a/SOURCES/CVE-2021-27218.patch +++ b/SOURCES/CVE-2021-27218.patch @@ -126,3 +126,4 @@ index 5ea5c2b35..42281307b 100644 g_test_add_func ("/bytes/null", test_null); -- 2.31.1 + diff --git a/SOURCES/CVE-2021-28153.patch b/SOURCES/CVE-2021-28153.patch new file mode 100644 index 0000000..9397463 --- /dev/null +++ b/SOURCES/CVE-2021-28153.patch @@ -0,0 +1,388 @@ +From 8fef6abe1131da0c8a7211c740a12ebe11cbcc51 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 10 Mar 2021 16:05:55 +0000 +Subject: [PATCH 1/3] glocalfileoutputstream: Factor out a flag check + +This clarifies the code a little. It introduces no functional changes. + +Signed-off-by: Philip Withnall +--- + gio/glocalfileoutputstream.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 57d2d5dfe..6a70b2a04 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -751,6 +751,7 @@ handle_overwrite_open (const char *filename, + int res; + int mode; + int errsv; ++ gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION); + + mode = mode_from_flags_or_info (flags, reference_info); + +@@ -857,8 +858,8 @@ handle_overwrite_open (const char *filename, + * The second strategy consist simply in copying the old file + * to a backup file and rewrite the contents of the file. + */ +- +- if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) || ++ ++ if (replace_destination_set || + (!(original_stat.st_nlink > 1) && !is_symlink)) + { + char *dirname, *tmp_filename; +@@ -877,7 +878,7 @@ handle_overwrite_open (const char *filename, + + /* try to keep permissions (unless replacing) */ + +- if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) && ++ if (!replace_destination_set && + ( + #ifdef HAVE_FCHOWN + fchown (tmpfd, original_stat.st_uid, original_stat.st_gid) == -1 || +@@ -1016,7 +1017,7 @@ handle_overwrite_open (const char *filename, + } + } + +- if (flags & G_FILE_CREATE_REPLACE_DESTINATION) ++ if (replace_destination_set) + { + g_close (fd, NULL); + +-- +2.31.1 + +From 6c10e8ce6905e8fcc3466eb8af707b5d0d3bdb85 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 24 Feb 2021 17:36:07 +0000 +Subject: [PATCH 2/3] glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION + with symlinks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking +the destination file and re-creating it from scratch. That did +previously work, but in the process the code would call `open(O_CREAT)` +on the file. If the file was a dangling symlink, this would create the +destination file (empty). That’s not an intended side-effect, and has +security implications if the symlink is controlled by a lower-privileged +process. + +Fix that by not opening the destination file if it’s a symlink, and +adjusting the rest of the code to cope with + - the fact that `fd == -1` is not an error iff `is_symlink` is true, + - and that `original_stat` will contain the `lstat()` results for the + symlink now, rather than the `stat()` results for its target (again, + iff `is_symlink` is true). + +This means that the target of the dangling symlink is no longer created, +which was the bug. The symlink itself continues to be replaced (as +before) with the new file — this is the intended behaviour of +`g_file_replace()`. + +The behaviour for non-symlink cases, or cases where the symlink was not +dangling, should be unchanged. + +Includes a unit test. + +Signed-off-by: Philip Withnall + +Fixes: #2325 +--- + gio/glocalfileoutputstream.c | 63 ++++++++++++++------- + gio/tests/file.c | 107 ++++++++++++++++++++++++++++++++++- + 2 files changed, 149 insertions(+), 21 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 6a70b2a04..4a7766f68 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -779,16 +779,22 @@ handle_overwrite_open (const char *filename, + /* Could be a symlink, or it could be a regular ELOOP error, + * but then the next open will fail too. */ + is_symlink = TRUE; +- fd = g_open (filename, open_flags, mode); ++ if (!replace_destination_set) ++ fd = g_open (filename, open_flags, mode); + } +-#else +- fd = g_open (filename, open_flags, mode); +- errsv = errno; ++#else /* if !O_NOFOLLOW */ + /* This is racy, but we do it as soon as possible to minimize the race */ + is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK); ++ ++ if (!is_symlink || !replace_destination_set) ++ { ++ fd = g_open (filename, open_flags, mode); ++ errsv = errno; ++ } + #endif + +- if (fd == -1) ++ if (fd == -1 && ++ (!is_symlink || !replace_destination_set)) + { + char *display_name = g_filename_display_name (filename); + g_set_error (error, G_IO_ERROR, +@@ -800,10 +806,17 @@ handle_overwrite_open (const char *filename, + } + + #ifdef G_OS_WIN32 +- res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat); +-#else +- res = fstat (fd, &original_stat); ++#error This patch has not been ported to Windows, sorry + #endif ++ ++ if (!is_symlink) ++ { ++ res = fstat (fd, &original_stat); ++ } ++ else ++ { ++ res = lstat (filename, &original_stat); ++ } + errsv = errno; + + if (res != 0) +@@ -821,16 +834,27 @@ handle_overwrite_open (const char *filename, + if (!S_ISREG (original_stat.st_mode)) + { + if (S_ISDIR (original_stat.st_mode)) +- g_set_error_literal (error, +- G_IO_ERROR, +- G_IO_ERROR_IS_DIRECTORY, +- _("Target file is a directory")); +- else +- g_set_error_literal (error, +- G_IO_ERROR, +- G_IO_ERROR_NOT_REGULAR_FILE, +- _("Target file is not a regular file")); +- goto err_out; ++ { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_IS_DIRECTORY, ++ _("Target file is a directory")); ++ goto err_out; ++ } ++ else if (!is_symlink || ++#ifdef S_ISLNK ++ !S_ISLNK (original_stat.st_mode) ++#else ++ FALSE ++#endif ++ ) ++ { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_NOT_REGULAR_FILE, ++ _("Target file is not a regular file")); ++ goto err_out; ++ } + } + + if (etag != NULL) +@@ -911,7 +935,8 @@ handle_overwrite_open (const char *filename, + } + } + +- g_close (fd, NULL); ++ if (fd >= 0) ++ g_close (fd, NULL); + *temp_filename = tmp_filename; + return tmpfd; + } +diff --git a/gio/tests/file.c b/gio/tests/file.c +index 98eeb85d4..44db6e295 100644 +--- a/gio/tests/file.c ++++ b/gio/tests/file.c +@@ -671,8 +671,6 @@ test_replace_cancel (void) + guint count; + GError *error = NULL; + +- g_test_bug ("629301"); +- + path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error); + g_assert_no_error (error); + tmpdir = g_file_new_for_path (path); +@@ -779,6 +777,110 @@ test_replace_cancel (void) + g_object_unref (tmpdir); + } + ++static void ++test_replace_symlink (void) ++{ ++#ifdef G_OS_UNIX ++ gchar *tmpdir_path = NULL; ++ GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL; ++ GFileOutputStream *stream = NULL; ++ const gchar *new_contents = "this is a test message which should be written to source and not target"; ++ gsize n_written; ++ GFileEnumerator *enumerator = NULL; ++ GFileInfo *info = NULL; ++ gchar *contents = NULL; ++ gsize length = 0; ++ GError *local_error = NULL; ++ ++ /* Create a fresh, empty working directory. */ ++ tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error); ++ g_assert_no_error (local_error); ++ tmpdir = g_file_new_for_path (tmpdir_path); ++ ++ g_test_message ("Using temporary directory %s", tmpdir_path); ++ g_free (tmpdir_path); ++ ++ /* Create symlink `source` which points to `target`. */ ++ source_file = g_file_get_child (tmpdir, "source"); ++ target_file = g_file_get_child (tmpdir, "target"); ++ g_file_make_symbolic_link (source_file, "target", NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ /* Ensure that `target` doesn’t exist */ ++ g_assert_false (g_file_query_exists (target_file, NULL)); ++ ++ /* Replace the `source` symlink with a regular file using ++ * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without* ++ * following the symlink */ ++ stream = g_file_replace (source_file, NULL, FALSE /* no backup */, ++ G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents), ++ &n_written, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpint (n_written, ==, strlen (new_contents)); ++ ++ g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_object (&stream); ++ ++ /* At this point, there should still only be one file: `source`. It should ++ * now be a regular file. `target` should not exist. */ ++ enumerator = g_file_enumerate_children (tmpdir, ++ G_FILE_ATTRIBUTE_STANDARD_NAME "," ++ G_FILE_ATTRIBUTE_STANDARD_TYPE, ++ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_nonnull (info); ++ ++ g_assert_cmpstr (g_file_info_get_name (info), ==, "source"); ++ g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR); ++ ++ g_clear_object (&info); ++ ++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_null (info); ++ ++ g_file_enumerator_close (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_clear_object (&enumerator); ++ ++ /* Double-check that `target` doesn’t exist */ ++ g_assert_false (g_file_query_exists (target_file, NULL)); ++ ++ /* Check the content of `source`. */ ++ g_file_load_contents (source_file, ++ NULL, ++ &contents, ++ &length, ++ NULL, ++ &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpstr (contents, ==, new_contents); ++ g_assert_cmpuint (length, ==, strlen (new_contents)); ++ g_free (contents); ++ ++ /* Tidy up. */ ++ g_file_delete (source_file, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_file_delete (tmpdir, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_object (&target_file); ++ g_clear_object (&source_file); ++ g_clear_object (&tmpdir); ++#else /* if !G_OS_UNIX */ ++ g_test_skip ("Symlink replacement tests can only be run on Unix") ++#endif ++} ++ + static void + on_file_deleted (GObject *object, + GAsyncResult *result, +@@ -1170,6 +1272,7 @@ main (int argc, char *argv[]) + g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete); + g_test_add_func ("/file/replace-load", test_replace_load); + g_test_add_func ("/file/replace-cancel", test_replace_cancel); ++ g_test_add_func ("/file/replace-symlink", test_replace_symlink); + g_test_add_func ("/file/async-delete", test_async_delete); + #ifdef G_OS_UNIX + g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode); +-- +2.31.1 + +From 7f0b0d7fd744ad2f51236444005db49c80a0293d Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 24 Feb 2021 17:42:24 +0000 +Subject: [PATCH 3/3] glocalfileoutputstream: Add a missing O_CLOEXEC flag to + replace() + +Signed-off-by: Philip Withnall +--- + gio/glocalfileoutputstream.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 4a7766f68..275770fa4 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -56,6 +56,12 @@ + #define O_BINARY 0 + #endif + ++#ifndef O_CLOEXEC ++#define O_CLOEXEC 0 ++#else ++#define HAVE_O_CLOEXEC 1 ++#endif ++ + struct _GLocalFileOutputStreamPrivate { + char *tmp_filename; + char *original_filename; +@@ -1127,7 +1133,7 @@ _g_local_file_output_stream_replace (const char *filename, + sync_on_close = FALSE; + + /* If the file doesn't exist, create it */ +- open_flags = O_CREAT | O_EXCL | O_BINARY; ++ open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC; + if (readable) + open_flags |= O_RDWR; + else +@@ -1157,8 +1163,11 @@ _g_local_file_output_stream_replace (const char *filename, + set_error_from_open_errno (filename, error); + return NULL; + } +- +- ++#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD) ++ else ++ fcntl (fd, F_SETFD, FD_CLOEXEC); ++#endif ++ + stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL); + stream->priv->fd = fd; + stream->priv->sync_on_close = sync_on_close; +-- +2.31.1 + diff --git a/SOURCES/ghmac-gnutls.patch b/SOURCES/ghmac-gnutls.patch index 6ba3313..8b5babb 100644 --- a/SOURCES/ghmac-gnutls.patch +++ b/SOURCES/ghmac-gnutls.patch @@ -1,7 +1,7 @@ -From 440a178c5aad19050a3d5b5d76881931138af680 Mon Sep 17 00:00:00 2001 +From c5cc0bb6f2d6e468c7402915a0a4e6799f0febdf Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 