WARNING: couldn't connect to: /tmp/keyring-... (#783568 , gnome#665961)

Patch for the gpg cache not expiring
* This is a minor security issue See: https://bugzilla.gnome.org/show_bug.cgi?id=681081 Signed-off-by: Richard Hughes <richard@hughsie.com>
2012-11-09 08:26:54 -06:00 · 2012-08-20 09:32:36 +01:00 · 2012-04-24 18:16:08 +03:00 · 2012-04-16 16:21:57 +01:00 · 2012-03-26 17:51:54 +02:00 · 2012-03-26 17:50:29 +02:00
10 changed files with 223 additions and 140 deletions
--- a/.gitignore
+++ b/.gitignore
@ -24,3 +24,5 @@ gnome-keyring-2.31.4.tar.bz2
 /gnome-keyring-3.3.5.tar.xz
 /gnome-keyring-3.3.91.tar.xz
 /gnome-keyring-3.3.92.tar.xz
+/gnome-keyring-3.4.0.tar.xz
+/gnome-keyring-3.4.1.tar.xz
--- a/gnome-keyring-2.28.1-nopass.patch
+++ b/gnome-keyring-2.28.1-nopass.patch
@ -1,22 +0,0 @@
-diff -up gnome-keyring-2.28.1/pam/gkr-pam-module.c.nopass gnome-keyring-2.28.1/pam/gkr-pam-module.c
--- gnome-keyring-2.28.1/pam/gkr-pam-module.c.nopass	2009-09-25 21:55:50.000000000 -0400
-+++ gnome-keyring-2.28.1/pam/gkr-pam-module.c	2009-10-19 11:27:34.000000000 -0400
-@@ -878,6 +878,7 @@ pam_sm_authenticate (pam_handle_t *ph, i
- 
- 	started_daemon = 0;
- 
-+
- 	/* Should we start the daemon? */
- 	if (args & ARG_AUTO_START) {
- 		ret = start_daemon_if_necessary (ph, pwd, password, &started_daemon);
-@@ -944,8 +945,9 @@ pam_sm_open_session (pam_handle_t *ph, i
- 		 * different PAM callbacks from different processes.
- 		 * 
- 		 * No use complaining
-+		 * Do not start gnome-keyring, dbus will start it on login.
- 		 */
-		password = NULL;
-+		return PAM_SUCCESS;
- 	}
- 	
- 	started_daemon = 0;
--- a/gnome-keyring-3.1.2-caps-ext-check.patch
+++ b/gnome-keyring-3.1.2-caps-ext-check.patch
@ -1,49 +0,0 @@
-From fd0bf3d36f3295fbc7c6d4bed34e2d2849764e68 Mon Sep 17 00:00:00 2001
-From: Vincent Untz <vuntz@gnome.org>
-Date: Fri, 6 May 2011 14:14:21 +0200
-Subject: [PATCH] Improved checks for fs capabilities, and drop unneeded ones
-
-If we have fs capabilities, we first need to check that we really do
-have ipc_lock, and if that's the case we just keep ipc_lock and drop
-everything else.
-
-https://bugzilla.gnome.org/show_bug.cgi?id=649560
---
- daemon/gkd-capability.c |   19 +++++++++++++++++--
- 1 files changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
-index 5b47f4e..e15200a 100644
--- a/daemon/gkd-capability.c
-+++ b/daemon/gkd-capability.c
-@@ -71,11 +71,26 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
- 				early_error ("failed dropping capabilities");
- 			break;
- 		case CAPNG_FAIL:
-		case CAPNG_NONE:
- 			early_error ("error getting process capabilities");
- 			break;
-+		case CAPNG_NONE:
-+			early_error ("insufficient process capabilities");
-+			break;
- 		case CAPNG_PARTIAL: /* File system based capabilities */
-                        break;
-+			if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
-+				early_error ("insufficient process capabilities");
-+				break;
-+			}
-+
-+			/* Drop all capabilities except ipc_lock */
-+			capng_clear (CAPNG_SELECT_BOTH);
-+			if (capng_update (CAPNG_ADD,
-+					  CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-+					  CAP_IPC_LOCK) != 0)
-+				early_error ("error dropping process capabilities");
-+			if (capng_apply (CAPNG_SELECT_BOTH) != 0)
-+				early_error ("error dropping process capabilities");
-+			break;
- 	}
- #endif /* HAVE_LIBCAPNG */
- }
-- 
-1.7.4.2
--- a/gnome-keyring-3.1.2-caps-warn-unavail.patch
+++ b/gnome-keyring-3.1.2-caps-warn-unavail.patch
@ -1,50 +0,0 @@
-From 156f6f318daa782cd209c90ed69a0d24595af5d1 Mon Sep 17 00:00:00 2001
-From: Vincent Untz <vuntz@gnome.org>
-Date: Fri, 6 May 2011 14:18:00 +0200
-Subject: [PATCH] Accept to run if ipc_lock capability is not available
-
-We print a warning about potential use of unsecure memory, but still
-run (and drop unneeded capabilities if we have some). This is better
-than nothing.
