diff --git a/0001-spice-channel-Do-not-segfault-fault-if-peer_msg-was-.patch b/0001-spice-channel-Do-not-segfault-fault-if-peer_msg-was-.patch
index 80eb2e3..f6cf16b 100644
--- a/0001-spice-channel-Do-not-segfault-fault-if-peer_msg-was-.patch
+++ b/0001-spice-channel-Do-not-segfault-fault-if-peer_msg-was-.patch
@@ -1,8 +1,8 @@
-From b19acbca339a3a630f7f19e1fe5b7cc21fccd737 Mon Sep 17 00:00:00 2001
+From 5320ff4eaa5e25cc2d0b1f748dded6a931f632d8 Mon Sep 17 00:00:00 2001
 From: Dunrong Huang
 Date: Mon, 11 Mar 2013 16:30:02 +0800
-Subject: [PATCH spice-gtk] spice-channel: Do not segfault fault if peer_msg
- was a NULL pointer
+Subject: [PATCH 1/2] spice-channel: Do not segfault fault if peer_msg was a
+ NULL pointer
 $ remote-viewer spice://192.168.0.233:111 # 111 is not a valid spice port
 (remote-viewer:29381): GSpice-WARNING **: incomplete link header (-104/16)
@@ -35,7 +35,7 @@ Signed-off-by: Dunrong Huang
 1 file changed, 7 insertions(+), 5 deletions(-)
 diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
-index ce19634..7b9807b 100644
+index 2c559b7..b9d7f97 100644
 --- a/gtk/spice-channel.c
 +++ b/gtk/spice-channel.c
 @@ -1175,7 +1175,7 @@ static void spice_channel_switch_protocol(SpiceChannel *channel, gint version)
@@ -82,5 +82,5 @@ index ce19634..7b9807b 100644
 if (switch_tls)
 goto cleanup;
 --
-1.8.3.rc1.49.g8d97506
+1.8.3.1
diff --git a/0002-acl-helper-Use-ruid-of-invoker-rather-than-looking-u.patch b/0002-acl-helper-Use-ruid-of-invoker-rather-than-looking-u.patch
new file mode 100644
index 0000000..7af5c54
--- /dev/null
+++ b/0002-acl-helper-Use-ruid-of-invoker-rather-than-looking-u.patch
@@ -0,0 +1,32 @@
+From a1c11f19d166600174bba99b977dc8f9fdc2d6c7 Mon Sep 17 00:00:00 2001
+From: Colin Walters
+Date: Wed, 21 Aug 2013 17:15:39 -0400
+Subject: [PATCH 2/2] acl helper: Use ruid of invoker rather than looking up
+ euid in /proc
+
+This way we avoid a race condition if the parent execve()s a setuid
+program (possibly this program).
+
+This is the same as the fix for pkexec which is CVE-2011-1485:
+See: https://bugzilla.redhat.com/show_bug.cgi?id=692922
+---
+ gtk/spice-client-glib-usb-acl-helper.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gtk/spice-client-glib-usb-acl-helper.c b/gtk/spice-client-glib-usb-acl-helper.c
+index 93b9b3a..3ed6cad 100644
+--- a/gtk/spice-client-glib-usb-acl-helper.c
++++ b/gtk/spice-client-glib-usb-acl-helper.c
+@@ -348,7 +348,8 @@ int main(void)
+ FATAL_ERROR("Parent process was reaped by init(1)\n");
+ return 1;
+ }
+- subject = polkit_unix_process_new(parent_pid);
++ /* Do what pkexec does */
++ subject = polkit_unix_process_new_for_owner(parent_pid, 0, getuid ());
+
+ stdin_unix_stream = g_unix_input_stream_new(STDIN_FILENO, 0);
+ stdin_stream = g_data_input_stream_new(stdin_unix_stream);
+--
+1.8.3.1
+
diff --git a/spice-gtk.spec b/spice-gtk.spec
index ae95996..5f03471 100644
--- a/spice-gtk.spec
+++ b/spice-gtk.spec
@@ -13,7 +13,7 @@ Name: spice-gtk
 Version: 0.18
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: A GTK+ widget for SPICE clients
 Group: System Environment/Libraries
@@ -22,6 +22,7 @@ URL: http://spice-space.org/page/Spice-Gtk
 #VCS: git:git://anongit.freedesktop.org/spice/spice-gtk
 Source0: http://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2
 Patch1: 0001-spice-channel-Do-not-segfault-fault-if-peer_msg-was-.patch
+Patch2: 0002-acl-helper-Use-ruid-of-invoker-rather-than-looking-u.patch
 BuildRequires: intltool
 BuildRequires: gtk2-devel >= 2.14
@@ -148,6 +149,7 @@ fi
 pushd spice-gtk-%{version}
 %patch1 -p1
+%patch2 -p1
 popd
 %if %{with_gtk3}
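Review bot: The comment `/* Do what pkexec does */` on the replacement line in the embedded gtk/spice-client-glib-usb-acl-helper.c hunk does not say why the uid now comes from getuid() instead of being looked up by polkit, which is the whole security point of the patch, so the reasoning from the commit message should sit next to the call before someone "simplifies" it back to polkit_unix_process_new(). I would replace it with `/* Like pkexec: pass our own real uid (the invoker's, preserved across the setuid exec) instead of letting polkit read the owner of parent_pid from /proc; the parent can execve() a setuid binary in between and polkit would then see uid 0 (CVE-2013-4324, cf. CVE-2011-1485). */`. The start_time argument is passed as 0, so polkit still reads the parent's start time from /proc at call time; that mirrors pkexec, but it leaves the PID-reuse window between computing parent_pid and that lookup bounded only by polkit's own check, which is worth stating in the same comment. The spec hunks visible here register Patch2 but do not touch the polkit build requirement; if the minimum polkit-devel version in the spec predates polkit_unix_process_new_for_owner(), the build will fail, so that should be confirmed. The enclosing main() starts and ends outside the hunk.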
@@ -268,6 +270,10 @@ rm -rf %{buildroot}%{_datadir}/pkgconfig/spice-protocol.pc
 %{_bindir}/spicy-stats
 %changelog
+* Wed Sep 18 2013 Marc-André Lureau - 0.18-3
+- Fix CVE-2013-4324 Insecure calling of polkit via
+ polkit_unix_process_new() (rhbz#1009540)
+
 * Fri Jun 21 2013 Marc-André Lureau - 0.18-2
 - Fix "incomplete link header" crash. Resolves: #901880