7 Jun 2019 18:44:43 +0000 -Subject: [PATCH 1/2] ghmac: Split off wrapper functions into ghmac-utils.c +Subject: [PATCH 1/3] ghmac: Split off wrapper functions into ghmac-utils.c Prep for adding a GnuTLS HMAC implementation; these are just utility functions that call the "core" API. @@ -14,7 +14,7 @@ utility functions that call the "core" API. create mode 100644 glib/ghmac-utils.c diff --git a/glib/Makefile.am b/glib/Makefile.am -index 8da549c7f..c367b09ad 100644 +index c0c3b92f0..43fa17051 100644 --- a/glib/Makefile.am +++ b/glib/Makefile.am @@ -126,6 +126,7 @@ libglib_2_0_la_SOURCES = \ @@ -297,7 +297,7 @@ index 9b58fd81c..7db38e34a 100644 - (const guchar *) str, length); -} diff --git a/glib/meson.build b/glib/meson.build -index 9df77b6f9..c7f28b5b6 100644 +index c81e99f9c..306a67f13 100644 --- a/glib/meson.build +++ b/glib/meson.build @@ -138,6 +138,7 @@ glib_sources = files( @@ -309,13 +309,12 @@ index 9df77b6f9..c7f28b5b6 100644 'ghostutils.c', 'giochannel.c', -- -2.21.0 +2.31.1 - -From 423355787ba9133b310c0b72708024b1428d7d14 Mon Sep 17 00:00:00 2001 +From 3befcf1eb31e0fa7a988b22a9c24240218cd4744 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 7 Jun 2019 19:36:54 +0000 -Subject: [PATCH 2/2] Add a gnutls backend for GHmac +Subject: [PATCH 2/3] Add a gnutls backend for GHmac For RHEL we want apps to use FIPS-certified crypto libraries, and HMAC apparently counts as "keyed" and hence needs to @@ -329,26 +328,53 @@ Most distributors ship glib-networking built with GnuTLS, and most apps use glib-networking, so this isn't a net-new library in most cases. -However, a fun wrinkle is that the GnuTLS HMAC API doesn't expose -the necessary bits to implement `g_hmac_copy()`; OpenSSL does. -I chose to just make that abort for now since I didn't find -apps using it. +======================================================================= + +mcatanzaro note: + +I've updated Colin's original patch with several enhancements: + +Implement g_hmac_copy() using gnutls_hmac_copy(), which didn't exist +when Colin developed this patch. + +Removed use of GSlice + +Better error checking in g_hmac_new(). It is possible for +gnutls_hmac_init() to fail if running in FIPS mode and an MD5 digest is +requested. In this case, we should return NULL rather than returning a +broken GHmac with a NULL gnutls_hmac_hd_t. This was leading to a later +null pointer dereference inside gnutls_hmac_update(). Applications are +responsible for checking to ensure the return value of g_hmac_new() is +not NULL since it is annotated as nullable. Added documentation to +indicate this possibility. + +Properly handle length -1 in g_hmac_update(). This means we've been +given a NUL-terminated string and should use strlen(). GnuTLS doesn't +accept -1, so let's call strlen() ourselves. + +Crash the application with g_error() if gnutls_hmac() fails for any +reason. This is necessary because g_hmac_update() is not fallible, so we +have no way to indicate error. Crashing seems better than returning the +wrong result later when g_hmac_get_string() or g_hmac_get_digest() is +later called. (Those functions are also not fallible.) Fortunately, I +don't think this error should actually be hit in practice. + +https://gitlab.gnome.org/GNOME/glib/-/merge_requests/903 --- - glib/Makefile.am | 9 ++- - glib/gchecksum.c | 9 +-- - glib/gchecksumprivate.h | 32 +++++++++ - glib/ghmac-gnutls.c | 151 ++++++++++++++++++++++++++++++++++++++++ - glib/ghmac.c | 1 + + glib/Makefile.am | 8 +- + glib/gchecksum.c | 9 +- + glib/gchecksumprivate.h | 32 +++++++ + glib/ghmac-gnutls.c | 182 ++++++++++++++++++++++++++++++++++++++++ + glib/ghmac.c | 13 +++ glib/meson.build | 10 ++- - glib/tests/hmac.c | 6 ++ meson.build | 7 ++ meson_options.txt | 5 ++ - 9 files changed, 221 insertions(+), 9 deletions(-) + 8 files changed, 258 insertions(+), 8 deletions(-) create mode 100644 