From 02ea0d3959ba5a8f2108d3bc8f5a57635d758713 Mon Sep 17 00:00:00 2001
From: worldofpeace <worldofpeace@protonmail.ch>
Date: Tue, 18 Jun 2019 19:45:23 -0400
Subject: gvfs: fix CVE-2019-1244{7.8.9}

This is a version of #63481 for master.

CVE-2019-12447:
daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is
not used.

CVE-2019-12448:
daemon/gvfsbackendadmin.c has race conditions because the admin backend
doesn't implement query_info_on_read/write.

CVE-2019-12449:
daemon/gvfsbackendadmin.c mishandles a file's user and group ownership
during move (and copy with G_FILE_COPY_ALL_METADATA) operations
from admin:// to file:// URIs, because root privileges are unavailable.

Upstream MR: https://gitlab.gnome.org/GNOME/gvfs/merge_requests/48
---
 pkgs/development/libraries/gvfs/default.nix | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

(limited to 'pkgs/development/libraries/gvfs')

diff --git a/pkgs/development/libraries/gvfs/default.nix b/pkgs/development/libraries/gvfs/default.nix
index d9163c97cb7..a238efb4bdb 100644
--- a/pkgs/development/libraries/gvfs/default.nix
+++ b/pkgs/development/libraries/gvfs/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, meson, ninja, pkgconfig, gettext, gnome3, dbus
-, glib, libgudev, udisks2, libgcrypt, libcap, polkit
+, glib, libgudev, udisks2, libgcrypt, libcap, polkit, fetchpatch
 , libgphoto2, avahi, libarchive, fuse, libcdio
 , libxml2, libxslt, docbook_xsl, docbook_xml_dtd_42, samba, libmtp
 , gnomeSupport ? false, gnome, gcr, wrapGAppsHook
@@ -18,6 +18,28 @@ in stdenv.mkDerivation rec {
     sha256 = "1cfnzamr4mvgpf6yhm28lh9cafy9z6842s8jpbqnfizfxybg8ylj";
   };
 
+  patches = [
+    # CVE-2019-12448
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gvfs/commit/464bbc7e4e7fdfc3cb426557562038408b6108c5.patch";
+      sha256 = "03fwlpj1vbi80661bbhzv8ddx3czkzv9i1q4h3gqyxi5f1i0xfz4";
+    })
+    # CVE-2019-12447
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gvfs/commit/cf2f9c4020bbdd895485244b70e9442a80062cbe.patch";
+      sha256 = "1p7c48nsx1lkv2qpkyrsm9qfa77xwd28gczwcpv2kbji3ws5qgj5";
+    })
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gvfs/commit/64156459a366d64ab19187455016929b1026189a.patch";
+      sha256 = "0zxbhmgqxxw987ag8fh6yjzjn9jl55fqbn814jh9kwrk7x4prx9x";
+    })
+    # CVE-2019-12449
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/GNOME/gvfs/commit/ec939a01c278d1aaa47153f51b5c5f0887738dd9.patch";
+      sha256 = "0hfybfaz2gfx3yyw5ymx6q0pqwkx2r1i7gzprfp80bplwslq0d4h";
+    })
+  ];
+
   postPatch = ''
     # patchShebangs requires executable file
     chmod +x meson_post_install.py
-- 
cgit 1.4.1