From 646a5c1cbfd95873950a87b5f75d52073a967023 Mon Sep 17 00:00:00 2001
From: Patrick J Volkerding
Date: Mon, 28 May 2018 19:12:29 +0000
Subject: Mon May 28 19:12:29 UTC 2018 a/pkgtools-15.0-noarch-13.txz: Rebuilt. installpkg: default line length for --terselength is the number of columns. removepkg: added --terse mode. upgradepkg: default line length for --terselength is the number of columns. upgradepkg: accept -option in addition to --option. ap/vim-8.1.0026-x86_64-1.txz: Upgraded. d/bison-3.0.5-x86_64-1.txz: Upgraded. e/emacs-26.1-x86_64-1.txz: Upgraded. kde/kopete-4.14.3-x86_64-8.txz: Rebuilt. Recompiled against libidn-1.35. n/conntrack-tools-1.4.5-x86_64-1.txz: Upgraded. n/libnetfilter_conntrack-1.0.7-x86_64-1.txz: Upgraded. n/libnftnl-1.1.0-x86_64-1.txz: Upgraded. n/links-2.16-x86_64-2.txz: Rebuilt. Rebuilt to enable X driver for -g mode. n/lynx-2.8.9dev.19-x86_64-1.txz: Upgraded. n/nftables-0.8.5-x86_64-1.txz: Upgraded. n/p11-kit-0.23.11-x86_64-1.txz: Upgraded. n/ulogd-2.0.7-x86_64-1.txz: Upgraded. n/whois-5.3.1-x86_64-1.txz: Upgraded. xap/network-manager-applet-1.8.12-x86_64-1.txz: Upgraded. xap/vim-gvim-8.1.0026-x86_64-1.txz: Upgraded.
---
 ...-Set-GIO_USE_VFS-local-in-the-environment.patch | 127 +++++++++++++++++++++
 1 file changed, 127 insertions(+)
 create mode 100644 source/l/polkit/0005-data-Set-GIO_USE_VFS-local-in-the-environment.patch
(limited to 'source/l/polkit/0005-data-Set-GIO_USE_VFS-local-in-the-environment.patch')
diff --git a/source/l/polkit/0005-data-Set-GIO_USE_VFS-local-in-the-environment.patch b/source/l/polkit/0005-data-Set-GIO_USE_VFS-local-in-the-environment.patch
new file mode 100644
index 000000000..b5d8ae0fe
--- /dev/null
+++ b/source/l/polkit/0005-data-Set-GIO_USE_VFS-local-in-the-environment.patch
@@ -0,0 +1,127 @@
+From daf3d5c2d15466a267221fcb099c59c870098e03 Mon Sep 17 00:00:00 2001
+From: Philip Withnall
+Date: Thu, 19 May 2016 10:08:08 +0100
+Subject: [PATCH 05/16] data: Set GIO_USE_VFS=local in the environment
+
+There is no need for polkit to ever use GVFS to load files from
+non-local sources, so it's best to avoid loading GVFS code, and to just
+rely on the local implementation in GIO instead. This reduces the attack
+surface of polkit.
+
+Implemented for the daemon, pkaction, pkcheck, pkexec and pkttyagent,
+because none of them need remote file access.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=95487
+---
+ src/polkitbackend/polkitd.c | 4 ++++
+ src/programs/pkaction.c | 4 ++++
+ src/programs/pkcheck.c | 4 ++++
+ src/programs/pkexec.c | 3 +++
+ src/programs/pkttyagent.c | 4 ++++
+ 5 files changed, 19 insertions(+)
+
+diff --git a/src/polkitbackend/polkitd.c b/src/polkitbackend/polkitd.c
+index d1527fb..8d54ed7 100644
+--- a/src/polkitbackend/polkitd.c
++++ b/src/polkitbackend/polkitd.c
+@@ -22,6 +22,7 @@
+ #include "config.h"
+ 
+ #include
++#include
+ 
+ #include
+ 
+@@ -169,6 +170,9 @@ main (int argc,
+ sigint_id = 0;
+ registration_id = NULL;
+ 
++ /* Disable remote file access from GIO. */
++ setenv ("GIO_USE_VFS", "local", 1);
++
+ g_type_init ();
+ 
+ opt_context = g_option_context_new ("polkit system daemon");
+diff --git a/src/programs/pkaction.c b/src/programs/pkaction.c
+index f17a7dc..221662a 100644
+--- a/src/programs/pkaction.c
++++ b/src/programs/pkaction.c
+@@ -24,6 +24,7 @@
+ #endif
+ 
+ #include
++#include
+ #include
+ #include
+ 
+@@ -121,6 +122,9 @@ main (int argc, char *argv[])
+ actions = NULL;
+ ret = 1;
+ 
++ /* Disable remote file access from GIO. */
++ setenv ("GIO_USE_VFS", "local", 1);
++
+ g_type_init ();
+ 
+ opt_show_version = FALSE;
+diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c
+index 5781893..33db128 100644
+--- a/src/programs/pkcheck.c
++++ b/src/programs/pkcheck.c
+@@ -24,6 +24,7 @@
+ #endif
+ 
+ #include
++#include
+ #include
+ #include
+ #define POLKIT_AGENT_I_KNOW_API_IS_SUBJECT_TO_CHANGE
+@@ -362,6 +363,9 @@ main (int argc, char *argv[])
+ local_agent_handle = NULL;
+ ret = 126;
+ 
++ /* Disable remote file access from GIO. */
++ setenv ("GIO_USE_VFS", "local", 1);
++
+ g_type_init ();
+ 
+ details = polkit_details_new ();
+diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c
+index 50de92c..3b29b24 100644
+--- a/src/programs/pkexec.c
++++ b/src/programs/pkexec.c
+@@ -503,6 +503,9 @@ main (int argc, char *argv[])
+ opt_user = NULL;
+ local_agent_handle = NULL;
+ 
++ /* Disable remote file access from GIO. */
++ setenv ("GIO_USE_VFS", "local", 1);
++
+ /* check for correct invocation */
+ if (geteuid () != 0)
+ {
+diff --git a/src/programs/pkttyagent.c b/src/programs/pkttyagent.c
+index 423b728..8aac7dd 100644
+--- a/src/programs/pkttyagent.c
++++ b/src/programs/pkttyagent.c
+@@ -24,6 +24,7 @@
+ #endif
+ 
+ #include
++#include
+ #include
+ #include
+ #define POLKIT_AGENT_I_KNOW_API_IS_SUBJECT_TO_CHANGE
+@@ -74,6 +75,9 @@ main (int argc, char *argv[])
+ guint ret = 126;
+ GVariantBuilder builder;
+ 
++ /* Disable remote file access from GIO. */
++ setenv ("GIO_USE_VFS", "local", 1);
++
+ g_type_init ();
+ 
+ error = NULL;
+--
+2.13.0
+
-- cgit v1.2.3-79-gdb01
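Review bot: The result of `setenv ("GIO_USE_VFS", "local", 1)` is discarded in all five `main()` hunks (polkitd.c, pkaction.c, pkcheck.c, pkexec.c, pkttyagent.c), so a failed call leaves the inherited GIO_USE_VFS value in force and the attack-surface reduction described in the commit message is silently lost. This matters most in pkexec.c, where the call precedes the `geteuid () != 0` check and the environment is presumably supplied by the invoking user. I would fail closed, e.g. `if (setenv ("GIO_USE_VFS", "local", 1) != 0)` followed by an error message and an exit with the program's existing failure status, before any GIO call is made. The comment could also state the reason rather than the effect, for example `/* Force GIO's local VFS so no GVFS module is loaded into this process. */`. Each `main()` body starts and ends outside its hunk, so the right exit path has to be checked against the full files.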