glib/gchecksumprivate.h create mode 100644 glib/ghmac-gnutls.c diff --git a/glib/Makefile.am b/glib/Makefile.am -index c367b09ad..b0a721ad0 100644 +index 43fa17051..1175bbe40 100644 --- a/glib/Makefile.am +++ b/glib/Makefile.am @@ -125,7 +125,7 @@ libglib_2_0_la_SOURCES = \ @@ -360,7 +386,7 @@ index c367b09ad..b0a721ad0 100644 ghmac-utils.c \ ghook.c \ ghostutils.c \ -@@ -352,11 +352,14 @@ pcre_lib = pcre/libpcre.la +@@ -352,11 +352,15 @@ pcre_lib = pcre/libpcre.la pcre_inc = endif @@ -372,8 +398,8 @@ index c367b09ad..b0a721ad0 100644 libglib_2_0_la_LIBADD = libcharset/libcharset.la $(printf_la) @GIO@ @GSPAWN@ @PLATFORMDEP@ @ICONV_LIBS@ @G_LIBS_EXTRA@ $(pcre_lib) $(G_THREAD_LIBS_EXTRA) $(G_THREAD_LIBS_FOR_GTHREAD) $(LIBSYSTEMD_LIBS) libglib_2_0_la_DEPENDENCIES = libcharset/libcharset.la $(printf_la) @GIO@ @GSPAWN@ @PLATFORMDEP@ $(glib_win32_res) $(glib_def) --libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) \ -+libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) $(gnutls_libs) \ + libglib_2_0_la_LDFLAGS = $(GLIB_LINK_FLAGS) \ ++ $(gnutls_libs) \ $(glib_win32_res_ldflag) \ -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) \ -export-dynamic $(no_undefined) @@ -452,10 +478,10 @@ index 000000000..86c7a3b61 \ No newline at end of file diff --git a/glib/ghmac-gnutls.c b/glib/ghmac-gnutls.c new file mode 100644 -index 000000000..3b4dfb872 +index 000000000..522b9b302 --- /dev/null +++ b/glib/ghmac-gnutls.c -@@ -0,0 +1,160 @@ +@@ -0,0 +1,182 @@ +/* ghmac.h - data hashing functions + * + * Copyright (C) 2011 Collabora Ltd. @@ -506,9 +532,11 @@ index 000000000..3b4dfb872 + gsize key_len) +{ + gnutls_mac_algorithm_t algo; -+ GHmac *hmac = g_slice_new0 (GHmac); ++ GHmac *hmac = g_new0 (GHmac, 1); ++ int ret; ++ + hmac->ref_count = 1; -+ hmac->digest_type = digest_type; ++ hmac->digest_type = digest_type; + + switch (digest_type) + { @@ -531,7 +559,15 @@ index 000000000..3b4dfb872 + g_return_val_if_reached (NULL); + } + -+ gnutls_hmac_init (&hmac->hmac, algo, key, key_len); ++ ret = gnutls_hmac_init (&hmac->hmac, algo, key, key_len); ++ if (ret != 0) ++ { ++ /* There is no way to report an error here, but one possible cause of ++ * failure is that the requested digest may be disabled by FIPS mode. ++ */ ++ g_free (hmac->hmac); ++ return NULL; ++ } + + return hmac; +} @@ -543,11 +579,15 @@ index 000000000..3b4dfb872 + + g_return_val_if_fail (hmac != NULL, NULL); + -+ copy = g_slice_new0 (GHmac); ++ copy = g_new0 (GHmac, 1); + copy->ref_count = 1; + copy->digest_type = hmac->digest_type; + copy->hmac = gnutls_hmac_copy (hmac->hmac); + ++ /* g_hmac_copy is not allowed to fail, so we'll have to crash on error. */ ++ if (!copy->hmac) ++ g_error ("gnutls_hmac_copy failed"); ++ + return copy; +} + @@ -570,7 +610,7 @@ index 000000000..3b4dfb872 + { + gnutls_hmac_deinit (hmac->hmac, NULL); + g_free (hmac->digest_str); -+ g_slice_free (GHmac, hmac); ++ g_free (hmac); + } +} + @@ -580,10 +620,18 @@ index 000000000..3b4dfb872 + const guchar *data, + gssize length) +{ ++ int ret; ++ + g_return_if_fail (hmac != NULL); + g_return_if_fail (length == 0 || data != NULL); + -+ gnutls_hmac (hmac->hmac, data, length); ++ if (length == -1) ++ length = strlen ((const char *)data); ++ ++ /* g_hmac_update is not allowed to fail, so we'll have to crash on error. */ ++ ret = gnutls_hmac (hmac->hmac, data, length); ++ if (ret != 0) ++ g_error ("gnutls_hmac failed: %s", gnutls_strerror (ret)); +} + +const gchar * @@ -617,7 +665,7 @@ index 000000000..3b4dfb872 + *digest_len = g_checksum_type_get_length (hmac->digest_type); +} diff --git a/glib/ghmac.c b/glib/ghmac.c -index 7db38e34a..b12eb07c4 100644 +index 7db38e34a..b03a5aea7 100644 --- a/glib/ghmac.c +++ b/glib/ghmac.c @@ -33,6 +33,7 @@ @@ -628,11 +676,38 @@ index 7db38e34a..b12eb07c4 100644 /** * SECTION:hmac +@@ -84,6 +85,18 @@ struct _GHmac + * Support for digests of type %G_CHECKSUM_SHA512 has been added in GLib 