From 5090f150dae5a81fad0b8f183133189d18e38b97 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Fri, 30 Oct 2020 06:12:19 +0000 Subject: [PATCH] import spice-vdagent-0.20.0-2.el8 --- ...l-for-agent_owns_clipboard-and-clien.patch | 107 ++++++++++++ ...ntd-Automatically-release-agent_data.patch | 72 ++++++++ ...on-Pass-err-to-g_credentials_get_uni.patch | 34 ++++ ...check-for-vdagent_connection_get_pee.patch | 44 +++++ .../0009-vdagentd-Avoid-calling-chmod.patch | 49 ++++++ ...-file-transfer-IDs-allocation-and-us.patch | 84 +++++++++ ...ncontrolled-active_xfers-allocations.patch | 61 +++++++ ...2-Avoids-unlimited-agent-connections.patch | 50 ++++++ .../0013-Avoids-user-session-hijacking.patch | 144 +++++++++++++++ SOURCES/0014-Better-check-for-sessions.patch | 164 ++++++++++++++++++ ...it-number-of-agents-per-session-to-1.patch | 57 ++++++ ...ve_xfers-when-the-client-disconnects.patch | 27 +++ ...allow-to-use-an-already-used-file-xf.patch | 33 ++++ .../0018-Add-a-test-for-session_info.patch | 130 ++++++++++++++ SPECS/spice-vdagent.spec | 21 ++- 15 files changed, 1075 insertions(+), 2 deletions(-) create mode 100644 SOURCES/0005-vdagentd-Use-bool-for-agent_owns_clipboard-and-clien.patch create mode 100644 SOURCES/0006-vdagentd-Automatically-release-agent_data.patch create mode 100644 SOURCES/0007-vdagent-connection-Pass-err-to-g_credentials_get_uni.patch create mode 100644 SOURCES/0008-vdagentd-Better-check-for-vdagent_connection_get_pee.patch create mode 100644 SOURCES/0009-vdagentd-Avoid-calling-chmod.patch create mode 100644 SOURCES/0010-Avoids-unchecked-file-transfer-IDs-allocation-and-us.patch create mode 100644 SOURCES/0011-Avoids-uncontrolled-active_xfers-allocations.patch create mode 100644 SOURCES/0012-Avoids-unlimited-agent-connections.patch create mode 100644 SOURCES/0013-Avoids-user-session-hijacking.patch create mode 100644 SOURCES/0014-Better-check-for-sessions.patch create mode 100644 SOURCES/0015-vdagentd-Limit-number-of-agents-per-session-to-1.patch create mode 100644 SOURCES/0016-cleanup-active_xfers-when-the-client-disconnects.patch create mode 100644 SOURCES/0017-vdagentd-do-not-allow-to-use-an-already-used-file-xf.patch create mode 100644 SOURCES/0018-Add-a-test-for-session_info.patch diff --git a/SOURCES/0005-vdagentd-Use-bool-for-agent_owns_clipboard-and-clien.patch b/SOURCES/0005-vdagentd-Use-bool-for-agent_owns_clipboard-and-clien.patch new file mode 100644 index 0000000..7a5166a --- /dev/null +++ b/SOURCES/0005-vdagentd-Use-bool-for-agent_owns_clipboard-and-clien.patch @@ -0,0 +1,107 @@ +From 4bb11e214304209e37afe4bf324a7ce9e56f351c Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Mon, 21 Sep 2020 06:53:45 +0100 +Subject: [PATCH vd_agent_linux 05/17] vdagentd: Use bool for + agent_owns_clipboard and client_connected +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +More clear (instaed of 0/1) and save some bytes. + +Signed-off-by: Frediano Ziglio +Acked-by: Jakub Janků +--- + src/vdagentd/vdagentd.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c +index 753c9bf..051de74 100644 +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -23,6 +23,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -77,9 +78,9 @@ static int capabilities_size = 0; + static const char *active_session = NULL; + static unsigned int session_count = 0; + static UdscsConnection *active_session_conn = NULL; +-static int agent_owns_clipboard[256] = { 0, }; ++static bool agent_owns_clipboard[256] = { false, }; + static int retval = 0; +-static int client_connected = 0; ++static bool client_connected = false; + static int max_clipboard = -1; + static uint32_t clipboard_serial[256]; + +@@ -155,7 +156,7 @@ static void do_client_disconnect(void) + if (client_connected) { + udscs_server_write_all(server, VDAGENTD_CLIENT_DISCONNECTED, 0, 0, + NULL, 0); +- client_connected = 0; ++ client_connected = false; + } + } + +@@ -239,7 +240,7 @@ static void do_client_capabilities(VirtioPort *vport, + do_client_disconnect(); + if (debug) + syslog(LOG_DEBUG, "New client connected"); +- client_connected = 1; ++ client_connected = true; + memset(clipboard_serial, 0, sizeof(clipboard_serial)); + send_capabilities(vport, 0); + } +@@ -286,7 +287,7 @@ static void do_client_clipboard(VirtioPort *vport, + } + + msg_type = VDAGENTD_CLIPBOARD_GRAB; +- agent_owns_clipboard[selection] = 0; ++ agent_owns_clipboard[selection] = false; + break; + case VD_AGENT_CLIPBOARD_REQUEST: { + VDAgentClipboardRequest *req = (VDAgentClipboardRequest *)data; +@@ -624,7 +625,7 @@ static void virtio_port_read_complete( + + static void virtio_port_error_cb(VDAgentConnection *conn, GError *err) + { +- gboolean old_client_connected = client_connected; ++ bool old_client_connected = client_connected; + syslog(LOG_CRIT, "AIIEEE lost spice client connection, reconnecting (err: %s)", + err ? err->message : ""); + g_clear_error(&err); +@@ -717,7 +718,7 @@ static void do_agent_clipboard(UdscsConnection *conn, + switch (header->type) { + case VDAGENTD_CLIPBOARD_GRAB: + msg_type = VD_AGENT_CLIPBOARD_GRAB; +- agent_owns_clipboard[selection] = 1; ++ agent_owns_clipboard[selection] = true; + break; + case VDAGENTD_CLIPBOARD_REQUEST: + msg_type = VD_AGENT_CLIPBOARD_REQUEST; +@@ -737,7 +738,7 @@ static void do_agent_clipboard(UdscsConnection *conn, + case VDAGENTD_CLIPBOARD_RELEASE: + msg_type = VD_AGENT_CLIPBOARD_RELEASE; + size = 0; +- agent_owns_clipboard[selection] = 0; ++ agent_owns_clipboard[selection] = false; + break; + default: + syslog(LOG_WARNING, "unexpected clipboard message type"); +@@ -851,7 +852,7 @@ static void release_clipboards(void) + vdagent_virtio_port_write(virtio_port, VDP_CLIENT_PORT, + VD_AGENT_CLIPBOARD_RELEASE, 0, &sel, 1); + } +- agent_owns_clipboard[sel] = 0; ++ agent_owns_clipboard[sel] = false; + } + } + +-- +2.26.2 + diff --git a/SOURCES/0006-vdagentd-Automatically-release-agent_data.patch b/SOURCES/0006-vdagentd-Automatically-release-agent_data.patch new file mode 100644 index 0000000..60cc939 --- /dev/null +++ b/SOURCES/0006-vdagentd-Automatically-release-agent_data.patch @@ -0,0 +1,72 @@ +From 21fbcf665a7ad6b761e9342d116657d5c2353592 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Mon, 21 Sep 2020 07:00:39 +0100 +Subject: [PATCH vd_agent_linux 06/17] vdagentd: Automatically release + "agent_data" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It's not guaranteed that agent_disconnect will release the connection +so avoid to have a dandling pointer. + +Signed-off-by: Frediano Ziglio +Acked-by: Jakub Janků +--- + src/vdagentd/vdagentd.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c +index 051de74..94b8681 100644 +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -86,6 +86,13 @@ static uint32_t clipboard_serial[256]; + + static GMainLoop *loop; + ++static void agent_data_destroy(struct agent_data *agent_data) ++{ ++ g_free(agent_data->session); ++ g_free(agent_data->screen_info); ++ g_free(agent_data); ++} ++ + static void vdagentd_quit(gint exit_code) + { + retval = exit_code; +@@ -930,7 +937,7 @@ static void agent_connect(UdscsConnection *conn) + syslog(LOG_ERR, "Could not get peer PID, disconnecting new client: %s", + err->message); + g_error_free(err); +- g_free(agent_data); ++ agent_data_destroy(agent_data); + udscs_server_destroy_connection(server, conn); + return; + } +@@ -938,7 +945,8 @@ static void agent_connect(UdscsConnection *conn) + agent_data->session = session_info_session_for_pid(session_info, pid); + } + +- g_object_set_data(G_OBJECT(conn), "agent_data", agent_data); ++ g_object_set_data_full(G_OBJECT(conn), "agent_data", agent_data, ++ (GDestroyNotify) agent_data_destroy); + udscs_write(conn, VDAGENTD_VERSION, 0, 0, + (uint8_t *)VERSION, strlen(VERSION) + 1); + update_active_session_connection(conn); +@@ -951,13 +959,8 @@ static void agent_connect(UdscsConnection *conn) + + static void agent_disconnect(VDAgentConnection *conn, GError *err) + { +- struct agent_data *agent_data = g_object_get_data(G_OBJECT(conn), "agent_data"); +- + g_hash_table_foreach_remove(active_xfers, remove_active_xfers, conn); + +- g_clear_pointer(&agent_data->session, g_free); +- g_free(agent_data->screen_info); +- g_free(agent_data); + if (err) { + syslog(LOG_ERR, "%s", err->message); + g_error_free(err); +-- +2.26.2 + diff --git a/SOURCES/0007-vdagent-connection-Pass-err-to-g_credentials_get_uni.patch b/SOURCES/0007-vdagent-connection-Pass-err-to-g_credentials_get_uni.patch new file mode 100644 index 0000000..af45c33 --- /dev/null +++ b/SOURCES/0007-vdagent-connection-Pass-err-to-g_credentials_get_uni.patch @@ -0,0 +1,34 @@ +From ac89076d412f67aa7122a9fb786af32eb5f87d5d Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 22 Sep 2020 11:45:56 +0100 +Subject: [PATCH vd_agent_linux 07/17] vdagent-connection: Pass "err" to + g_credentials_get_unix_pid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Allows to return detailed information if g_credentials_get_unix_pid +fails. + +Signed-off-by: Frediano Ziglio +Acked-by: Julien Ropé +--- + src/vdagent-connection.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/vdagent-connection.c b/src/vdagent-connection.c +index 8c023e2..b1d4db6 100644 +--- a/src/vdagent-connection.c ++++ b/src/vdagent-connection.c +@@ -155,7 +155,7 @@ gint vdagent_connection_get_peer_pid(VDAgentConnection *self, + sock = g_socket_connection_get_socket(G_SOCKET_CONNECTION(priv->io_stream)); + cred = g_socket_get_credentials(sock, err); + if (cred) { +- pid = g_credentials_get_unix_pid(cred, NULL); ++ pid = g_credentials_get_unix_pid(cred, err); + g_object_unref(cred); + } + +-- +2.26.2 + diff --git a/SOURCES/0008-vdagentd-Better-check-for-vdagent_connection_get_pee.patch b/SOURCES/0008-vdagentd-Better-check-for-vdagent_connection_get_pee.patch new file mode 100644 index 0000000..a23bb37 --- /dev/null +++ b/SOURCES/0008-vdagentd-Better-check-for-vdagent_connection_get_pee.patch @@ -0,0 +1,44 @@ +From 64289e71a1b2a9dc6868eb810cf93ca8c0644693 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Mon, 21 Sep 2020 16:42:26 +0100 +Subject: [PATCH vd_agent_linux 08/17] vdagentd: Better check for + vdagent_connection_get_peer_pid results +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The function can return -1 and leave "err" to NULL in some cases, +do not check only for "err". + +Signed-off-by: Frediano Ziglio +Acked-by: Julien Ropé +--- + src/vdagentd/vdagentd.