- Fix CVE-2013-4324 Insecure calling of polkit via

polkit_unix_process_new() (rhbz#1009540)

0001-spice-channel-Do-not-segfault-fault-if-peer_msg-was-.patch

@@ -1,8 +1,8 @@
-From b19acbca339a3a630f7f19e1fe5b7cc21fccd737 Mon Sep 17 00:00:00 2001
+From 5320ff4eaa5e25cc2d0b1f748dded6a931f632d8 Mon Sep 17 00:00:00 2001
 From: Dunrong Huang <riegamaths@gmail.com>
 Date: Mon, 11 Mar 2013 16:30:02 +0800
-Subject: [PATCH spice-gtk] spice-channel: Do not segfault fault if peer_msg
- was a NULL pointer
+Subject: [PATCH 1/2] spice-channel: Do not segfault fault if peer_msg was a
+ NULL pointer
 
 $ remote-viewer spice://192.168.0.233:111 # 111 is not a valid spice port
 (remote-viewer:29381): GSpice-WARNING **: incomplete link header (-104/16)
@@ -35,7 +35,7 @@ Signed-off-by: Dunrong Huang <riegamaths@gmail.com>
  1 file changed, 7 insertions(+), 5 deletions(-)
 
 diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
-index ce19634..7b9807b 100644
+index 2c559b7..b9d7f97 100644
 --- a/gtk/spice-channel.c
 +++ b/gtk/spice-channel.c
 @@ -1175,7 +1175,7 @@ static void spice_channel_switch_protocol(SpiceChannel *channel, gint version)
@@ -82,5 +82,5 @@ index ce19634..7b9807b 100644
      if (switch_tls)
          goto cleanup;
 -- 
-1.8.3.rc1.49.g8d97506
+1.8.3.1
 

0002-acl-helper-Use-ruid-of-invoker-rather-than-looking-u.patch

@@ -0,0 +1,32 @@
+From a1c11f19d166600174bba99b977dc8f9fdc2d6c7 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Wed, 21 Aug 2013 17:15:39 -0400
+Subject: [PATCH 2/2] acl helper: Use ruid of invoker rather than looking up
+ euid in /proc
+
+This way we avoid a race condition if the parent execve()s a setuid
+program (possibly this program).
+
+This is the same as the fix for pkexec which is CVE-2011-1485:
+See: https://bugzilla.redhat.com/show_bug.cgi?id=692922
+---
+ gtk/spice-client-glib-usb-acl-helper.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gtk/spice-client-glib-usb-acl-helper.c b/gtk/spice-client-glib-usb-acl-helper.c
+index 93b9b3a..3ed6cad 100644
+--- a/gtk/spice-client-glib-usb-acl-helper.c
++++ b/gtk/spice-client-glib-usb-acl-helper.c
+@@ -348,7 +348,8 @@ int main(void)
+             FATAL_ERROR("Parent process was reaped by init(1)\n");
+             return 1;
+     }
+-    subject = polkit_unix_process_new(parent_pid);
++    /* Do what pkexec does */
++    subject = polkit_unix_process_new_for_owner(parent_pid, 0, getuid ());
+ 
+     stdin_unix_stream = g_unix_input_stream_new(STDIN_FILENO, 0);
+     stdin_stream = g_data_input_stream_new(stdin_unix_stream);
+-- 
+1.8.3.1
+

spice-gtk.spec

@@ -13,7 +13,7 @@
 
 Name:           spice-gtk
 Version:        0.18
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A GTK+ widget for SPICE clients
 
 Group:          System Environment/Libraries
@@ -22,6 +22,7 @@ URL:            http://spice-space.org/page/Spice-Gtk
 #VCS:           git:git://anongit.freedesktop.org/spice/spice-gtk
 Source0:        http://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2
 Patch1:         0001-spice-channel-Do-not-segfault-fault-if-peer_msg-was-.patch
+Patch2:         0002-acl-helper-Use-ruid-of-invoker-rather-than-looking-u.patch
 
 BuildRequires: intltool
 BuildRequires: gtk2-devel >= 2.14
@@ -148,6 +149,7 @@ fi
 
 pushd spice-gtk-%{version}
 %patch1 -p1
+%patch2 -p1
 popd
 
 %if %{with_gtk3}
@@ -268,6 +270,10 @@ rm -rf %{buildroot}%{_datadir}/pkgconfig/spice-protocol.pc
 %{_bindir}/spicy-stats
 
 %changelog
+* Wed Sep 18 2013 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.18-3
+- Fix CVE-2013-4324 Insecure calling of polkit via
+  polkit_unix_process_new() (rhbz#1009540)
+
 * Fri Jun 21 2013 Marc-André Lureau <marcandre.lureau@redhat.com> - 0.18-2
 - Fix "incomplete link header" crash. Resolves: #901880