2.42. + * Support for %G_CHECKSUM_SHA384 was added in GLib 2.52. + * ++ * Note that #GHmac creation may fail, in which case this function will ++ * return %NULL. Since there is no error parameter, it is not possible ++ * to indicate why. ++ * ++ * In Fedora, CentOS Stream, and Red Hat Enterprise Linux, GLib is ++ * configured to use GnuTLS to implement #GHmac in order to support FIPS ++ * compliance. This introduces additional failure possibilities that are ++ * not present in upstream GLib. For example, the creation of a #GHmac ++ * will fail if @digest_type is %G_CHECKSUM_MD5 and the system is ++ * running in FIPS mode. #GHmac creation may also fail if GLib is unable ++ * to load GnuTLS. ++ * + * Returns: the newly created #GHmac, or %NULL. + * Use g_hmac_unref() to free the memory allocated by it. + * diff --git a/glib/meson.build b/glib/meson.build -index c7f28b5b6..a2f9da81c 100644 +index 306a67f13..07d41456d 100644 --- a/glib/meson.build +++ b/glib/meson.build -@@ -137,7 +137,6 @@ glib_sources = files( +@@ -127,6 +127,7 @@ glib_sources = files( + 'gbytes.c', + 'gcharset.c', + 'gchecksum.c', ++ 'gchecksumprivate.h', + 'gconvert.c', + 'gdataset.c', + 'gdate.c', +@@ -137,7 +138,6 @@ glib_sources = files( 'gfileutils.c', 'ggettext.c', 'ghash.c', @@ -640,15 +715,7 @@ index c7f28b5b6..a2f9da81c 100644 'ghmac-utils.c', 'ghook.c', 'ghostutils.c', -@@ -185,6 +184,7 @@ glib_sources = files( - 'gunidecomp.c', - 'gurifuncs.c', - 'gutils.c', -+ 'gchecksumprivate.h', - 'guuid.c', - 'gvariant.c', - 'gvariant-core.c', -@@ -222,6 +222,12 @@ else +@@ -223,6 +223,12 @@ else glib_dtrace_hdr = [] endif @@ -661,17 +728,17 @@ index c7f28b5b6..a2f9da81c 100644 pcre_static_args = [] if use_pcre_static_flag -@@ -238,7 +244,7 @@ libglib = library('glib-2.0', +@@ -239,7 +245,7 @@ libglib = library('glib-2.0', link_args : platform_ldflags + noseh_link_args, include_directories : configinc, link_with : [charset_lib, gnulib_lib], - dependencies : [pcre, thread_dep, libintl, librt] + libiconv + platform_deps, -+ dependencies : [pcre, thread_dep, libintl, librt] + libiconv + platform_deps + libgnutls_dep, ++ dependencies : [pcre, thread_dep, libintl, librt] + libgnutls_dep + libiconv + platform_deps, c_args : ['-DG_LOG_DOMAIN="GLib"', '-DGLIB_COMPILATION'] + pcre_static_args + glib_hidden_visibility_args ) diff --git a/meson.build b/meson.build -index 0cefee51d..81b16b004 100644 +index 0cefee51d..eaf8d3900 100644 --- a/meson.build +++ b/meson.build @@ -1596,6 +1596,13 @@ if host_system == 'linux' and get_option('libmount') @@ -705,5 +772,63 @@ index 4504c6858..d18c42a36 100644 type : 'boolean', value : false, -- -2.21.0 +2.31.1 +From 87280b23902290dcf843a42d06cedeef571a673f Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro +Date: Thu, 1 Jul 2021 15:51:26 -0500 +Subject: [PATCH 3/3] Add more tests for GHmac + +This will test a few problems that we hit recently: + +g_hmac_copy() is broken, https://bugzilla.redhat.com/show_bug.cgi?id=1786538 + +Crash in g_hmac_update() in FIPS mode, https://bugzilla.redhat.com/show_bug.cgi?id=1971533 + +Crash when passing -1 length to g_hmac_update() (discovered in #1971533) +--- + glib/tests/hmac.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c +index 3ac3206df..16b2fac9c 100644 +--- a/glib/tests/hmac.c ++++ b/glib/tests/hmac.c +@@ -493,6 +493,27 @@ test_hmac_for_bytes (void) + g_bytes_unref (data); + } + ++static void ++test_ghmac_gnutls_regressions (void) ++{ ++ GHmac *hmac; ++ GHmac *copy; ++ ++ hmac = g_hmac_new (G_CHECKSUM_SHA256, (const guchar *)"abc123", sizeof ("abc123")); ++ g_assert_nonnull (hmac); ++ ++ /* Ensure g_hmac_update() does not crash when called with -1. */ ++ g_hmac_update (hmac, (const guchar *)"You win again, gravity!", -1); ++ ++ /* Ensure g_hmac_copy() does not crash. */ ++ copy = g_hmac_copy (hmac); ++ g_assert_nonnull (hmac); ++ g_hmac_unref (hmac); ++ ++ g_assert_cmpstr (g_hmac_get_string (copy), ==, "795ba6900bcb22e8ce65c2ec02db4e85697da921deb960ee3143bf88a4a60f83"); ++ g_hmac_unref (copy); ++} ++ + int + main (int argc, + char **argv) +@@ -545,6 +566,7 @@ main (int argc, + g_test_add_func ("/hmac/for-data", test_hmac_for_data); + g_test_add_func ("/hmac/for-string", test_hmac_for_string); + g_test_add_func ("/hmac/for-bytes", test_hmac_for_bytes); ++ g_test_add_func ("/hmac/ghmac-gnutls-regressions", test_ghmac_gnutls_regressions); + + return g_test_run (); + } +-- +2.31.1 diff --git a/SOURCES/0001-tests-Allocate-gvariant-data-from-the-heap-to-guaran.patch b/SOURCES/gvariant-tests.patch similarity index 66% rename from SOURCES/0001-tests-Allocate-gvariant-data-from-the-heap-to-guaran.patch rename to SOURCES/gvariant-tests.patch index 9107242..5381817 100644 --- a/SOURCES/0001-tests-Allocate-gvariant-data-from-the-heap-to-guaran.patch +++ b/SOURCES/gvariant-tests.patch @@ -94,3 +94,49 @@ index 6e417f6c1..a7b19826d 100644 -- 2.19.1 +From 4ef58e5661849317a1110c9b93957f2c608677dd Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Thu, 3 Jan 2019 08:21:40 +0000 +Subject: [PATCH 2/2] gvariant test: Also force alignment for tuple test data + +glib!552 (commit 9eed22b3) fixed this for the tests that failed on i686, +but this additional test failed on Debian's s390x port +(IBM z/Architecture, 64-bit big-endian). + +Signed-off-by: Simon McVittie +--- + glib/tests/gvariant.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/glib/tests/gvariant.c b/glib/tests/gvariant.c +index a7b19826d..c4a996c1f 100644 +--- a/glib/tests/gvariant.c ++++ b/glib/tests/gvariant.c +@@ -4820,6 +4820,7 @@ test_normal_checking_array_offsets (void) + static void + test_normal_checking_tuple_offsets (void) + { ++ gpointer aligned_data; + const guint8 data[] = { + 0x07, 0xe5, 0x00, 0x07, 0x00, 0x07, + '(', 'a', 's', 'a', 's', 'a', 's', 'a', 's', 'a', 's', 'a', 's', ')', +@@ -4828,13 +4829,15 @@ test_normal_checking_tuple_offsets (void) + GVariant *variant = NULL; + GVariant *normal_variant = NULL; + +- variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, data, size, +- FALSE, NULL, NULL); ++ aligned_data = g_memdup (data, size); /* guarantee alignment */ ++ variant = g_variant_new_from_data (G_VARIANT_TYPE_VARIANT, aligned_data, ++ size, FALSE, NULL, NULL); + g_assert_nonnull (variant); + + normal_variant = g_variant_get_normal_form (variant); + g_assert_nonnull (normal_variant); + ++ g_free (aligned_data); + g_variant_unref (normal_variant); + g_variant_unref (variant); + } +-- +2.19.1 diff --git a/SPECS/glib2.spec b/SPECS/glib2.spec index 9cbca0e..57c539c 100644 --- a/SPECS/glib2.spec +++ b/SPECS/glib2.spec @@ -5,7 +5,7 @@ Name: glib2 Version: 2.56.4 -Release: 10%{?dist}.1 +Release: 156%{?dist} Summary: A library of handy utility functions License: LGPLv2+ @@ -37,50 +37,71 @@ BuildRequires: python3-devel # for GIO content-type support Recommends: shared-mime-info -# Downstream patches -Patch01: 0001-gdbus-unix-addresses-test-don-t-g_debug-when-also-te.patch - -# Backported from git master -Patch10: 0001-codegen-Change-pointer-casting-to-remove-type-punnin.patch -Patch11: 0001-spawn-add-shebang-line-to-script.patch -Patch12: 0001-build-sys-Pass-CFLAGS-to-DTRACE.patch -Patch13: 0001-gfile-Limit-access-to-files-when-copying.patch - -# Backported from git glib-2-56 branch -Patch20: 0001-tests-Allocate-gvariant-data-from-the-heap-to-guaran.patch -Patch21: 0002-gvariant-test-Also-force-alignment-for-tuple-test-da.patch - -# Backported from 2.58 (for 3.32 GNOME rebase) -Patch30: backport-per-desktop-overrides.patch - -# https://gitlab.gnome.org/GNOME/glib/merge_requests/903 +# Implement RHEL 8 core crypto components policy # https://bugzilla.redhat.com/show_bug.cgi?id=1630260 -Patch37: ghmac-gnutls.patch +# https://gitlab.gnome.org/GNOME/glib/merge_requests/903 +Patch0: ghmac-gnutls.patch -# Backported from git -Patch40: 0001-gdbus-codegen-honor-Property.EmitsChangedSignal-anno.patch +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/50 +Patch1: 50.