From 8d908f2b522a8dd8db0b396d62ae546d87ff146a Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Tue, 11 Jun 2019 12:28:34 +0100
Subject: [PATCH] Import Debian changes 1.38.1-5

gvfs (1.38.1-5) unstable; urgency=high

  * Team upload
  * d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
    Add missing authentication, preventing a local attacker from connecting
    to an abstract socket address learned from netstat(8) and issuing
    arbitrary D-Bus method calls
  * d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
    Harden private D-Bus connection by rejecting the more complicated
    DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL.

gvfs (1.38.1-4) unstable; urgency=high

  * Team upload
  * Update from upstream gnome-3-30 branch to fix the admin backend
    (Closes: #929755)
    - Implement query_info_on_read/write to fix some race conditions
      (CVE-2019-12448)
    - Ensure that created files get the correct ownership (CVE-2019-12247)
    - Ensure that copied files get the correct ownership (CVE-2019-12449)
  * Remove obsolete version number from fuse dependency.
    gvfs needs fuse (>= 2.8.4), but that version is older than oldstable,
    so we can safely simplify to "Depends: fuse".
    The versioned dependency is not satisfied by fuse3's unversioned
    "Provides: fuse", but the unversioned dependency is. (Closes: #927221)
---
 debian/changelog                              |  30 ++++
 debian/control                                |   2 +-
 debian/control.in                             |   2 +-
 ...ery_info_on_read-write-functionality.patch | 131 ++++++++++++++++++
 .../admin-Allow-changing-file-owner.patch     |  30 ++++
 ...ct-ownership-when-moving-to-file-uri.patch |  80 +++++++++++
 ...uid-to-ensure-correct-file-ownership.patch |  86 ++++++++++++
 ...-the-connecting-client-is-the-same-u.patch |  89 ++++++++++++
 ...-Only-accept-EXTERNAL-authentication.patch |  51 +++++++
 debian/patches/ref-jobs-in-thread.patch       |   8 +-
 debian/patches/series                         |   6 +
 11 files changed, 509 insertions(+), 6 deletions(-)
 create mode 100644 debian/patches/admin-Add-query_info_on_read-write-functionality.patch
 create mode 100644 debian/patches/admin-Allow-changing-file-owner.patch
 create mode 100644 debian/patches/admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
 create mode 100644 debian/patches/admin-Use-fsuid-to-ensure-correct-file-ownership.patch
 create mode 100644 debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch
 create mode 100644 debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch

diff --git a/debian/changelog b/debian/changelog
index dfb63e1..9572d02 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+gvfs (1.38.1-5) unstable; urgency=high
+
+  * Team upload
+  * d/p/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch:
+    Add missing authentication, preventing a local attacker from connecting
+    to an abstract socket address learned from netstat(8) and issuing
+    arbitrary D-Bus method calls
+  * d/p/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch:
+    Harden private D-Bus connection by rejecting the more complicated
+    DBUS_COOKIE_SHA1 authentication mechanism and only accepting EXTERNAL.
+
+ -- Simon McVittie <smcv@debian.org>  Tue, 11 Jun 2019 12:28:34 +0100
+
+gvfs (1.38.1-4) unstable; urgency=high
+
+  * Team upload
+  * Update from upstream gnome-3-30 branch to fix the admin backend
+    (Closes: #929755)
+    - Implement query_info_on_read/write to fix some race conditions
+      (CVE-2019-12448)
+    - Ensure that created files get the correct ownership (CVE-2019-12247)
+    - Ensure that copied files get the correct ownership (CVE-2019-12449)
+  * Remove obsolete version number from fuse dependency.
+    gvfs needs fuse (>= 2.8.4), but that version is older than oldstable,
+    so we can safely simplify to "Depends: fuse".
+    The versioned dependency is not satisfied by fuse3's unversioned
+    "Provides: fuse", but the unversioned dependency is. (Closes: #927221)
+
+ -- Simon McVittie <smcv@debian.org>  Wed, 05 Jun 2019 08:34:17 +0100
+
 gvfs (1.38.1-3) unstable; urgency=high
 
   * Team upload
diff --git a/debian/control b/debian/control
index 059e268..3a685cb 100644
--- a/debian/control
+++ b/debian/control
@@ -158,7 +158,7 @@ Description: userspace virtual filesystem - servers
 
 Package: gvfs-fuse
 Architecture: kfreebsd-any linux-any
-Depends: fuse (>= 2.8.4) [linux-any],
+Depends: fuse [linux-any],
          gvfs (= ${binary:Version}),
          ${misc:Depends},
          ${shlibs:Depends}
diff --git a/debian/control.in b/debian/control.in
index 08caeff..6ecfc9a 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -154,7 +154,7 @@ Description: userspace virtual filesystem - servers
 
 Package: gvfs-fuse
 Architecture: kfreebsd-any linux-any
-Depends: fuse (>= 2.8.4) [linux-any],
+Depends: fuse [linux-any],
          gvfs (= ${binary:Version}),
          ${misc:Depends},
          ${shlibs:Depends}
diff --git a/debian/patches/admin-Add-query_info_on_read-write-functionality.patch b/debian/patches/admin-Add-query_info_on_read-write-functionality.patch
new file mode 100644
index 0000000..b2f41a2
--- /dev/null
+++ b/debian/patches/admin-Add-query_info_on_read-write-functionality.patch
@@ -0,0 +1,131 @@
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:24:36 +0200
+Subject: admin: Add query_info_on_read/write functionality
+
+Admin backend doesn't implement query_info_on_read/write which might
+potentially lead to some race conditions which aren't really wanted
+especially in case of admin backend. For example, in file_copy_fallback(),
+g_file_query_info() is used if g_file_input_stream_query_info() is not
+supported, which in theory means that the info might be obtained from
+the different file then it is opened. Let's add this missing
+functionality to prevent this possibility.
+
+Origin: upstream, 1.38.2, commit:a1c2e7ecab0d6457fa2227d92e3569c08516eac5
+Bug-CVE: CVE-2019-12448
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929755
+---
+ daemon/gvfsbackendadmin.c | 79 ++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 67 insertions(+), 12 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index 0f84900..c4e4dac 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -42,6 +42,8 @@
+ #include "gvfsjobopenforwrite.h"
+ #include "gvfsjobqueryattributes.h"
+ #include "gvfsjobqueryinfo.h"
++#include "gvfsjobqueryinforead.h"
++#include "gvfsjobqueryinfowrite.h"
+ #include "gvfsjobread.h"
+ #include "gvfsjobseekread.h"
+ #include "gvfsjobseekwrite.h"
+@@ -155,6 +157,19 @@ complete_job (GVfsJob *job,
+   g_vfs_job_succeeded (job);
+ }
+ 
++static void
++fix_file_info (GFileInfo *info)
++{
++  /* Override read/write flags, since the above call will use access()
++   * to determine permissions, which does not honor our privileged
++   * capabilities.
++   */
++  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
++  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
++  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
++  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
++}
++
+ static void
+ do_query_info (GVfsBackend *backend,
+                GVfsJobQueryInfo *query_info_job,
+@@ -180,19 +195,57 @@ do_query_info (GVfsBackend *backend,
+   if (error != NULL)
+     goto out;
+ 
+-  /* Override read/write flags, since the above call will use access()
+-   * to determine permissions, which does not honor our privileged
+-   * capabilities.
+-   */
+-  g_file_info_set_attribute_boolean (real_info,
+-                                     G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
+-  g_file_info_set_attribute_boolean (real_info,
+-                                     G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
+-  g_file_info_set_attribute_boolean (real_info,
+-                                     G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
+-  g_file_info_set_attribute_boolean (real_info,
+-                                     G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
++  fix_file_info (real_info);
++  g_file_info_copy_into (real_info, info);
++  g_object_unref (real_info);
++
++ out:
++  complete_job (job, error);
++}
++
++static void
++do_query_info_on_read (GVfsBackend *backend,
++                       GVfsJobQueryInfoRead *query_info_job,
++                       GVfsBackendHandle handle,
++                       GFileInfo *info,
++                       GFileAttributeMatcher *matcher)
++{
++  GVfsJob *job = G_VFS_JOB (query_info_job);
++  GFileInputStream *stream = handle;
++  GError *error = NULL;
++  GFileInfo *real_info;
++
++  real_info = g_file_input_stream_query_info (stream, query_info_job->attributes,
++                                              job->cancellable, &error);
++  if (error != NULL)
++    goto out;
++
++  fix_file_info (real_info);
++  g_file_info_copy_into (real_info, info);
++  g_object_unref (real_info);
++
++ out:
++  complete_job (job, error);
++}
++
++static void
++do_query_info_on_write (GVfsBackend *backend,
++                        GVfsJobQueryInfoWrite *query_info_job,
++                        GVfsBackendHandle handle,
++                        GFileInfo *info,
++                        GFileAttributeMatcher *matcher)
++{
++  GVfsJob *job = G_VFS_JOB (query_info_job);
++  GFileOutputStream *stream = handle;
++  GError *error = NULL;
++  GFileInfo *real_info;
++
++  real_info = g_file_output_stream_query_info (stream, query_info_job->attributes,
++                                               job->cancellable, &error);
++  if (error != NULL)
++    goto out;
+ 
++  fix_file_info (real_info);
+   g_file_info_copy_into (real_info, info);
+   g_object_unref (real_info);
+ 
+@@ -868,6 +921,8 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass)
+   backend_class->mount = do_mount;
+   backend_class->open_for_read = do_open_for_read;
+   backend_class->query_info = do_query_info;
++  backend_class->query_info_on_read = do_query_info_on_read;
++  backend_class->query_info_on_write = do_query_info_on_write;
+   backend_class->read = do_read;
+   backend_class->create = do_create;
+   backend_class->append_to = do_append_to;
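Review bot: `do_query_info_on_read` and `do_query_info_on_write` query the stream without calling `check_permission`, which is presumably intentional because the handle was authorized when it was opened, but nothing in the code says so. A comment such as `/* No check_permission() here: the handle was authorized at open time. */` at the top of each would make the trust assumption explicit. The comment moved into `fix_file_info` still refers to "the above call", which no longer exists inside the helper, so it should name the caller's query instead. `matcher` is unused in both new handlers. The end of `do_query_info_on_write` lies outside the embedded hunk.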
diff --git a/debian/patches/admin-Allow-changing-file-owner.patch b/debian/patches/admin-Allow-changing-file-owner.patch
new file mode 100644
index 0000000..594f2e1
--- /dev/null
+++ b/debian/patches/admin-Allow-changing-file-owner.patch
@@ -0,0 +1,30 @@
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:29:08 +0200
+Subject: admin: Allow changing file owner
+
+CAP_CHOWN is dropped together with other privilages and thus the backend
+can't change file owner. This might be probably e.g. in case of copy
+operation when G_FILE_COPY_ALL_METADATA is used. Let's keep CAP_CHOWN
+to fix this.
+
+Origin: upstream, 1.38.2, commit:0f25dea30d01d920443ab72b0c254560ec40e14c
+Bug-CVE: CVE-2019-12447
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929755
+---
+ daemon/gvfsbackendadmin.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index c4e4dac..2d949ae 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -968,7 +968,8 @@ g_vfs_backend_admin_init (GVfsBackendAdmin *self)
+ 
+ #define REQUIRED_CAPS (CAP_TO_MASK(CAP_FOWNER) | \
+                        CAP_TO_MASK(CAP_DAC_OVERRIDE) | \
+-                       CAP_TO_MASK(CAP_DAC_READ_SEARCH))
++                       CAP_TO_MASK(CAP_DAC_READ_SEARCH) | \
++                       CAP_TO_MASK(CAP_CHOWN))
+ 
+ static void
+ acquire_caps (uid_t uid)
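Review bot: `REQUIRED_CAPS` gains `CAP_CHOWN` with no comment recording why each retained capability is needed, even though this mask defines what the backend keeps once the other privileges are dropped. A short comment above the macro would let a later reviewer judge whether the set is still minimal, for example `/* CAP_CHOWN: restore owner/group when copying with G_FILE_COPY_ALL_METADATA */`. The body of `acquire_caps` that consumes the mask is outside the hunk, so how the mask is applied cannot be checked here.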
diff --git a/debian/patches/admin-Ensure-correct-ownership-when-moving-to-file-uri.patch b/debian/patches/admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
new file mode 100644
index 0000000..a24ace8
--- /dev/null
+++ b/debian/patches/admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
@@ -0,0 +1,80 @@
+From: Ondrej Holy <oholy@redhat.com>
+Date: Fri, 24 May 2019 09:43:43 +0200
+Subject: admin: Ensure correct ownership when moving to file:// uri
+
+User and group is not restored properly when moving (or copying with
+G_FILE_COPY_ALL_METADATA) from admin:// to file://, because it is handled
+by GIO fallback code, which doesn't run with root permissions. Let's
+handle this case with pull method to ensure correct ownership.
+
+Origin: upstream, 1.38.2, commit:bed1e9685c9f65f6a3ff3b39dd8547db3e7e77f6
+Bug-CVE: CVE-2019-12449
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929755
+---
+ daemon/gvfsbackendadmin.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index 71946a0..392824c 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -807,6 +807,51 @@ do_move (GVfsBackend *backend,
+   complete_job (job, error);
+ }
+ 
++static void
++do_pull (GVfsBackend *backend,
++         GVfsJobPull *pull_job,
++         const char *source,
++         const char *local_path,
++         GFileCopyFlags flags,
++         gboolean remove_source,
++         GFileProgressCallback progress_callback,
++         gpointer progress_callback_data)
++{
++  GVfsBackendAdmin *self = G_VFS_BACKEND_ADMIN (backend);
++  GVfsJob *job = G_VFS_JOB (pull_job);
++  GError *error = NULL;
++  GFile *src_file, *dst_file;
++
++  /* Pull method is necessary when user/group needs to be restored, return
++   * G_IO_ERROR_NOT_SUPPORTED in other cases to proceed with the fallback code.
++   */
++  if (!(flags & G_FILE_COPY_ALL_METADATA))
++    {
++      g_vfs_job_failed_literal (G_VFS_JOB (job), G_IO_ERROR,
++                                G_IO_ERROR_NOT_SUPPORTED,
++                                _("Operation not supported"));
++      return;
++    }
++
++  if (!check_permission (self, job))
++    return;
++
++  src_file = g_file_new_for_path (source);
++  dst_file = g_file_new_for_path (local_path);
++
++  if (remove_source)
++    g_file_move (src_file, dst_file, flags, job->cancellable,
++                 progress_callback, progress_callback_data, &error);
++  else
++    g_file_copy (src_file, dst_file, flags, job->cancellable,
++                 progress_callback, progress_callback_data, &error);
++
++  g_object_unref (src_file);
++  g_object_unref (dst_file);
++
++  complete_job (job, error);
++}
++
+ static void
+ do_query_settable_attributes (GVfsBackend *backend,
+                               GVfsJobQueryAttributes *query_job,
+@@ -927,6 +972,7 @@ g_vfs_backend_admin_class_init (GVfsBackendAdminClass * klass)
+   backend_class->set_attribute = do_set_attribute;
+   backend_class->delete = do_delete;
+   backend_class->move = do_move;
++  backend_class->pull = do_pull;
+   backend_class->query_settable_attributes = do_query_settable_attributes;
+   backend_class->query_writable_namespaces = do_query_writable_namespaces;
+ }
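Review bot: `do_pull` copies or moves to `local_path`, a path supplied by the caller, using the backend's elevated file access, and the only gate visible in the hunk is `check_permission`. The function should state that trust assumption, e.g. `/* source and local_path are client-supplied and accessed with the backend's privileges; check_permission() is the sole authorization step. */`. On a smaller note, `G_VFS_JOB (job)` in the `g_vfs_job_failed_literal` call is a redundant cast, because `job` is already a `GVfsJob *`.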
diff --git a/debian/patches/admin-Use-fsuid-to-ensure-correct-file-ownership.patch b/debian/patches/admin-Use-fsuid-to-ensure-correct-file-ownership.patch
new file mode 100644
index 0000000..40d02b1
--- /dev/null
+++ b/debian/patches/admin-Use-fsuid-to-ensure-correct-file-ownership.patch
@@ -0,0 +1,86 @@
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 23 May 2019 10:33:30 +0200
+Subject: admin: Use fsuid to ensure correct file ownership
+
+Files created over admin backend should be owned by root, but they are
+owned by the user itself. This is because the daemon drops the uid to
+make dbus connection work. Use fsuid and euid to fix this issue.
+
+Bug: https://gitlab.gnome.org/GNOME/gvfs/issues/21
+Origin: upstream, 1.38.2, commit:272e6bdac33309672955e8f8bf1b8f5f1e51fa0a
+Bug-CVE: CVE-2019-12447
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929755
+---
+ daemon/gvfsbackendadmin.c | 29 +++++++----------------------
+ 1 file changed, 7 insertions(+), 22 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index 2d949ae..71946a0 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -157,19 +157,6 @@ complete_job (GVfsJob *job,
+   g_vfs_job_succeeded (job);
+ }
+ 
+-static void
+-fix_file_info (GFileInfo *info)
+-{
+-  /* Override read/write flags, since the above call will use access()
+-   * to determine permissions, which does not honor our privileged
+-   * capabilities.
+-   */
+-  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_READ, TRUE);
+-  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_WRITE, TRUE);
+-  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_DELETE, TRUE);
+-  g_file_info_set_attribute_boolean (info, G_FILE_ATTRIBUTE_ACCESS_CAN_RENAME, TRUE);
+-}
+-
+ static void
+ do_query_info (GVfsBackend *backend,
+                GVfsJobQueryInfo *query_info_job,
+@@ -195,7 +182,6 @@ do_query_info (GVfsBackend *backend,
+   if (error != NULL)
+     goto out;
+ 
+-  fix_file_info (real_info);
+   g_file_info_copy_into (real_info, info);
+   g_object_unref (real_info);
+ 
+@@ -220,7 +206,6 @@ do_query_info_on_read (GVfsBackend *backend,
+   if (error != NULL)
+     goto out;
+ 
+-  fix_file_info (real_info);
+   g_file_info_copy_into (real_info, info);
+   g_object_unref (real_info);
+ 
+@@ -245,7 +230,6 @@ do_query_info_on_write (GVfsBackend *backend,
+   if (error != NULL)
+     goto out;
+ 
+-  fix_file_info (real_info);
+   g_file_info_copy_into (real_info, info);
+   g_object_unref (real_info);
+ 
+@@ -977,14 +961,15 @@ acquire_caps (uid_t uid)
+   struct __user_cap_header_struct hdr;
+   struct __user_cap_data_struct data;
+ 
+-  /* Tell kernel not clear capabilities when dropping root */
+-  if (prctl (PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
+-    g_error ("prctl(PR_SET_KEEPCAPS) failed");
+-
+-  /* Drop root uid, but retain the required permitted caps */
+-  if (setuid (uid) < 0)
++  /* Set euid to user to make dbus work */
++  if (seteuid (uid) < 0)
+     g_error ("unable to drop privs");
+ 
++  /* Set fsuid to still behave like root when working with files */
++  setfsuid (0);
++  if (setfsuid (-1) != 0)
++   g_error ("setfsuid failed");
++
+   memset (&hdr, 0, sizeof(hdr));
+   hdr.version = _LINUX_CAPABILITY_VERSION;
+ 
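Review bot: Replacing `setuid (uid)` with `seteuid (uid)` changes only the effective uid, so if the process starts as root (as the removed comment "Drop root uid" suggests) its real and saved uids stay 0 and the drop is no longer permanent. The error text `"unable to drop privs"` now overstates what happened. I would add a comment such as `/* Real and saved uid remain 0 on purpose; confinement relies on the capability set applied below. */` and confirm that the capability setup that follows is the intended restriction, since the rest of `acquire_caps` is outside the hunk. Group IDs are not touched in the visible lines either. The `g_error ("setfsuid failed");` line is indented by three spaces instead of four.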
diff --git a/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch b/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch
new file mode 100644
index 0000000..9d8e4d6
--- /dev/null
+++ b/debian/patches/gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch
@@ -0,0 +1,89 @@
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 5 Jun 2019 13:33:38 +0100
+Subject: gvfsdaemon: Check that the connecting client is the same user
+
+Otherwise, an attacker who learns the abstract socket address from
+netstat(8) or similar could connect to it and issue D-Bus method
+calls.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Applied-upstream: 1.38.3, commit:e3808a1b4042761055b1d975333a8243d67b8bfe
+---
+ daemon/gvfsdaemon.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index 406d4f8..be148a7 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -79,6 +79,7 @@ struct _GVfsDaemon
+   
+   gint mount_counter;
+   
++  GDBusAuthObserver *auth_observer;
+   GDBusConnection *conn;
+   GVfsDBusDaemon *daemon_skeleton;
+   GVfsDBusMountable *mountable_skeleton;
+@@ -171,6 +172,8 @@ g_vfs_daemon_finalize (GObject *object)
+     }
+   if (daemon->conn != NULL)
+     g_object_unref (daemon->conn);
++  if (daemon->auth_observer != NULL)
++    g_object_unref (daemon->auth_observer);
+   
+   g_hash_table_destroy (daemon->registered_paths);
+   g_hash_table_destroy (daemon->client_connections);
+@@ -236,6 +239,35 @@ name_vanished_handler (GDBusConnection *connection,
+   daemon->lost_main_daemon = TRUE;
+ }
+ 
++/*
++ * Authentication observer signal handler that authorizes connections
++ * from the same uid as this process. This matches the behaviour of a
++ * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction
++ * has been set, but is not the default in GDBus.
++ */
++static gboolean
++authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++                                 G_GNUC_UNUSED GIOStream *stream,
++                                 GCredentials *credentials,
++                                 G_GNUC_UNUSED gpointer user_data)
++{
++  gboolean authorized = FALSE;
++
++  if (credentials != NULL)
++    {
++      GCredentials *own_credentials;
++
++      own_credentials = g_credentials_new ();
++
++      if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++        authorized = TRUE;
++
++      g_object_unref (own_credentials);
++    }
++
++  return authorized;
++}
++
+ static void
+ g_vfs_daemon_init (GVfsDaemon *daemon)
+ {
+@@ -265,6 +297,8 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+ 
+   daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+   g_assert (daemon->conn != NULL);
++  daemon->auth_observer = g_dbus_auth_observer_new ();
++  g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+ 
+   daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
+   g_signal_connect (daemon->daemon_skeleton, "handle-get-connection", G_CALLBACK (handle_get_connection), daemon);
+@@ -876,7 +910,7 @@ handle_get_connection (GVfsDBusDaemon *object,
+   server = g_dbus_server_new_sync (address1,
+                                    G_DBUS_SERVER_FLAGS_NONE,
+                                    guid,
+-                                   NULL, /* GDBusAuthObserver */
++                                   daemon->auth_observer,
+                                    NULL, /* GCancellable */
+                                    &error);
+   g_free (guid);
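Review bot: `authorize_authenticated_peer_cb` passes `NULL` for the `GError` of `g_credentials_is_same_user`, so a peer rejected because its credentials could not be compared is indistinguishable from one with a different uid, and neither leaves a trace. Failing closed is the right behaviour; I would pass a local `GError *error` and log on rejection, e.g. `g_warning ("Rejecting D-Bus peer: %s", error != NULL ? error->message : "uid mismatch");` followed by `g_clear_error (&error);`, so refused connections are visible to whoever monitors the session. `own_credentials` is also rebuilt on every callback and could be created once alongside `daemon->auth_observer`.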
diff --git a/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch b/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch
new file mode 100644
index 0000000..e78086f
--- /dev/null
+++ b/debian/patches/gvfsdaemon-Only-accept-EXTERNAL-authentication.patch
@@ -0,0 +1,51 @@
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 5 Jun 2019 13:36:52 +0100
+Subject: gvfsdaemon: Only accept EXTERNAL authentication
+
+EXTERNAL is the mechanism recommended in the D-Bus Specification for
+all platforms where it is supported (including Linux, *BSD, Solaris
+and Hurd), and is the only mechanism allowed by the session or system
+dbus-daemon in their default configurations. It is considerably simpler
+than DBUS_COOKIE_SHA1 and relies on fewer assumptions.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+Applied-upstream: 1.38.3, commit:756edf6692aa245faedc9573bf88bfe78af3ead3
+---
+ daemon/gvfsdaemon.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index be148a7..0946f41 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -239,6 +239,22 @@ name_vanished_handler (GDBusConnection *connection,
+   daemon->lost_main_daemon = TRUE;
+ }
+ 
++/*
++ * Authentication observer signal handler that rejects all authentication
++ * mechanisms except for EXTERNAL (credentials-passing), which is the
++ * recommended authentication mechanism for AF_UNIX sockets.
++ */
++static gboolean
++allow_mechanism_cb (GDBusAuthObserver *observer,
++                    const gchar *mechanism,
++                    G_GNUC_UNUSED gpointer user_data)
++{
++  if (g_strcmp0 (mechanism, "EXTERNAL") == 0)
++    return TRUE;
++
++  return FALSE;
++}
++
+ /*
+  * Authentication observer signal handler that authorizes connections
+  * from the same uid as this process. This matches the behaviour of a
+@@ -298,6 +314,7 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+   daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+   g_assert (daemon->conn != NULL);
+   daemon->auth_observer = g_dbus_auth_observer_new ();
++  g_signal_connect (daemon->auth_observer, "allow-mechanism", G_CALLBACK (allow_mechanism_cb), NULL);
+   g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+ 
+   daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
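Review bot: `allow_mechanism_cb` spells a boolean comparison as an `if` with two returns; `return g_strcmp0 (mechanism, "EXTERNAL") == 0;` says the same thing in one line. The `observer` parameter is unused but, unlike `user_data` in the same signature, is not marked `G_GNUC_UNUSED`, so the annotation is applied inconsistently.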
diff --git a/debian/patches/ref-jobs-in-thread.patch b/debian/patches/ref-jobs-in-thread.patch
index bdd7ba9..c8be2f4 100644
--- a/debian/patches/ref-jobs-in-thread.patch
+++ b/debian/patches/ref-jobs-in-thread.patch
@@ -39,10 +39,10 @@ index c0c26da..fa490f6 100644
  }
  
 diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
-index 406d4f8..61e5904 100644
+index 0946f41..e35d7f7 100644
 --- a/daemon/gvfsdaemon.c
 +++ b/daemon/gvfsdaemon.c
-@@ -206,6 +206,7 @@ job_handler_callback (gpointer       data,
+@@ -209,6 +209,7 @@ job_handler_callback (gpointer       data,
    GVfsJob *job = G_VFS_JOB (data);
  
    g_vfs_job_run (job);
@@ -50,7 +50,7 @@ index 406d4f8..61e5904 100644
  }
  
  static void
-@@ -597,7 +598,8 @@ g_vfs_daemon_queue_job (GVfsDaemon *daemon,
+@@ -648,7 +649,8 @@ g_vfs_daemon_queue_job (GVfsDaemon *daemon,
    if (!g_vfs_job_try (job))
      {
        /* Couldn't finish / run async, queue worker thread */
@@ -60,7 +60,7 @@ index 406d4f8..61e5904 100644
      }
  }
  
-@@ -1118,7 +1120,8 @@ void
+@@ -1169,7 +1171,8 @@ void
  g_vfs_daemon_run_job_in_thread (GVfsDaemon *daemon,
  				GVfsJob    *job)
  {
diff --git a/debian/patches/series b/debian/patches/series
index 6738f40..2f69af8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,6 +6,12 @@ Update-Basque-translation.patch
 udisks2-Restore-support-of-comment-x-gvfs-option.patch
 admin-Prevent-access-if-any-authentication-agent-isn-t-av.patch
 mtp-Don-t-retry-reading-an-event-after-failure.patch
+admin-Add-query_info_on_read-write-functionality.patch
+admin-Allow-changing-file-owner.patch
+admin-Use-fsuid-to-ensure-correct-file-ownership.patch
+admin-Ensure-correct-ownership-when-moving-to-file-uri.patch
+gvfsdaemon-Check-that-the-connecting-client-is-the-same-u.patch
+gvfsdaemon-Only-accept-EXTERNAL-authentication.patch
 02_polkit_sudo_group.patch
 metadata-nuke-junk-data.patch
 dont-crash-on-null-job.patch
-- 
GitLab