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c +index 94b8681..12cbbd0 100644 +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -933,10 +933,14 @@ static void agent_connect(UdscsConnection *conn) + + if (session_info) { + pid = vdagent_connection_get_peer_pid(VDAGENT_CONNECTION(conn), &err); +- if (err) { +- syslog(LOG_ERR, "Could not get peer PID, disconnecting new client: %s", +- err->message); +- g_error_free(err); ++ if (err || pid <= 0) { ++ static const char msg[] = "Could not get peer PID, disconnecting new client"; ++ if (err) { ++ syslog(LOG_ERR, "%s: %s", msg, err->message); ++ g_error_free(err); ++ } else { ++ syslog(LOG_ERR, "%s", msg); ++ } + agent_data_destroy(agent_data); + udscs_server_destroy_connection(server, conn); + return; +-- +2.26.2 + diff --git a/SOURCES/0009-vdagentd-Avoid-calling-chmod.patch b/SOURCES/0009-vdagentd-Avoid-calling-chmod.patch new file mode 100644 index 0000000..adf00fd --- /dev/null +++ b/SOURCES/0009-vdagentd-Avoid-calling-chmod.patch @@ -0,0 +1,49 @@ +From dd46157d3faa95a12fc6f04cd2515f200e3ca465 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Thu, 24 Sep 2020 12:13:24 +0100 +Subject: [PATCH vd_agent_linux 09/17] vdagentd: Avoid calling chmod + +Create the socket with the right permissions using umask. +This also prevents possible symlink exploitation in case socket +path is not secure. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagentd/vdagentd.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c +index 12cbbd0..eddfcf6 100644 +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -1211,7 +1211,9 @@ int main(int argc, char *argv[]) + /* systemd socket activation not enabled, create our own */ + #endif /* WITH_SYSTEMD_SOCKET_ACTIVATION */ + { ++ mode_t mode = umask(0111); + udscs_server_listen_to_address(server, vdagentd_socket, &err); ++ umask(mode); + } + + if (err) { +@@ -1222,16 +1224,6 @@ int main(int argc, char *argv[]) + return 1; + } + +- /* no need to set permissions on a socket that was provided by systemd */ +- if (own_socket) { +- if (chmod(vdagentd_socket, 0666)) { +- syslog(LOG_CRIT, "Fatal could not change permissions on %s: %m", +- vdagentd_socket); +- udscs_destroy_server(server); +- return 1; +- } +- } +- + #ifdef WITH_STATIC_UINPUT + uinput = vdagentd_uinput_create(uinput_device, 1024, 768, NULL, 0, + debug > 1, uinput_fake); +-- +2.26.2 + diff --git a/SOURCES/0010-Avoids-unchecked-file-transfer-IDs-allocation-and-us.patch b/SOURCES/0010-Avoids-unchecked-file-transfer-IDs-allocation-and-us.patch new file mode 100644 index 0000000..16e1bfd --- /dev/null +++ b/SOURCES/0010-Avoids-unchecked-file-transfer-IDs-allocation-and-us.patch @@ -0,0 +1,84 @@ +From 956608c1344f185e39294004b64906a7e1b5c14c Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Sat, 19 Sep 2020 15:13:42 +0100 +Subject: [PATCH vd_agent_linux 10/17] Avoids unchecked file transfer IDs + allocation and usage + +Avoid agents allocating file transfers. +The "active_xfers" entries are now inserted when client start sending +files. +Also different agents cannot mess with other agent transfers as a +transfer is bound to a single agent. + +This issue was reported by SUSE security team. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagentd/vdagentd.c | 28 ++++++++++++++++++++++------ + 1 file changed, 22 insertions(+), 6 deletions(-) + +diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c +index eddfcf6..8961a99 100644 +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -381,9 +381,11 @@ static void do_client_file_xfer(VirtioPort *vport, + s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0); + return; + } +- udscs_write(active_session_conn, VDAGENTD_FILE_XFER_START, 0, 0, +- data, message_header->size); +- return; ++ msg_type = VDAGENTD_FILE_XFER_START; ++ id = s->id; ++ // associate the id with the active connection ++ g_hash_table_insert(active_xfers, GUINT_TO_POINTER(id), active_session_conn); ++ break; + } + case VD_AGENT_FILE_XFER_STATUS: { + VDAgentFileXferStatusMessage *s = (VDAgentFileXferStatusMessage *)data; +@@ -408,6 +410,12 @@ static void do_client_file_xfer(VirtioPort *vport, + return; + } + udscs_write(conn, msg_type, 0, 0, data, message_header->size); ++ ++ // client told that transfer is ended, agents too stop the transfer ++ // and release resources ++ if (message_header->type == VD_AGENT_FILE_XFER_STATUS) { ++ g_hash_table_remove(active_xfers, GUINT_TO_POINTER(id)); ++ } + } + + static void forward_data_to_session_agent(uint32_t type, uint8_t *data, size_t size) +@@ -1015,6 +1023,15 @@ static void do_agent_file_xfer_status(UdscsConnection *conn, + const gchar *log_msg = NULL; + guint data_size = 0; + ++ UdscsConnection *task_conn = g_hash_table_lookup(active_xfers, task_id); ++ if (task_conn == NULL || task_conn != conn) { ++ // Protect against misbehaving agent. ++ // Ignore the message, but do not disconnect the agent, to protect against ++ // a misbehaving client that tries to disconnect a good agent ++ // e.g. by sending a new task and immediately cancelling it. ++ return; ++ } ++ + /* header->arg1 = file xfer task id, header->arg2 = file xfer status */ + switch (header->arg2) { + case VD_AGENT_FILE_XFER_STATUS_NOT_ENOUGH_SPACE: +@@ -1029,10 +1046,9 @@ static void do_agent_file_xfer_status(UdscsConnection *conn, + send_file_xfer_status(virtio_port, log_msg, header->arg1, header->arg2, + data, data_size); + +- if (header->arg2 == VD_AGENT_FILE_XFER_STATUS_CAN_SEND_DATA) +- g_hash_table_insert(active_xfers, task_id, conn); +- else ++ if (header->arg2 != VD_AGENT_FILE_XFER_STATUS_CAN_SEND_DATA) { + g_hash_table_remove(active_xfers, task_id); ++ } + } + + static void agent_read_complete(UdscsConnection *conn, +-- +2.26.2 + diff --git a/SOURCES/0011-Avoids-uncontrolled-active_xfers-allocations.patch b/SOURCES/0011-Avoids-uncontrolled-active_xfers-allocations.patch new file mode 100644 index 0000000..d278e62 --- /dev/null +++ b/SOURCES/0011-Avoids-uncontrolled-active_xfers-allocations.patch @@ -0,0 +1,61 @@ +From b173eba1698138f92b08d4deeaac4d2979a67bbf Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Fri, 2 Oct 2020 12:27:59 +0100 +Subject: [PATCH vd_agent_linux 11/17] Avoids uncontrolled "active_xfers" + allocations + +Limit the number of active file transfers possibly causing DoSes +consuming memory in "active_xfers". + +This issue was reported by SUSE security team. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagentd/vdagentd.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c +index 8961a99..b31941d 100644 +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -47,6 +47,14 @@ + + #define DEFAULT_UINPUT_DEVICE "/dev/uinput" + ++// Maximum number of transfers active at any time. ++// Avoid DoS from client. ++// As each transfer could likely end up taking a file descriptor ++// it is good to have a limit less than the number of file descriptors ++// in the process (by default 1024). The daemon do not open file ++// descriptors for the transfers but the agents do. ++#define MAX_ACTIVE_TRANSFERS 128 ++ + struct agent_data { + char *session; + int width; +@@ -380,6 +388,21 @@ static void do_client_file_xfer(VirtioPort *vport, + "Cancelling client file-xfer request %u", + s->id, VD_AGENT_FILE_XFER_STATUS_SESSION_LOCKED, NULL, 0); + return; ++ } else if (g_hash_table_size(active_xfers) >= MAX_ACTIVE_TRANSFERS) { ++ VDAgentFileXferStatusError error = { ++ GUINT32_TO_LE(VD_AGENT_FILE_XFER_STATUS_ERROR_GLIB_IO), ++ GUINT32_TO_LE(G_IO_ERROR_TOO_MANY_OPEN_FILES), ++ }; ++ size_t detail_size = sizeof(error); ++ if (!VD_AGENT_HAS_CAPABILITY(capabilities, capabilities_size, ++ VD_AGENT_CAP_FILE_XFER_DETAILED_ERRORS)) { ++ detail_size = 0; ++ } ++ send_file_xfer_status(vport, ++ "Too many transfers ongoing. " ++ "Cancelling client file-xfer request %u", ++ s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, (void*) &error, detail_size); ++ return; + } + msg_type = VDAGENTD_FILE_XFER_START; + id = s->id; +-- +2.26.2 + diff --git a/SOURCES/0012-Avoids-unlimited-agent-connections.patch b/SOURCES/0012-Avoids-unlimited-agent-connections.patch new file mode 100644 index 0000000..7bd215f --- /dev/null +++ b/SOURCES/0012-Avoids-unlimited-agent-connections.patch @@ -0,0 +1,50 @@ +From 6e5b9924b172be4f33c7fc264a8ff1d6109b79fe Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Sun, 20 Sep 2020 08:05:37 +0100 +Subject: [PATCH vd_agent_linux 12/17] Avoids unlimited agent connections + +Limit the number of agents that can be connected. +Avoids reaching the maximum number of files in a process. +Beside one file descriptor per agent the daemon open just some +other fixed number of files. + +This issue was reported by SUSE security team. + +Signed-off-by: Frediano Ziglio +--- + src/udscs.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/src/udscs.c b/src/udscs.c +index 7c99eed..3df67b3 100644 +--- a/src/udscs.c ++++ b/src/udscs.c +@@ -30,6 +30,12 @@ + #include "vdagentd-proto-strings.h" + #include "vdagent-connection.h" + ++// Maximum number of connected agents. ++// Avoid DoS from agents. ++// As each connection end up taking a file descriptor is good to have a limit ++// less than the number of file descriptors in the process (by default 1024). ++#define MAX_CONNECTED_AGENTS 128 ++ + struct _UdscsConnection { + VDAgentConnection parent_instance; + int debug; +@@ -254,6 +260,12 @@ static gboolean udscs_server_accept_cb(GSocketService *service, + struct udscs_server *server = user_data; + UdscsConnection *new_conn; + ++ /* prevents DoS having too many agents attached */ ++ if (g_list_length(server->connections) >= MAX_CONNECTED_AGENTS) { ++ syslog(LOG_ERR, "Too many agents connected"); ++ return TRUE; ++ } ++ + new_conn = g_object_new(UDSCS_TYPE_CONNECTION, NULL); + new_conn->debug = server->debug; + new_conn->read_callback = server->read_callback; +-- +2.26.2 + diff --git a/SOURCES/0013-Avoids-user-session-hijacking.patch b/SOURCES/0013-Avoids-user-session-hijacking.patch new file mode 100644 index 0000000..e78771d --- /dev/null +++ b/SOURCES/0013-Avoids-user-session-hijacking.patch @@ -0,0 +1,144 @@ +From 5d9881309d0aeeebbc177d8af6dc26aa2ba56cfc Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Sun, 20 Sep 2020 08:06:16 +0100 +Subject: [PATCH vd_agent_linux 13/17] Avoids user session hijacking + +Avoids user hijacking sessions by reusing PID. +In theory an attacker could: +- open a connection to the daemon; +- fork and exit the process but keep the file descriptor open + (inheriting or duplicating it in forked process); +- force OS to recycle the initial PID, by creating many short lived + processes. +Daemon would detect the old PID as having the new session. +Check the user to avoid such replacements. + +This issue was reported by SUSE security team. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagent-connection.c | 13 +++++++------ + src/vdagent-connection.h | 13 +++++++++---- + src/vdagentd/vdagentd.c | 31 +++++++++++++++++++++++++++---- + 3 files changed, 43 insertions(+), 14 deletions(-) + +diff --git a/src/vdagent-connection.c b/src/vdagent-connection.c +index b1d4db6..fb331be 100644 +--- a/src/vdagent-connection.c ++++ b/src/vdagent-connection.c +@@ -142,24 +142,25 @@ void vdagent_connection_destroy(gpointer p) + g_object_unref(self); + } + +-gint vdagent_connection_get_peer_pid(VDAgentConnection *self, +- GError **err) ++PidUid vdagent_connection_get_peer_pid_uid(VDAgentConnection *self, ++ GError **err) + { + VDAgentConnectionPrivate *priv = vdagent_connection_get_instance_private(self); + GSocket *sock; + GCredentials *cred; +- gint pid = -1; ++ PidUid pid_uid = { -1, -1 }; + +- g_return_val_if_fail(G_IS_SOCKET_CONNECTION(priv->io_stream), pid); ++ g_return_val_if_fail(G_IS_SOCKET_CONNECTION(priv->io_stream), pid_uid); + + sock = g_socket_connection_get_socket(G_SOCKET_CONNECTION(priv->io_stream)); + cred = g_socket_get_credentials(sock, err); + if (cred) { +- pid = g_credentials_get_unix_pid(cred, err); ++ pid_uid.pid = g_credentials_get_unix_pid(cred, err); ++ pid_uid.uid = g_credentials_get_unix_user(cred, err); + g_object_unref(cred); + } + +- return pid; ++ return pid_uid; + } + + /* Performs single write operation, +diff --git a/src/vdagent-connection.h b/src/vdagent-connection.h +index 9d5a212..c515a79 100644 +--- a/src/vdagent-connection.h ++++ b/src/vdagent-connection.h +@@ -92,10 +92,15 @@ void vdagent_connection_write(VDAgentConnection *self, + /* Synchronously write all queued messages to the output stream. */ + void vdagent_connection_flush(VDAgentConnection *self); + +-/* Returns the PID of the foreign process connected to the socket +- * or -1 with @err set. */ +-gint vdagent_connection_get_peer_pid(VDAgentConnection *self, +- GError **err); ++typedef struct PidUid { ++ pid_t pid; ++ uid_t uid; ++} PidUid; ++ ++/* Returns the PID and UID of the foreign process connected to the socket ++ * or fill @err set. */ ++PidUid vdagent_connection_get_peer_pid_uid(VDAgentConnection *self, ++ GError **err); + + G_END_DECLS + +diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c +index b31941d..e98fbe5 100644 +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -955,16 +955,28 @@ static gboolean remove_active_xfers(gpointer key, gpointer value, gpointer conn) + return 0; + } + ++/* Check a given process has a given UID */ ++static bool check_uid_of_pid(pid_t pid, uid_t uid) ++{ ++ char fn[128]; ++ struct stat st; ++ ++ snprintf(fn, sizeof(fn), "/proc/%u/status", (unsigned) pid); ++ if (stat(fn, &st) != 0 || st.st_uid != uid) { ++ return false; ++ } ++ return true; ++} ++ + static void agent_connect(UdscsConnection *conn) + { + struct agent_data *agent_data; + agent_data = g_new0(struct agent_data, 1); + GError *err = NULL; +- gint pid; + + if (session_info) { +- pid = vdagent_connection_get_peer_pid(VDAGENT_CONNECTION(conn), &err); +- if (err || pid <= 0) { ++ PidUid pid_uid = vdagent_connection_get_peer_pid_uid(VDAGENT_CONNECTION(conn), &err); ++ if (err || pid_uid.pid <= 0) { + static const char msg[] = "Could not get peer PID, disconnecting new client"; + if (err) { + syslog(LOG_ERR, "%s: %s", msg, err->message); +@@ -977,7 +989,18 @@ static void agent_connect(UdscsConnection *conn) + return; + } + +- agent_data->session = session_info_session_for_pid(session_info, pid); ++ agent_data->session = session_info_session_for_pid(session_info, pid_uid.pid); ++ ++ /* Check that the UID of the PID did not change, this should be done after ++ * computing the session to avoid race conditions. ++ * This can happen as vdagent_connection_get_peer_pid_uid get information ++ * from the time of creating the socket, but the process in the meantime ++ * have been replaced */ ++ if (!check_uid_of_pid(pid_uid.pid, pid_uid.uid)) { ++ agent_data_destroy(agent_data); ++ udscs_server_destroy_connection(server, conn); ++ return; ++ } + } + + g_object_set_data_full(G_OBJECT(conn), "agent_data", agent_data, +-- +2.26.2 + diff --git a/SOURCES/0014-Better-check-for-sessions.patch b/SOURCES/0014-Better-check-for-sessions.patch new file mode 100644 index 0000000..11c98f3 --- /dev/null +++ b/SOURCES/0014-Better-check-for-sessions.patch @@ -0,0 +1,164 @@ +From dc4d1b8e3e315933c82b23b2806a9cf973e78e78 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Mon, 21 Sep 2020 07:06:09 +0100 +Subject: [PATCH vd_agent_linux 14/17] Better check for sessions + +Do not allow other users to hijack a session checking that +the process is launched by the owner of the session. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagentd/console-kit.c | 67 +++++++++++++++++++++++++++++++ + src/vdagentd/dummy-session-info.c | 5 +++ + src/vdagentd/session-info.h | 3 ++ + src/vdagentd/systemd-login.c | 9 +++++ + src/vdagentd/vdagentd.c | 10 ++++- + 5 files changed, 93 insertions(+), 1 deletion(-) + +diff --git a/src/vdagentd/console-kit.c b/src/vdagentd/console-kit.c +index fc630f1..09a8402 100644 +--- a/src/vdagentd/console-kit.c ++++ b/src/vdagentd/console-kit.c +@@ -568,3 +568,70 @@ exit: + } + return ret; + } ++ ++uid_t session_info_uid_for_session(struct session_info *info, const char *session) ++{ ++ DBusError error; ++ DBusMessage *message = NULL; ++ DBusMessage *reply = NULL; ++ uint32_t uid; ++ uid_t ret = -1; ++ const char *err_msg; ++ ++ g_return_val_if_fail(info != NULL, ret); ++ g_return_val_if_fail(info->connection != NULL, ret); ++ g_return_val_if_fail(info->active_session != NULL, ret); ++ ++ dbus_error_init(&error); ++ ++ err_msg = "(console-kit) Unable to create dbus message for GetUnixUser"; ++ message = dbus_message_new_method_call(INTERFACE_CONSOLE_KIT, ++ session, ++ INTERFACE_CONSOLE_KIT_SESSION, ++ "GetUnixUser"); ++ if (message == NULL) { ++ goto exit; ++ } ++ ++ err_msg = "(console-kit) GetUnixUser failed"; ++ reply = dbus_connection_send_with_reply_and_block(info->connection, ++ message, ++ -1, ++ &error); ++ if (reply == NULL || dbus_error_is_set(&error)) { ++ goto exit; ++ } ++ ++ dbus_error_init(&error); ++ err_msg = "(console-kit) fail to get session-type from reply"; ++ if (!dbus_message_get_args(reply, ++ &error, ++ DBUS_TYPE_UINT32, &uid, ++ DBUS_TYPE_INVALID)) { ++ goto exit; ++ } ++ ++ if (info->verbose) { ++ syslog(LOG_DEBUG, "(console-kit) unix user is '%u'", (unsigned) uid); ++ } ++ ++ err_msg = NULL; ++ ret = uid; ++ ++exit: ++ if (err_msg) { ++ if (dbus_error_is_set(&error)) { ++ syslog(LOG_ERR, "%s: %s", err_msg, error.message); ++ dbus_error_free(&error); ++ } else { ++ syslog(LOG_ERR, "%s", err_msg); ++ } ++ } ++ if (reply != NULL) { ++ dbus_message_unref(reply); ++ } ++ if (message != NULL) { ++ dbus_message_unref(message); ++ } ++ return ret; ++} +diff --git a/src/vdagentd/dummy-session-info.c b/src/vdagentd/dummy-session-info.c +index 7fd1eea..137c01a 100644 +--- a/src/vdagentd/dummy-session-info.c ++++ b/src/vdagentd/dummy-session-info.c +@@ -55,3 +55,8 @@ gboolean session_info_session_is_locked(G_GNUC_UNUSED struct session_info *si) + { + return FALSE; + } ++ ++uid_t session_info_uid_for_session(struct session_info *si, const char *session) ++{ ++ return -1; ++} +diff --git a/src/vdagentd/session-info.h b/src/vdagentd/session-info.h +index c8edb86..96aa8d3 100644 +--- a/src/vdagentd/session-info.h ++++ b/src/vdagentd/session-info.h +@@ -40,4 +40,7 @@ char *session_info_session_for_pid(struct session_info *ck, uint32_t pid); + gboolean session_info_session_is_locked(struct session_info *si); + gboolean session_info_is_user(struct session_info *si); + ++/* get owner of a given session */ ++uid_t session_info_uid_for_session(struct session_info *si, const char *session); ++ + #endif +diff --git a/src/vdagentd/systemd-login.c b/src/vdagentd/systemd-login.c +index 0b8f3c1..0e1ff3f 100644 +--- a/src/vdagentd/systemd-login.c ++++ b/src/vdagentd/systemd-login.c +@@ -392,3 +392,12 @@ gboolean session_info_is_user(struct session_info *si) + + return ret; + } ++ ++uid_t session_info_uid_for_session(struct session_info *si, const char *session) ++{ ++ uid_t ret = -1; ++ if (sd_session_get_uid(session, &ret) < 0) { ++ return -1; ++ } ++ return ret; ++} +diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c +index e98fbe5..bb39340 100644 +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -991,12 +991,20 @@ static void agent_connect(UdscsConnection *conn) + + agent_data->session = session_info_session_for_pid(session_info, pid_uid.pid); + ++ uid_t session_uid = session_info_uid_for_session(session_info, agent_data->session); ++ + /* Check that the UID of the PID did not change, this should be done after + * computing the session to avoid race conditions. + * This can happen as vdagent_connection_get_peer_pid_uid get information + * from the time of creating the socket, but the process in the meantime + * have been replaced */ +- if (!check_uid_of_pid(pid_uid.pid, pid_uid.uid)) { ++ if (!check_uid_of_pid(pid_uid.pid, pid_uid.uid) || ++ /* Check that the user launching the Agent is the same as session one ++ * or root user. ++ * This prevents session hijacks from other users. */ ++ (pid_uid.uid != 0 && pid_uid.uid != session_uid)) { ++ syslog(LOG_ERR, "UID mismatch: UID=%u PID=%u suid=%u", pid_uid.uid, ++ pid_uid.pid, session_uid); + agent_data_destroy(agent_data); + udscs_server_destroy_connection(server, conn); + return; +-- +2.26.2 + diff --git a/SOURCES/0015-vdagentd-Limit-number-of-agents-per-session-to-1.patch b/SOURCES/0015-vdagentd-Limit-number-of-agents-per-session-to-1.patch new file mode 100644 index 0000000..a273246 --- /dev/null +++ b/SOURCES/0015-vdagentd-Limit-number-of-agents-per-session-to-1.patch @@ -0,0 +1,57 @@ +From 570b15e0ea71950ff14ddc2bf667e9e361720939 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Thu, 24 Sep 2020 12:13:44 +0100 +Subject: [PATCH vd_agent_linux 15/17] vdagentd: Limit number of agents per + session to 1 + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/vdagentd/vdagentd.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c +index bb39340..5ef547e 100644 +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -955,6 +955,20 @@ static gboolean remove_active_xfers(gpointer key, gpointer value, gpointer conn) + return 0; + } + ++/* Check if this connection matches the passed session */ ++static int connection_matches_session(UdscsConnection *conn, void *priv) ++{ ++ const char *session = priv; ++ const struct agent_data *agent_data = g_object_get_data(G_OBJECT(conn), "agent_data"); ++ ++ if (!agent_data || !agent_data->session || ++ strcmp(agent_data->session, session) != 0) { ++ return 0; ++ } ++ ++ return 1; ++} ++ + /* Check a given process has a given UID */ + static bool check_uid_of_pid(pid_t pid, uid_t uid) + { +@@ -1007,6 +1021,16 @@ static void agent_connect(UdscsConnection *conn) + udscs_server_destroy_connection(server, conn); + return; + } ++ ++ // Check there are no other connection for this session ++ // Note that "conn" is not counted as "agent_data" is still not attached to it ++ if (udscs_server_for_all_clients(server, connection_matches_session, ++ agent_data->session) > 0) { ++ syslog(LOG_ERR, "An agent is already connected for this session"); ++ agent_data_destroy(agent_data); ++ udscs_server_destroy_connection(server, conn); ++ return; ++ } + } + + g_object_set_data_full(G_OBJECT(conn), "agent_data", agent_data, +-- +2.26.2 + diff --git a/SOURCES/0016-cleanup-active_xfers-when-the-client-disconnects.patch b/SOURCES/0016-cleanup-active_xfers-when-the-client-disconnects.patch new file mode 100644 index 0000000..5dcc163 --- /dev/null +++ b/SOURCES/0016-cleanup-active_xfers-when-the-client-disconnects.patch @@ -0,0 +1,27 @@ +From 1153bb8906377e155dccf730762b83f00a8d47c2 Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Wed, 7 Oct 2020 19:34:57 +0300 +Subject: [PATCH vd_agent_linux 16/17] cleanup active_xfers when the client + disconnects + +Signed-off-by: Uri Lublin +Acked-by: Frediano Ziglio +--- + src/vdagentd/vdagentd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c +index 5ef547e..9243cfb 100644 +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -168,6 +168,7 @@ static void send_capabilities(VirtioPort *vport, + + static void do_client_disconnect(void) + { ++ g_hash_table_remove_all(active_xfers); + if (client_connected) { + udscs_server_write_all(server, VDAGENTD_CLIENT_DISCONNECTED, 0, 0, + NULL, 0); +-- +2.26.2 + diff --git a/SOURCES/0017-vdagentd-do-not-allow-to-use-an-already-used-file-xf.patch b/SOURCES/0017-vdagentd-do-not-allow-to-use-an-already-used-file-xf.patch new file mode 100644 index 0000000..3d0b2e5 --- /dev/null +++ b/SOURCES/0017-vdagentd-do-not-allow-to-use-an-already-used-file-xf.patch @@ -0,0 +1,33 @@ +From 12708a0fc9f3da1d1cc492bb3a49844b02e76b40 Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Sun, 11 Oct 2020 20:59:17 +0300 +Subject: [PATCH vd_agent_linux 17/17] vdagentd: do not allow to use an already + used file-xfer id + +Signed-off-by: Uri Lublin +Acked-by: Frediano Ziglio +--- + src/vdagentd/vdagentd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c +index 9243cfb..279e7c3 100644 +--- a/src/vdagentd/vdagentd.c ++++ b/src/vdagentd/vdagentd.c +@@ -404,6 +404,13 @@ static void do_client_file_xfer(VirtioPort *vport, + "Cancelling client file-xfer request %u", + s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, (void*) &error, detail_size); + return; ++ } else if (g_hash_table_lookup(active_xfers, GUINT_TO_POINTER(s->id)) != NULL) { ++ // id is already used -- client is confused ++ send_file_xfer_status(vport, ++ "File transfer ID is already used. " ++ "Cancelling client file-xfer request %u", ++ s->id, VD_AGENT_FILE_XFER_STATUS_ERROR, NULL, 0); ++ return; + } + msg_type = VDAGENTD_FILE_XFER_START; + id = s->id; +-- +2.26.2 + diff --git a/SOURCES/0018-Add-a-test-for-session_info.patch b/SOURCES/0018-Add-a-test-for-session_info.patch new file mode 100644 index 0000000..6956628 --- /dev/null +++ b/SOURCES/0018-Add-a-test-for-session_info.patch @@ -0,0 +1,130 @@ +From a77b09e5d77e5cf1d4fdd38d018ecf164cd01df9 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 20 Oct 2020 16:38:37 +0100 +Subject: [PATCH 10/10] Add a test for session_info + +Test from Uri, integrated in test suite. + +Signed-off-by: Uri Lublin +Signed-off-by: Frediano Ziglio +--- + Makefile.am | 30 ++++++++++++++++++++ + tests/test-session-info.c | 58 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 88 insertions(+) + create mode 100644 tests/test-session-info.c + +diff --git a/Makefile.am b/Makefile.am +index 575ba52..f4c65b4 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -109,13 +109,43 @@ src_spice_vdagentd_SOURCES = \ + src/vdagentd/virtio-port.h \ + $(NULL) + ++tests_test_session_info_CFLAGS = \ ++ $(DBUS_CFLAGS) \ ++ $(LIBSYSTEMD_DAEMON_CFLAGS) \ ++ $(LIBSYSTEMD_LOGIN_CFLAGS) \ ++ $(SPICE_CFLAGS) \ ++ $(GIO2_CFLAGS) \ ++ -I$(srcdir)/src \ ++ -I$(srcdir)/src/vdagentd \ ++ -DUDSCS_NO_SERVER \ ++ $(NULL) ++ ++tests_test_session_info_LDADD = \ ++ $(DBUS_LIBS) \ ++ $(LIBSYSTEMD_DAEMON_LIBS) \ ++ $(LIBSYSTEMD_LOGIN_LIBS) \ ++ $(SPICE_LIBS) \ ++ $(GIO2_LIBS) \ ++ $(NULL) ++ ++tests_test_session_info_SOURCES = \ ++ $(common_sources) \ ++ src/vdagentd/session-info.h \ ++ tests/test-session-info.c \ ++ $(NULL) ++ ++check_PROGRAMS += tests/test-session-info ++ + if HAVE_CONSOLE_KIT + src_spice_vdagentd_SOURCES += src/vdagentd/console-kit.c ++tests_test_session_info_SOURCES += src/vdagentd/console-kit.c + else + if HAVE_LIBSYSTEMD_LOGIN + src_spice_vdagentd_SOURCES += src/vdagentd/systemd-login.c ++tests_test_session_info_SOURCES += src/vdagentd/systemd-login.c + else + src_spice_vdagentd_SOURCES += src/vdagentd/dummy-session-info.c ++tests_test_session_info_SOURCES += src/vdagentd/dummy-session-info.c + endif + endif + +diff --git a/tests/test-session-info.c b/tests/test-session-info.c +new file mode 100644 +index 0000000..dae3ec6 +--- /dev/null ++++ b/tests/test-session-info.c +@@ -0,0 +1,58 @@ ++/* test-session-info.c - test session info ++ ++ Copyright 2020 Red Hat, Inc. ++ ++ This program is free software: you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation, either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++#include ++ ++#undef NDEBUG ++#include ++#include ++#include ++#include ++ ++#include "session-info.h" ++ ++int main(int argc, char *argv[]) ++{ ++ int pid, uid, ck_uid; ++ ++ pid = (int)getpid(); ++ ++ struct session_info *session_info = session_info_create(1); ++ if (session_info == NULL) { ++ return 1; ++ } ++ ++ char *session = session_info_session_for_pid(session_info, pid); ++ if (session == NULL) { ++ session_info_destroy(session_info); ++ return 2; ++ } ++ ck_uid = session_info_uid_for_session(session_info, session); ++ ++ free(session); ++ session_info_destroy(session_info); ++ ++ uid = getuid(); ++ printf("MAIN: uid is %d, ck_uid is %d\n", uid, ck_uid); ++ ++ if (uid != ck_uid) { ++ fprintf(stderr, "MAIN: uid (%d) does not match console-kit uid %d\n", uid, ck_uid); ++ return 3; ++ } ++ ++ return 0; ++} +-- +2.28.0 + diff --git a/SPECS/spice-vdagent.spec b/SPECS/spice-vdagent.spec index 3149b1a..f043a70 100644 --- a/SPECS/spice-vdagent.spec +++ b/SPECS/spice-vdagent.spec @@ -1,6 +1,6 @@ Name: spice-vdagent Version: 0.20.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Agent for Spice guests Group: Applications/System License: GPLv3+ @@ -12,6 +12,20 @@ Patch0001: 0001-vdagentd-work-around-GLib-s-fork-issues.patch Patch0002: 0002-vdagentd-init-static-uinput-before-fork.patch Patch0003: 0003-systemd-login-Avoid-a-crash-on-container.patch Patch0004: 0004-Fix-possible-compile-error-using-former-GLib2-versio.patch +Patch0005: 0005-vdagentd-Use-bool-for-agent_owns_clipboard-and-clien.patch +Patch0006: 0006-vdagentd-Automatically-release-agent_data.patch +Patch0007: 0007-vdagent-connection-Pass-err-to-g_credentials_get_uni.patch +Patch0008: 0008-vdagentd-Better-check-for-vdagent_connection_get_pee.patch +Patch0009: 0009-vdagentd-Avoid-calling-chmod.patch +Patch0010: 0010-Avoids-unchecked-file-transfer-IDs-allocation-and-us.patch +Patch0011: 0011-Avoids-uncontrolled-active_xfers-allocations.patch +Patch0012: 0012-Avoids-unlimited-agent-connections.patch +Patch0013: 0013-Avoids-user-session-hijacking.patch +Patch0014: 0014-Better-check-for-sessions.patch +Patch0015: 0015-vdagentd-Limit-number-of-agents-per-session-to-1.patch +Patch0016: 0016-cleanup-active_xfers-when-the-client-disconnects.patch +Patch0017: 0017-vdagentd-do-not-allow-to-use-an-already-used-file-xf.patch +Patch0018: 0018-Add-a-test-for-session_info.patch BuildRequires: git-core gnupg2 BuildRequires: systemd-devel @@ -77,7 +91,10 @@ make install DESTDIR=$RPM_BUILD_ROOT V=2 %changelog -* Mon May 15 2020 Victor Toso 0.20.0-1 +* Mon Oct 19 2020 Frediano Ziglio 0.20.0-2 +- Resolves: CVE-2020-25650, CVE-2020-25651, CVE-2020-25652, CVE-2020-25653 + +* Fri May 15 2020 Victor Toso 0.20.0-1 - Update to 0.20.0 - Backport fixes post-release Resolves: rhbz#1817476