Attachment 605596 Details for Bug 846904 – Patch for F17

[patch] Patch for F17

0001-Patch-for-the-gpg-cache-not-expiring.patch (text/plain), 6.65 KB, created by Stef Walter on 2012-08-20 08:22:07 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Stef Walter

Created: 2012-08-20 08:22:07 UTC

Size: 6.65 KB

patch

obsolete

>From 52aa8d47da38572151fe59e5cbdebf0e58468020 Mon Sep 17 00:00:00 2001
>From: Stef Walter <stefw@gnome.org>
>Date: Wed, 15 Aug 2012 22:15:04 +0200
>Subject: [PATCH] Patch for the gpg cache not expiring
>
> * This is a minor security issue
>
>See: https://bugzilla.gnome.org/show_bug.cgi?id=681081
>---
> gnome-keyring-3.4.1-fix-cache-option.patch   | 99 ++++++++++++++++++++++++++++
> gnome-keyring-3.4.1-mark-usage-on-item.patch | 27 ++++++++
> gnome-keyring.spec                           | 11 +++-
> 3 files changed, 136 insertions(+), 1 deletion(-)
> create mode 100644 gnome-keyring-3.4.1-fix-cache-option.patch
> create mode 100644 gnome-keyring-3.4.1-mark-usage-on-item.patch
>
>diff --git a/gnome-keyring-3.4.1-fix-cache-option.patch b/gnome-keyring-3.4.1-fix-cache-option.patch
>new file mode 100644
>index 0000000..60f4e14
>--- /dev/null
>+++ b/gnome-keyring-3.4.1-fix-cache-option.patch
>@@ -0,0 +1,99 @@
>+From 51606f299e5ee9d48096db0a5957efe26cbf7cc3 Mon Sep 17 00:00:00 2001
>+From: Stef Walter <stefw@gnome.org>
>+Date: Wed, 8 Aug 2012 06:06:58 +0200
>+Subject: [PATCH 1/2] gpg-agent: Hook up the TTL cache option
>+
>+ * So that when the gsettings gpg-cache-method is 'idle' or 'timeout'
>+   we use gpg-cache-ttl to control how long the passphrase is cached
>+   for.
>+ * This is a regression from 3.3.x
>+
>+https://bugzilla.gnome.org/show_bug.cgi?id=681081
>+---
>+ daemon/gpg-agent/gkd-gpg-agent-ops.c | 40 ++++++++++++++++++++++--------------
>+ 1 file changed, 25 insertions(+), 15 deletions(-)
>+
>+diff --git a/daemon/gpg-agent/gkd-gpg-agent-ops.c b/daemon/gpg-agent/gkd-gpg-agent-ops.c
>+index a0e8731..c8414fe 100644
>+--- a/daemon/gpg-agent/gkd-gpg-agent-ops.c
>++++ b/daemon/gpg-agent/gkd-gpg-agent-ops.c
>+@@ -322,17 +322,6 @@ load_unlock_options (GcrPrompt *prompt)
>+ 	g_free (method);
>+ }
>+ 
>+-static void
>+-save_unlock_options (GcrPrompt *prompt)
>+-{
>+-	GSettings *settings;
>+-
>+-	settings = gkd_gpg_agent_settings ();
>+-
>+-	if (gcr_prompt_get_choice_chosen (prompt))
>+-		g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
>+-}
>+-
>+ static GcrPrompt *
>+ open_password_prompt (GckSession *session,
>+                       const gchar *keyid,
>+@@ -405,11 +394,14 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
>+                  const gchar *prompt_text, const gchar *description, gboolean confirm)
>+ {
>+ 	GckBuilder builder = GCK_BUILDER_INIT;
>++	GSettings *settings;
>+ 	GckAttributes *attrs;
>+ 	gchar *password = NULL;
>+ 	GcrPrompt *prompt;
>+ 	gboolean chosen;
>+ 	GError *error = NULL;
>++	gint lifetime;
>++	gchar *method;
>+ 
>+ 	g_assert (GCK_IS_SESSION (session));
>+ 
>+@@ -430,21 +422,39 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
>+ 	}
>+ 
>+ 	if (password != NULL && keyid != NULL) {
>++		settings = gkd_gpg_agent_settings ();
>+ 
>+ 		/* Load up the save options */
>+ 		chosen = gcr_prompt_get_choice_chosen (prompt);
>+ 
>+-		if (chosen)
>++		if (chosen) {
>++			g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
>+ 			gck_builder_add_string (&builder, CKA_G_COLLECTION, "login");
>+-		else
>++
>++		} else {
>++			method = g_settings_get_string (settings, "gpg-cache-method");
>++			lifetime = g_settings_get_int (settings, "gpg-cache-ttl");
>++
>++			if (g_strcmp0 (method, GCR_UNLOCK_OPTION_IDLE) == 0) {
