Patch for the gpg cache not expiring
* This is a minor security issue. See: https://bugzilla.gnome.org/show_bug.cgi?id=681081 Signed-off-by: Richard Hughes <richard@hughsie.com>
parent
fcec2f7e94
commit
807308f73a
@ -0,0 +1,99 @@
From 51606f299e5ee9d48096db0a5957efe26cbf7cc3 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@gnome.org>
Date: Wed, 8 Aug 2012 06:06:58 +0200
Subject: [PATCH 1/2] gpg-agent: Hook up the TTL cache option
* So that when the gsettings gpg-cache-method is 'idle' or 'timeout'
we use gpg-cache-ttl to control how long the passphrase is cached
for.
* This is a regression from 3.3.x
https://bugzilla.gnome.org/show_bug.cgi?id=681081
---
daemon/gpg-agent/gkd-gpg-agent-ops.c | 40 ++++++++++++++++++++++--------------
1 file changed, 25 insertions(+), 15 deletions(-)
diff --git a/daemon/gpg-agent/gkd-gpg-agent-ops.c b/daemon/gpg-agent/gkd-gpg-agent-ops.c
index a0e8731..c8414fe 100644
--- a/daemon/gpg-agent/gkd-gpg-agent-ops.c
+++ b/daemon/gpg-agent/gkd-gpg-agent-ops.c
@@ -322,17 +322,6 @@ load_unlock_options (GcrPrompt *prompt)
g_free (method);
}
-static void
-save_unlock_options (GcrPrompt *prompt)
-{
- GSettings *settings;
-
- settings = gkd_gpg_agent_settings ();
-
- if (gcr_prompt_get_choice_chosen (prompt))
- g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
-}
-
static GcrPrompt *
open_password_prompt (GckSession *session,
const gchar *keyid,
@@ -405,11 +394,14 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
const gchar *prompt_text, const gchar *description, gboolean confirm)
{
GckBuilder builder = GCK_BUILDER_INIT;
+ GSettings *settings;
GckAttributes *attrs;
gchar *password = NULL;
GcrPrompt *prompt;
gboolean chosen;
GError *error = NULL;
+ gint lifetime;
+ gchar *method;
g_assert (GCK_IS_SESSION (session));
@@ -430,21 +422,39 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
}
if (password != NULL && keyid != NULL) {
+ settings = gkd_gpg_agent_settings ();
/* Load up the save options */
chosen = gcr_prompt_get_choice_chosen (prompt);
- if (chosen)
+ if (chosen) {
+ g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
gck_builder_add_string (&builder, CKA_G_COLLECTION, "login");
- else
+
+ } else {
+ method = g_settings_get_string (settings, "gpg-cache-method");
+ lifetime = g_settings_get_int (settings, "gpg-cache-ttl");
+
+ if (g_strcmp0 (method, GCR_UNLOCK_OPTION_IDLE) == 0) {
+ gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
+ gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_IDLE, lifetime);
+
+ } else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_TIMEOUT) == 0) {
+ gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
+ gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_AFTER, lifetime);
+
+ } else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_SESSION)){
+ g_message ("Unsupported gpg-cache-method setting: %s", method);
+ }
+
gck_builder_add_string (&builder, CKA_G_COLLECTION, "session");
+ g_free (method);
+ }
/* Now actually save the password */
attrs = gck_attributes_ref_sink (gck_builder_end (&builder));
do_save_password (session, keyid, description, password, attrs);
gck_attributes_unref (attrs);
-
- save_unlock_options (prompt);
}
g_clear_object (&prompt);
--
1.7.11.4
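Review bot: In the new `else` branch of do_get_password, `lifetime` read from `gpg-cache-ttl` is passed straight to gck_builder_add_ulong for CKA_G_DESTRUCT_IDLE and CKA_G_DESTRUCT_AFTER with no range check; if the schema permits a zero or negative value (not visible in this hunk), the gint-to-gulong conversion of a negative value yields an enormous lifetime and the expiry this patch is restoring is defeated. A guard before the method comparison, for example `if (lifetime <= 0) g_message ("Ignoring invalid gpg-cache-ttl: %d", lifetime);`, with the two transient attributes added only when `lifetime > 0`, would make the accepted range explicit. Separately, `else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_SESSION))` is logically right (it logs when method is none of idle/timeout/session) but sits next to two `== 0` comparisons and reads like a missing `== 0`; spelling it `g_strcmp0 (method, GCR_UNLOCK_OPTION_SESSION) != 0` avoids the double take. The body of do_get_password begins before this hunk.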
@ -0,0 +1,27 @@
From 5dff623470b859e332dbe12afb0dc57b292832d2 Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@gnome.org>
Date: Wed, 8 Aug 2012 15:08:22 +0200
Subject: [PATCH 2/2] secret-store: Mark a secret item as 'used' when accessed
* This makes the gpg-agent idle feature work correctly
https://bugzilla.gnome.org/show_bug.cgi?id=681081
---
pkcs11/secret-store/gkm-secret-item.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/pkcs11/secret-store/gkm-secret-item.c b/pkcs11/secret-store/gkm-secret-item.c
index d03c4a8..15791a9 100644
--- a/pkcs11/secret-store/gkm-secret-item.c
+++ b/pkcs11/secret-store/gkm-secret-item.c
@@ -224,6 +224,7 @@ gkm_secret_item_real_get_attribute (GkmObject *base, GkmSession *session, CK_ATT
identifier = gkm_secret_object_get_identifier (GKM_SECRET_OBJECT (self));
secret = gkm_secret_data_get_raw (sdata, identifier, &n_secret);
rv = gkm_attribute_set_data (attr, secret, n_secret);
+ gkm_object_mark_used (base);
g_object_unref (sdata);
return rv;
--
1.7.11.4
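Review bot: `gkm_object_mark_used (base)` runs unconditionally after gkm_attribute_set_data, so an attribute read that fails still refreshes the item's idle timer; if only a successful secret read should count as use for the idle TTL, guard it with `if (rv == CKR_OK) gkm_object_mark_used (base);`. Whether that matters depends on how callers query this attribute, which is not visible in the hunk. gkm_secret_item_real_get_attribute begins before this hunk.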
@ -9,13 +9,16 @@
Summary: Framework for managing passwords and other secrets
Name: gnome-keyring
Version: 3.4.1
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Libraries
#VCS: git:git://git.gnome.org/gnome-keyring
Source: http://download.gnome.org/sources/gnome-keyring/3.4/gnome-keyring-%{version}.tar.xz
URL: http://www.gnome.org
Patch0: gnome-keyring-3.4.1-fix-cache-option.patch
Patch1: gnome-keyring-3.4.1-mark-usage-on-item.patch
BuildRequires: glib2-devel >= %{glib2_version}
BuildRequires: gtk3-devel >= %{gtk3_version}
BuildRequires: gcr-devel >= %{gcr_version}
@ -60,6 +63,8 @@ automatically unlock the "login" keyring when the user logs in.
%prep
%setup -q -n gnome-keyring-%{version}
%patch0 -p1
%patch1 -p1
%build
%configure \
@ -122,6 +127,10 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas >&/dev/null || :
%changelog
* Wed Aug 15 2012 Stef Walter <stefw@redhat.com> - 3.4.1-3
- Fix for minor security issue:
https://bugzilla.gnome.org/show_bug.cgi?id=681081
* Tue Apr 24 2012 Kalev Lember <kalevlember@gmail.com> - 3.4.1-2
- Silence rpm scriptlet output