main/gvfs: backport fixes for a few CVEs

- CVE-2019-12795
- CVE-2019-12449
- CVE-2019-12447
- CVE-2019-12448

1 files changed, 93 insertions, 0 deletions

diff --git a/main/gvfs/CVE-2019-12795.patch b/main/gvfs/CVE-2019-12795.patch
new file mode 100644
index 0000000000..8d22342424
--- /dev/null
+++ b/main/gvfs/CVE-2019-12795.patch
@@ -0,0 +1,93 @@
+From e3808a1b4042761055b1d975333a8243d67b8bfe Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@collabora.com>
+Date: Wed, 5 Jun 2019 13:33:38 +0100
+Subject: [PATCH] gvfsdaemon: Check that the connecting client is the same user
+
+Otherwise, an attacker who learns the abstract socket address from
+netstat(8) or similar could connect to it and issue D-Bus method
+calls.
+
+Signed-off-by: Simon McVittie <smcv@collabora.com>
+---
+ daemon/gvfsdaemon.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/gvfsdaemon.c b/daemon/gvfsdaemon.c
+index 406d4f8e..be148a7b 100644
+--- a/daemon/gvfsdaemon.c
++++ b/daemon/gvfsdaemon.c
+@@ -79,6 +79,7 @@ struct _GVfsDaemon
+   
+   gint mount_counter;
+   
++  GDBusAuthObserver *auth_observer;
+   GDBusConnection *conn;
+   GVfsDBusDaemon *daemon_skeleton;
+   GVfsDBusMountable *mountable_skeleton;
+@@ -171,6 +172,8 @@ g_vfs_daemon_finalize (GObject *object)
+     }
+   if (daemon->conn != NULL)
+     g_object_unref (daemon->conn);
++  if (daemon->auth_observer != NULL)
++    g_object_unref (daemon->auth_observer);
+   
+   g_hash_table_destroy (daemon->registered_paths);
+   g_hash_table_destroy (daemon->client_connections);
+@@ -236,6 +239,35 @@ name_vanished_handler (GDBusConnection *connection,
+   daemon->lost_main_daemon = TRUE;
+ }
+ 
++/*
++ * Authentication observer signal handler that authorizes connections
++ * from the same uid as this process. This matches the behaviour of a
++ * libdbus DBusServer/DBusConnection when no DBusAllowUnixUserFunction
++ * has been set, but is not the default in GDBus.
++ */
++static gboolean
++authorize_authenticated_peer_cb (GDBusAuthObserver *observer,
++                                 G_GNUC_UNUSED GIOStream *stream,
++                                 GCredentials *credentials,
++                                 G_GNUC_UNUSED gpointer user_data)
++{
++  gboolean authorized = FALSE;
++
++  if (credentials != NULL)
++    {
++      GCredentials *own_credentials;
++
++      own_credentials = g_credentials_new ();
++
++      if (g_credentials_is_same_user (credentials, own_credentials, NULL))
++        authorized = TRUE;
++
++      g_object_unref (own_credentials);
++    }
++
++  return authorized;
++}
++
+ static void
+ g_vfs_daemon_init (GVfsDaemon *daemon)
+ {
+@@ -265,6 +297,8 @@ g_vfs_daemon_init (GVfsDaemon *daemon)
+ 
+   daemon->conn = g_bus_get_sync (G_BUS_TYPE_SESSION, NULL, NULL);
+   g_assert (daemon->conn != NULL);
++  daemon->auth_observer = g_dbus_auth_observer_new ();
++  g_signal_connect (daemon->auth_observer, "authorize-authenticated-peer", G_CALLBACK (authorize_authenticated_peer_cb), NULL);
+ 
+   daemon->daemon_skeleton = gvfs_dbus_daemon_skeleton_new ();
+   g_signal_connect (daemon->daemon_skeleton, "handle-get-connection", G_CALLBACK (handle_get_connection), daemon);
+@@ -876,7 +910,7 @@ handle_get_connection (GVfsDBusDaemon *object,
+   server = g_dbus_server_new_sync (address1,
+                                    G_DBUS_SERVER_FLAGS_NONE,
+                                    guid,
+-                                   NULL, /* GDBusAuthObserver */
++                                   daemon->auth_observer,
+                                    NULL, /* GCancellable */
+                                    &error);
+   g_free (guid);
+-- 
+2.21.0
+
+