Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

gvfs: security fixes #63486

Merged
merged 2 commits into from Jun 19, 2019
Merged

gvfs: security fixes #63486

merged 2 commits into from Jun 19, 2019

Conversation

worldofpeace
Copy link
Contributor

Motivation for this change

See commits

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@worldofpeace
gvfs: fix CVE-2019-1244{7.8.9}
02ea0d3 
This is a version of NixOS#63481 for master.

CVE-2019-12447:
daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is
not used.

CVE-2019-12448:
daemon/gvfsbackendadmin.c has race conditions because the admin backend
doesn't implement query_info_on_read/write.

CVE-2019-12449:
daemon/gvfsbackendadmin.c mishandles a file's user and group ownership
during move (and copy with G_FILE_COPY_ALL_METADATA) operations
from admin:// to file:// URIs, because root privileges are unavailable.

Upstream MR: https://gitlab.gnome.org/GNOME/gvfs/merge_requests/48
@worldofpeace
gvfs: fix CVE-2019-12795
fae9e16 
This is a version of NixOS#63481 for master.

Vulnerability Description:
daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before
1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without
configuring an authorization rule. A local attacker could connect to this server
socket and issue D-Bus method calls. Note that the server socket only accepts
a single connection, so the attacker would have to discover the server and connect
to the socket before its owner does.

NixOS#63301
@worldofpeace worldofpeace added 1.severity: security 6.topic: GNOME GNOME desktop environment and its underlying platform labels Jun 18, 2019
@worldofpeace worldofpeace mentioned this pull request Jun 18, 2019
Merged
10 tasks
@jtojnar
Copy link
Contributor

jtojnar commented Jun 18, 2019
edited

Is https://gitlab.gnome.org/GNOME/gvfs/commit/a0da5f16feda323c29850c495acd86dfc8fbb262 not needed?

@ofborg ofborg bot added 11.by: package-maintainer 10.rebuild-darwin: 1-10 10.rebuild-linux: 11-100 and removed 6.topic: GNOME GNOME desktop environment and its underlying platform labels Jun 19, 2019
@worldofpeace
Copy link
Contributor Author

Is https://gitlab.gnome.org/GNOME/gvfs/commit/a0da5f16feda323c29850c495acd86dfc8fbb262 not needed?

I looked pretty close at the commits assigned for the CVE's and all the commits in https://gitlab.gnome.org/GNOME/gvfs/merge_requests/48/commits are assigned. Since it wasn't a part of the pr it's probably just another improvement.

@worldofpeace
Copy link
Contributor Author

@GrahamcOfBorg build gnome3.gvfs gvfs

@jtojnar
Copy link
Contributor

jtojnar commented Jun 19, 2019

Right, did not see it anywhere either. Not including is probably fine.

@worldofpeace worldofpeace merged commit 9d17311 into NixOS:master Jun 19, 2019
@worldofpeace worldofpeace deleted the gvfs/security-fixes-unstable branch June 19, 2019 02:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jtojnar jtojnar jtojnar approved these changes

@hedning hedning Awaiting requested review from hedning

Assignees
No one assigned
Labels
1.severity: security 10.rebuild-darwin: 1-10 10.rebuild-linux: 11-100 11.by: package-maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@worldofpeace @jtojnar