This repository was archived by the owner on Apr 12, 2021. It is now read-only.
base repository: NixOS/nixpkgs-channels
base: d6da20c19493
head repository: NixOS/nixpkgs-channels
compare: be7c1a3e6b77
  • 3 commits
  • 1 file changed
  • 1 contributor

Commits on Jun 18, 2019

  1. gvfs: fix CVE-2019-1244{7.8.9}

    CVE-2019-12447:
    daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is
    not used.
    
    CVE-2019-12448:
    daemon/gvfsbackendadmin.c has race conditions because the admin backend
    doesn't implement query_info_on_read/write.
    
    CVE-2019-12449:
    daemon/gvfsbackendadmin.c mishandles a file's user and group ownership
    during move (and copy with G_FILE_COPY_ALL_METADATA) operations
    from admin:// to file:// URIs, because root privileges are unavailable.
    
    Upstream MR: https://gitlab.gnome.org/GNOME/gvfs/merge_requests/48
    Closes #63067
    worldofpeace committed Jun 18, 2019
    d2bfd7a
  2. gvfs: fix CVE-2019-12795

    Vulnerability Description:
    daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before
    1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without
    configuring an authorization rule. A local attacker could connect to this server
    socket and issue D-Bus method calls. Note that the server socket only accepts
    a single connection, so the attacker would have to discover the server and connect
    to the socket before its owner does.
    
    Closes #63301
    worldofpeace committed Jun 18, 2019
    6ac7c77

Commits on Jun 19, 2019

  1. Merge pull request #63481 from worldofpeace/gvfs/security-fixes

    [19.03] gvfs: security fixes
    worldofpeace authored Jun 19, 2019
    be7c1a3
Showing with 28 additions and 1 deletion.
  1. +28 −1 pkgs/development/libraries/gvfs/default.nix
29 changes: 28 additions & 1 deletion pkgs/development/libraries/gvfs/default.nix
@@ -1,5 +1,5 @@
{ stdenv, fetchurl, meson, ninja, pkgconfig, gettext, gnome3, dbus
, glib, libgudev, udisks2, libgcrypt, libcap, polkit
, glib, libgudev, udisks2, libgcrypt, libcap, polkit, fetchpatch
, libgphoto2, avahi, libarchive, fuse, libcdio
, libxml2, libxslt, docbook_xsl, docbook_xml_dtd_42, samba, libmtp
, gnomeSupport ? false, gnome, gcr, wrapGAppsHook
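Review bot: `fetchpatch` is appended after `polkit` in the middle of the argument list, away from `fetchurl` on the first line. Moving it next to `fetchurl` keeps the two fetcher inputs together and makes it easier to spot and drop once the `patches` list is no longer needed.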
@@ -18,6 +18,33 @@ in stdenv.mkDerivation rec {
sha256 = "0nw6mv5qq0d79d72x28db0vwihv4isny6m8q7vdim11ngk10hgwh";
};

patches = [
# CVE-2019-12448
(fetchpatch {
url = "https://gitlab.gnome.org/GNOME/gvfs/commit/a1c2e7ecab0d6457fa2227d92e3569c08516eac5.patch";
sha256 = "03fwlpj1vbi80661bbhzv8ddx3czkzv9i1q4h3gqyxi5f1i0xfz4";
})
# CVE-2019-12447
(fetchpatch {
url = "https://gitlab.gnome.org/GNOME/gvfs/commit/0f25dea30d01d920443ab72b0c254560ec40e14c.patch";
sha256 = "1p7c48nsx1lkv2qpkyrsm9qfa77xwd28gczwcpv2kbji3ws5qgj5";
})
(fetchpatch {
url = "https://gitlab.gnome.org/GNOME/gvfs/commit/272e6bdac33309672955e8f8bf1b8f5f1e51fa0a.patch";
sha256 = "0zxbhmgqxxw987ag8fh6yjzjn9jl55fqbn814jh9kwrk7x4prx9x";
})
# CVE-2019-12449
(fetchpatch {
url = "https://gitlab.gnome.org/GNOME/gvfs/commit/bed1e9685c9f65f6a3ff3b39dd8547db3e7e77f6.patch";
sha256 = "0hfybfaz2gfx3yyw5ymx6q0pqwkx2r1i7gzprfp80bplwslq0d4h";
})
# CVE-2019-12795
(fetchpatch {
url = "https://gitlab.gnome.org/GNOME/gvfs/commit/e3808a1b4042761055b1d975333a8243d67b8bfe.patch";
sha256 = "1lx6yxykx24mnq5izijqk744zj6rgww6ba76z0qjal4y0z3gsdqp";
})
];

postPatch = ''
# patchShebangs requires executable file
chmod +x codegen.py meson_post_install.py
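Review bot: in the `patches` list, the third `fetchpatch` entry (commit 272e6bdac333...) has no comment of its own and sits under `# CVE-2019-12447`, so a reader cannot tell whether it is a second part of that fix or an unrelated change. Give every entry its own comment, for example by marking the two entries as parts 1 and 2 of CVE-2019-12447. The list order (12448, 12447, 12449) also differs from the order in the commit message; if the patches only apply in this order, a one-line comment saying so would stop someone from re-sorting them later. Since the commit message for CVE-2019-12795 names the upstream releases that carry the fix, a note above `patches` that the list can be removed on the next version bump would help whoever updates the package.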