gvfs: fix CVE-2019-1244{7.8.9}

This is a version of #63481 for master. CVE-2019-12447: daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used. CVE-2019-12448: daemon/gvfsbackendadmin.c has race conditions because the admin backend doesn't implement query_info_on_read/write. CVE-2019-12449: daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable. Upstream MR: https://gitlab.gnome.org/GNOME/gvfs/merge_requests/48
NixOS · Jun 18, 2019 · 02ea0d3 · 02ea0d3
1 parent 6fa7263
commit 02ea0d3
Showing 1 changed file with 23 additions and 1 deletion.
diff --git a/pkgs/development/libraries/gvfs/default.nix b/pkgs/development/libraries/gvfs/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, meson, ninja, pkgconfig, gettext, gnome3, dbus
-, glib, libgudev, udisks2, libgcrypt, libcap, polkit
+, glib, libgudev, udisks2, libgcrypt, libcap, polkit, fetchpatch
 , libgphoto2, avahi, libarchive, fuse, libcdio
 , libxml2, libxslt, docbook_xsl, docbook_xml_dtd_42, samba, libmtp
 , gnomeSupport ? false, gnome, gcr, wrapGAppsHook
@@ -18,6 +18,28 @@ in stdenv.mkDerivation rec {
     sha256 = "1cfnzamr4mvgpf6yhm28lh9cafy9z6842s8jpbqnfizfxybg8ylj";
   };
 
+  patches = [
+    # CVE-2019-12448
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gvfs/commit/464bbc7e4e7fdfc3cb426557562038408b6108c5.patch";
+      sha256 = "03fwlpj1vbi80661bbhzv8ddx3czkzv9i1q4h3gqyxi5f1i0xfz4";
+    })
+    # CVE-2019-12447
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gvfs/commit/cf2f9c4020bbdd895485244b70e9442a80062cbe.patch";
+      sha256 = "1p7c48nsx1lkv2qpkyrsm9qfa77xwd28gczwcpv2kbji3ws5qgj5";
+    })
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gvfs/commit/64156459a366d64ab19187455016929b1026189a.patch";
+      sha256 = "0zxbhmgqxxw987ag8fh6yjzjn9jl55fqbn814jh9kwrk7x4prx9x";
+    })
+    # CVE-2019-12449
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gvfs/commit/ec939a01c278d1aaa47153f51b5c5f0887738dd9.patch";
+      sha256 = "0hfybfaz2gfx3yyw5ymx6q0pqwkx2r1i7gzprfp80bplwslq0d4h";
+    })
+  ];
+
   postPatch = ''
     # patchShebangs requires executable file
     chmod +x meson_post_install.py