>++				gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
>++				gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_IDLE, lifetime);
>++
>++			} else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_TIMEOUT) == 0) {
>++				gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
>++				gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_AFTER, lifetime);
>++
>++			} else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_SESSION)){
>++				g_message ("Unsupported gpg-cache-method setting: %s", method);
>++			}
>++
>+ 			gck_builder_add_string (&builder, CKA_G_COLLECTION, "session");
>++			g_free (method);
>++		}
>+ 
>+ 		/* Now actually save the password */
>+ 		attrs = gck_attributes_ref_sink (gck_builder_end (&builder));
>+ 		do_save_password (session, keyid, description, password, attrs);
>+ 		gck_attributes_unref (attrs);
>+-
>+-		save_unlock_options (prompt);
>+ 	}
>+ 
>+ 	g_clear_object (&prompt);
>+-- 
>+1.7.11.4
>+
>diff --git a/gnome-keyring-3.4.1-mark-usage-on-item.patch b/gnome-keyring-3.4.1-mark-usage-on-item.patch
>new file mode 100644
>index 0000000..1cf9b43
>--- /dev/null
>+++ b/gnome-keyring-3.4.1-mark-usage-on-item.patch
>@@ -0,0 +1,27 @@
>+From 5dff623470b859e332dbe12afb0dc57b292832d2 Mon Sep 17 00:00:00 2001
>+From: Stef Walter <stefw@gnome.org>
>+Date: Wed, 8 Aug 2012 15:08:22 +0200
>+Subject: [PATCH 2/2] secret-store: Mark a secret item as 'used' when accessed
>+
>+ * This makes the gpg-agent idle feature work correctly
>+
>+https://bugzilla.gnome.org/show_bug.cgi?id=681081
>+---
>+ pkcs11/secret-store/gkm-secret-item.c | 1 +
>+ 1 file changed, 1 insertion(+)
>+
>+diff --git a/pkcs11/secret-store/gkm-secret-item.c b/pkcs11/secret-store/gkm-secret-item.c
>+index d03c4a8..15791a9 100644
>+--- a/pkcs11/secret-store/gkm-secret-item.c
>++++ b/pkcs11/secret-store/gkm-secret-item.c
>+@@ -224,6 +224,7 @@ gkm_secret_item_real_get_attribute (GkmObject *base, GkmSession *session, CK_ATT
>+ 		identifier = gkm_secret_object_get_identifier (GKM_SECRET_OBJECT (self));
>+ 		secret = gkm_secret_data_get_raw (sdata, identifier, &n_secret);
>+ 		rv = gkm_attribute_set_data (attr, secret, n_secret);
>++		gkm_object_mark_used (base);
>+ 		g_object_unref (sdata);
>+ 		return rv;
>+ 
>+-- 
>+1.7.11.4
>+
>diff --git a/gnome-keyring.spec b/gnome-keyring.spec
>index fd127ef..7c5a7fb 100644
>--- a/gnome-keyring.spec
>+++ b/gnome-keyring.spec
>@@ -9,13 +9,16 @@
> Summary: Framework for managing passwords and other secrets
> Name: gnome-keyring
> Version: 3.4.1
>-Release: 2%{?dist}
>+Release: 3%{?dist}
> License: GPLv2+ and LGPLv2+
> Group: System Environment/Libraries
> #VCS: git:git://git.gnome.org/gnome-keyring
> Source: http://download.gnome.org/sources/gnome-keyring/3.4/gnome-keyring-%{version}.tar.xz
> URL: http://www.gnome.org
> 
>+Patch0:         gnome-keyring-3.4.1-fix-cache-option.patch
>+Patch1:		gnome-keyring-3.4.1-mark-usage-on-item.patch
>+
> BuildRequires: glib2-devel >= %{glib2_version}
> BuildRequires: gtk3-devel >= %{gtk3_version}
> BuildRequires: gcr-devel >= %{gcr_version}
>@@ -60,6 +63,8 @@ automatically unlock the "login" keyring when the user logs in.
> 
> %prep
> %setup -q -n gnome-keyring-%{version}
>+%patch0 -p1
>+%patch1 -p1
> 
> %build
> %configure \
>@@ -122,6 +127,10 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas >&/dev/null || :
> 
> 
> %changelog
>+* Wed Aug 15 2012 Stef Walter <stefw@redhat.com> - 3.4.1-3
>+- Fix for minor security issue:
>+  https://bugzilla.gnome.org/show_bug.cgi?id=681081
>+
> * Tue Apr 24 2012 Kalev Lember <kalevlember@gmail.com> - 3.4.1-2
> - Silence rpm scriptlet output
> 
>-- 
>1.7.11.4
>

Actions: View | Diff

Attachments on bug 846904: 605596