diff --git a/SOURCES/admin-Add-query_info_on_read-write-functionality.patch b/SOURCES/admin-Add-query_info_on_read-write-functionality.patch new file mode 100644 index 0000000..b0a27e7 --- /dev/null +++ b/SOURCES/admin-Add-query_info_on_read-write-functionality.patch @@ -0,0 +1,127 @@ +From 5cd76d627f4d1982b6e77a0e271ef9301732d09e Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Thu, 23 May 2019 10:24:36 +0200 +Subject: [PATCH] admin: Add query_info_on_read/write functionality + +Admin backend doesn't implement query_info_on_read/write which might +potentially lead to some race conditions which aren't really wanted +especially in case of admin backend. Let's add this missing functionality. +--- + daemon/gvfsbackendadmin.c | 79 +++++++++++++++++++++++++++++++++------ + 1 file changed, 67 insertions(+), 12 deletions(-) + +diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c +index 65a979e7..23d16f16 100644 +--- a/daemon/gvfsbackendadmin.c ++++ b/daemon/gvfsbackendadmin.c +@@ -42,6 +42,8 @@ + #include "gvfsjobopenforwrite.h" + #include "gvfsjobqueryattributes.h" + #include "gvfsjobqueryinfo.h" ++#include "gvfsjobqueryinforead.h" ++#include "gvfsjobqueryinfowrite.h" + #include "gvfsjobread.h" + #include "gvfsjobseekread.h" + #include "gvfsjobseekwrite.h" +@@ -155,6 +157,19 @@ complete_job (GVfsJob *job, + g_vfs_job_succeeded (job); + } + ++static void ++fix_file_info (GFileInfo *info) ++{ ++ /* Override read/write flags, since the above call will use access() ++ * to determine permissions, which does not honor our privileged ++ * capabilities. ++ */ ++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE); ++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE); ++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE); ++ g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE); ++} ++ + static void + do_query_info (GVfsBackend *backend, + GVfsJobQueryInfo *query_info_job, +@@ -180,19 +195,57 @@ do_query_info (GVfsBackend *backend, + if (error != NULL) + goto out; + +- /* Override read/write flags, since the above call will use access() +- * to determine permissions, which does not honor our privileged +- * capabilities. +- */ +- g_file_info_set_attribute_boolean (real_info, +- G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE); +- g_file_info_set_attribute_boolean (real_info, +- G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE); +- g_file_info_set_attribute_boolean (real_info, +- G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE); +- g_file_info_set_attribute_boolean (real_info, +- G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE); ++ fix_file_info (real_info); ++ g_file_info_copy_into (real_info, info); ++ g_object_unref (real_info); ++ ++ out: ++ complete_job (job, error); ++} ++ ++static void ++do_query_info_on_read (GVfsBackend *backend, ++ GVfsJobQueryInfoRead *query_info_job, ++ GVfsBackendHandle handle, ++ GFileInfo *info, ++ GFileAttributeMatcher *matcher) ++{ ++ GVfsJob *job = G_VFS_JOB (query_info_job); ++ GFileInputStream *stream = handle; ++ GError *error = NULL; ++ GFileInfo *real_info; ++ ++ real_info = g_file_input_stream_query_info (stream, query_info_job->attributes, ++ job->cancellable, &error); ++ if (error != NULL) ++ goto out; ++ ++ fix_file_info (real_info); ++ g_file_info_copy_into (real_info, info); ++ g_object_unref (real_info); ++ ++ out: ++ complete_job (job, error); ++} ++ ++static void ++do_query_info_on_write (GVfsBackend *backend, ++ GVfsJobQueryInfoWrite *query_info_job, ++ GVfsBackendHandle handle, ++ GFileInfo *info, ++ GFileAttributeMatcher *matcher) ++{ ++ GVfsJob *job = G_VFS_JOB (query_info_job); ++ GFileOutputStream *stream = handle; ++ GError *error = NULL; ++ GFileInfo *real_info; ++ ++ real_info = g_file_output_stream_query_info (stream, query_info_job->attributes, ++ job->cancellable, &error); ++ if (error != NULL) ++ goto out; + ++ fix_file_info (real_info); + g_file_info_copy_into (real_info, info); + g_object_unref (real_info); + +@@ -868,6 +921,8 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass) + backend_class->mount = do_mount; + backend_class->open_for_read = do_open_for_read; + backend_class->query_info = do_query_info; ++ backend_class->query_info_on_read = do_query_info_on_read; ++ backend_class->query_info_on_write = do_query_info_on_write; + backend_class->read = do_read; + backend_class->create = do_create; + backend_class->append_to = do_append_to; +-- +2.23.0 + diff --git a/SOURCES/admin-Ensure-correct-ownership-when-moving-to-file-u.patch b/SOURCES/admin-Ensure-correct-ownership-when-moving-to-file-u.patch new file mode 100644 index 0000000..f5e483a --- /dev/null +++ b/SOURCES/admin-Ensure-correct-ownership-when-moving-to-file-u.patch @@ -0,0 +1,80 @@ +From d5dfd823c94045488aef8727c553f1e0f7666b90 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Fri, 24 May 2019 09:43:43 +0200 +Subject: [PATCH] admin: Ensure correct ownership when moving to file:// uri + +User and group is not restored properly when moving (or copying with +G_FILE_COPY_ALL_METADATA) from admin:// to file://, because it is handled +by GIO fallback code, which doesn't run with root permissions. Let's +handle this case with pull method to ensure correct ownership. +--- + daemon/gvfsbackendadmin.c | 46 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 46 insertions(+) + +diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c +index 32b51b1a..9a7e8295 100644 +--- a/daemon/gvfsbackendadmin.c ++++ b/daemon/gvfsbackendadmin.c +@@ -807,6 +807,51 @@ do_move (GVfsBackend *backend, + complete_job (job, error); + } + ++static void ++do_pull (GVfsBackend *backend, ++ GVfsJobPull *pull_job, ++ const char *source, ++ const char *local_path, ++ GFileCopyFlags flags, ++ gboolean remove_source, ++ GFileProgressCallback progress_callback, ++ gpointer progress_callback_data) ++{ ++ GVfsBackendAdmin *self = G_VFS_BACKEND_ADMIN (backend); ++ GVfsJob *job = G_VFS_JOB (pull_job); ++ GError *error = NULL; ++ GFile *src_file, *dst_file; ++ ++ /* Pull method is necessary when user/group needs to be restored, return ++ * G_IO_ERROR_NOT_SUPPORTED in other cases to proceed with the fallback code. ++ */ ++ if (!(flags & G_FILE_COPY_ALL_METADATA)) ++ { ++ g_vfs_job_failed_literal (G_VFS_JOB (job), G_IO_ERROR, ++ G_IO_ERROR_NOT_SUPPORTED, ++ _("Operation not supported")); ++ return; ++ } ++ ++ if (!check_permission (self, job)) ++ return; ++ ++ src_file = g_file_new_for_path (source); ++ dst_file = g_file_new_for_path (local_path); ++ ++ if (remove_source) ++ g_file_move (src_file, dst_file, flags, job->cancellable, ++ progress_callback, progress_callback_data, &error); ++ else ++ g_file_copy (src_file, dst_file, flags, job->cancellable, ++ progress_callback, progress_callback_data, &error); ++ ++ g_object_unref (src_file); ++ g_object_unref (dst_file); ++ ++ complete_job (job, error); ++} ++ + static void + do_query_settable_attributes (GVfsBackend *backend, + GVfsJobQueryAttributes *query_job, +@@ -927,6 +972,7 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass) + backend_class->set_attribute = do_set_attribute; + backend_class->delete = do_delete; + backend_class->move = do_move; ++ backend_class->pull = do_pull; + backend_class->query_settable_attributes = do_query_settable_attributes; + backend_class->query_writable_namespaces = do_query_writable_namespaces; + } +-- +2.23.0 + diff --git a/SOURCES/admin-Use-fsuid-to-ensure-correct-file-ownership.patch b/SOURCES/admin-Use-fsuid-to-ensure-correct-file-ownership.patch new file mode 100644 index 0000000..a911d1d --- /dev/null +++ b/SOURCES/admin-Use-fsuid-to-ensure-correct-file-ownership.patch @@ -0,0 +1,87 @@ +From d7d362995aa0cb8905c8d5c2a2a4c305d2ffff80 Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Thu, 23 May 2019 10:33:30 +0200 +Subject: [PATCH] admin: Use fsuid to ensure correct file ownership + +Files created over admin backend should be owned by root, but they are +owned by the user itself. This is because the daemon drops the uid to +make dbus connection work. Use fsuid and euid to fix this issue. + +Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/21 +--- + daemon/gvfsbackendadmin.c | 29 +++++++---------------------- + 1 file changed, 7 insertions(+), 22 deletions(-) + +diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c +index a74d09cf..32b51b1a 100644 +--- a/daemon/gvfsbackendadmin.c ++++ b/daemon/gvfsbackendadmin.c +@@ -157,19 +157,6 @@ complete_job (GVfsJob *job, + g_vfs_job_succeeded (job); + } + +-static void +-fix_file_info (GFileInfo *info) +-{ +- /* Override read/write flags, since the above call will use access() +- * to determine permissions, which does not honor our privileged +- * capabilities. +- */ +- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE); +- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE); +- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE); +- g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE); +-} +- + static void + do_query_info (GVfsBackend *backend, + GVfsJobQueryInfo *query_info_job, +@@ -195,7 +182,6 @@ do_query_info (GVfsBackend *backend, + if (error != NULL) + goto out; + +- fix_file_info (real_info); + g_file_info_copy_into (real_info, info); + g_object_unref (real_info); + +@@ -220,7 +206,6 @@ do_query_info_on_read (GVfsBackend *backend, + if (error != NULL) + goto out; + +- fix_file_info (real_info); + g_file_info_copy_into (real_info, info); + g_object_unref (real_info); + +@@ -245,7 +230,6 @@ do_query_info_on_write (GVfsBackend *backend, + if (error != NULL) + goto out; + +- fix_file_info (real_info); + g_file_info_copy_into (real_info, info); + g_object_unref (real_info); + +@@ -977,14 +961,15 @@ acquire_caps (uid_t uid) + struct __user_cap_header_struct hdr; + struct __user_cap_data_struct data; + +- /* Tell kernel not clear capabilities when dropping root */ +- if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) +- g_error ("prctl(PR_SET_KEEPCAPS) failed"); +- +- /* Drop root uid, but retain the required permitted caps */ +- if (setuid (uid) < 0) ++ /* Set euid to user to make dbus work */ ++ if (seteuid (uid) < 0) + g_error ("unable to drop privs"); + ++ /* Set fsuid to still behave like root when working with files */ ++ setfsuid (0); ++ if (setfsuid (-1) != 0) ++ g_error ("setfsuid failed"); ++ + memset (&hdr, 0, sizeof(hdr)); + hdr.version = _LINUX_CAPABILITY_VERSION; + +-- +2.23.0 + diff --git a/SOURCES/udisks2-Fix-crashes-caused-by-missing-source-tag.patch b/SOURCES/udisks2-Fix-crashes-caused-by-missing-source-tag.patch new file mode 100644 index 0000000..07c0c97 --- /dev/null +++ b/SOURCES/udisks2-Fix-crashes-caused-by-missing-source-tag.patch @@ -0,0 +1,29 @@ +From 38831e4ea149a0b4731d123c63d8b493d30ad0be Mon Sep 17 00:00:00 2001 +From: Ondrej Holy +Date: Sat, 26 May 2018 08:16:02 +0200 +Subject: [PATCH] udisks2: Fix crashes caused by missing source tag + +GAsyncReadyCallback is never called from g_drive_stop, because +source_tag is not set, but checked. This obviously causes issues +for client applications. Add missing source_tag. + +Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/1 +--- + monitor/udisks2/gvfsudisks2drive.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/monitor/udisks2/gvfsudisks2drive.c b/monitor/udisks2/gvfsudisks2drive.c +index 52e9b75e..87656688 100644 +--- a/monitor/udisks2/gvfsudisks2drive.c ++++ b/monitor/udisks2/gvfsudisks2drive.c +@@ -915,6 +915,7 @@ gvfs_udisks2_drive_stop (GDrive *_drive, + GTask *task; + + task = g_task_new (drive, cancellable, callback, user_data); ++ g_task_set_source_tag (task, gvfs_udisks2_drive_stop); + + /* This information is needed in GVfsDdisks2Volume when apps have + * open files on the device ... we need to know if the button should +-- +2.23.0 + diff --git a/SPECS/gvfs.spec b/SPECS/gvfs.spec index 0f72956..0d4cfa8 100644 --- a/SPECS/gvfs.spec +++ b/SPECS/gvfs.spec @@ -25,7 +25,7 @@ Name: gvfs Version: 1.36.2 -Release: 6%{?dist} +Release: 8%{?dist} Summary: Backends for the gio framework in GLib License: GPLv3 and LGPLv2+ and BSD and MPLv2.0 @@ -48,6 +48,18 @@ Patch4: daemon-Prevent-spawning-new-daemons-if-outgoing-oper.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1739116 Patch5: smbbrowse-Force-NT1-protocol-version-for-workgroup-s.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1754506 +Patch6: admin-Add-query_info_on_read-write-functionality.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1752926 +Patch7: admin-Use-fsuid-to-ensure-correct-file-ownership.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1753972 +Patch8: admin-Ensure-correct-ownership-when-moving-to-file-u.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1759075 +Patch9: udisks2-Fix-crashes-caused-by-missing-source-tag.patch + BuildRequires: pkgconfig BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version} BuildRequires: pkgconfig(dbus-glib-1) @@ -61,7 +73,9 @@ BuildRequires: pkgconfig(avahi-glib) >= %{avahi_version} BuildRequires: pkgconfig(libsecret-1) BuildRequires: gettext-devel >= %{gettext_version} BuildRequires: pkgconfig(udisks2) >= %{udisks2_version} +%if ! 0%{?rhel} BuildRequires: pkgconfig(libbluray) +%endif BuildRequires: systemd-devel >= %{systemd_version} BuildRequires: pkgconfig(libxslt) BuildRequires: docbook-style-xsl @@ -242,6 +256,7 @@ autoreconf -fi --enable-installed-tests \ %if 0%{?rhel} --disable-nfs \ + --disable-bluray \ %endif %{nil} make %{?_smp_mflags} V=1 @@ -423,6 +438,15 @@ killall -USR1 gvfsd >&/dev/null || : %{_datadir}/installed-tests %changelog +* Tue Oct 8 2019 Ondrej Holy - 1.36.2-8 +- Fix udisks2 volume monitor crashes when stopping drive (rhbz#1759075) + +* Thu Sep 19 2019 Ondrej Holy - 1.36.2-7 +- Remove libbluray support (#1747972) +- CVE-2019-12448: Add query_info_on_read/write functionality (rhbz#1754506) +- CVE-2019-12447: Use fsuid to ensure correct file ownership (rhbz#1752926) +- CVE-2019-12449: Ensure correct ownership when moving to file:// uri (rhbz#1753972) + * Fri Aug 09 2019 Ondrej Holy - 1.36.2-6 - Prevent spawning new daemons if outgoing operation exists (#1739117) - Force NT1 protocol version for workgroup support (#1739116)