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/309 +Patch2: 309.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/403 +Patch3: 409.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/546 +Patch4: 546.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/876 +Patch5: CVE-2019-12450.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/552 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/569 +Patch6: gvariant-tests.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/105 +Patch7: 105.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/532 +Patch8: 532.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1777213 -Patch50: 0001-gcredentialsprivate-Document-the-various-private-mac.patch -Patch51: 0001-GDBus-prefer-getsockopt-style-credentials-passing-AP.patch -Patch52: 0001-credentials-Invalid-Linux-struct-ucred-means-no-info.patch +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1176 +Patch9: 1176.patch -# Mostly from https://gitlab.gnome.org/GNOME/glib/-/commits/master/gio/gkeyfilesettingsbackend.c -Patch60: keyfile-backend.patch -# https://gitlab.gnome.org/GNOME/glib/-/issues/1658 -Patch61: CVE-2019-13012.patch +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/450 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/603 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/974 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/984 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/985 +Patch10: keyfile-backend.patch +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/604 +Patch11: CVE-2019-13012.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942 +Patch12: CVE-2021-27218.patch # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1927 # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2000 -Patch70: CVE-2021-27219.patch -# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1944 -Patch71: CVE-2021-27218.patch +Patch13: CVE-2021-27219.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1981 +Patch14: CVE-2021-28153.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1938284 +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1369 +Patch15: 1369.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1948988 # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/873 # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1353 # https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1691 -Patch80: gmain-corruption.patch +Patch16: gmain-corruption.patch + +# https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1713 +Patch17: 1713.patch %description GLib is the low-level core library that forms the basis for projects @@ -279,15 +300,34 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %{_datadir}/installed-tests %changelog -* Mon Jul 26 2021 Michael Catanzaro - 2.56.4-10.1 -- Fix CVE-2021-27218 - Resolves: #1974888 +* Thu Jul 01 2021 Michael Catanzaro - 2.56.4-15 +- Fix test failure introduced in previous update +- Related: #1971533 -* Thu May 20 2021 Michael Catanzaro - 2.56.4-10 +* Wed Jun 23 2021 Michael Catanzaro - 2.56.4-14 +- Refresh GHmac patchset +- Resolves: #1971533 + +* Thu May 20 2021 Michael Catanzaro - 2.56.4-13 +- Rename and consolidate existing patches for better maintainability +- Refresh CVE-2021-27219 patcheset, using better-targeted fixes + Resolves: #1939108 + +* Wed May 05 2021 Michael Catanzaro - 2.56.4-12 - Fix various problems in GMainContext - Resolves: #1953553 + Resolves: #1948988 + +* Tue May 04 2021 Michael Catanzaro - 2.56.4-11 +- Remove CHARSETALIASDIR environment variable + Resolves: #1938284 + +* Wed Mar 31 2021 Michael Catanzaro - 2.56.4-10 +- Fix CVE-2021-27218 + Resolves: #1939072 - Fix CVE-2021-27219 - Resolves: #1960600 + Resolves: #1939108 +- Fix CVE-2021-28153 + Resolves: #1939118 * Tue Nov 10 2020 Michael Catanzaro - 2.56.4-9 - Update GHmac patch to implement g_hmac_copy()