-
-https://bugzilla.gnome.org/show_bug.cgi?id=649560
---
- daemon/gkd-capability.c |   13 +++++++++++--
- 1 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/daemon/gkd-capability.c b/daemon/gkd-capability.c
-index e15200a..92c000c 100644
--- a/daemon/gkd-capability.c
-+++ b/daemon/gkd-capability.c
-@@ -42,6 +42,12 @@ early_error (const char *err_string)
- 	exit (1);
- }
- 
-+static void
-+early_warning (const char *warn_string)
-+{
-+	fprintf (stderr, "gnome-keyring-daemon: %s\n", warn_string);
-+}
-+
- #endif /* HAVE_LIPCAPNG */
- 
- /*
-@@ -74,11 +80,14 @@ gkd_capability_obtain_capability_and_drop_privileges (void)
- 			early_error ("error getting process capabilities");
- 			break;
- 		case CAPNG_NONE:
-			early_error ("insufficient process capabilities");
-+			early_warning ("insufficient process capabilities, unsecure memory might get used");
- 			break;
- 		case CAPNG_PARTIAL: /* File system based capabilities */
- 			if (!capng_have_capability (CAPNG_EFFECTIVE, CAP_IPC_LOCK)) {
-				early_error ("insufficient process capabilities");
-+				early_warning ("insufficient process capabilities, unsecure memory might get used");
-+				/* Drop all capabilities */
-+				capng_clear (CAPNG_SELECT_BOTH);
-+				capng_apply (CAPNG_SELECT_BOTH);
- 				break;
- 			}
- 
-- 
-1.7.4.2
--- a/gnome-keyring-3.4.1-fix-cache-option.patch
+++ b/gnome-keyring-3.4.1-fix-cache-option.patch
@ -0,0 +1,99 @@
+From 51606f299e5ee9d48096db0a5957efe26cbf7cc3 Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw@gnome.org>
+Date: Wed, 8 Aug 2012 06:06:58 +0200
+Subject: [PATCH 1/2] gpg-agent: Hook up the TTL cache option
+
+ * So that when the gsettings gpg-cache-method is 'idle' or 'timeout'
+   we use gpg-cache-ttl to control how long the passphrase is cached
+   for.
+ * This is a regression from 3.3.x
+
+https://bugzilla.gnome.org/show_bug.cgi?id=681081
+---
+ daemon/gpg-agent/gkd-gpg-agent-ops.c | 40 ++++++++++++++++++++++--------------
+ 1 file changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/daemon/gpg-agent/gkd-gpg-agent-ops.c b/daemon/gpg-agent/gkd-gpg-agent-ops.c
+index a0e8731..c8414fe 100644
+--- a/daemon/gpg-agent/gkd-gpg-agent-ops.c
+++ b/daemon/gpg-agent/gkd-gpg-agent-ops.c
+@@ -322,17 +322,6 @@ load_unlock_options (GcrPrompt *prompt)
+ 	g_free (method);
+ }
+ 
+-static void
+-save_unlock_options (GcrPrompt *prompt)
+-{
+-	GSettings *settings;
+-
+-	settings = gkd_gpg_agent_settings ();
+-
+-	if (gcr_prompt_get_choice_chosen (prompt))
+-		g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
+-}
+-
+ static GcrPrompt *
+ open_password_prompt (GckSession *session,
+                       const gchar *keyid,
+@@ -405,11 +394,14 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
+                  const gchar *prompt_text, const gchar *description, gboolean confirm)
+ {
+ 	GckBuilder builder = GCK_BUILDER_INIT;
+	GSettings *settings;
+ 	GckAttributes *attrs;
+ 	gchar *password = NULL;
+ 	GcrPrompt *prompt;
+ 	gboolean chosen;
+ 	GError *error = NULL;
+	gint lifetime;
+	gchar *method;
+ 
+ 	g_assert (GCK_IS_SESSION (session));
+ 
+@@ -430,21 +422,39 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
+ 	}
+ 
+ 	if (password != NULL && keyid != NULL) {
+		settings = gkd_gpg_agent_settings ();
+ 
+ 		/* Load up the save options */
+ 		chosen = gcr_prompt_get_choice_chosen (prompt);
+ 
+-		if (chosen)
+		if (chosen) {
+			g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
+ 			gck_builder_add_string (&builder, CKA_G_COLLECTION, "login");
+-		else
+
+		} else {
+			method = g_settings_get_string (settings, "gpg-cache-method");
+			lifetime = g_settings_get_int (settings, "gpg-cache-ttl");
+
+			if (g_strcmp0 (method, GCR_UNLOCK_OPTION_IDLE) == 0) {
+				gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
+				gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_IDLE, lifetime);
+
+			} else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_TIMEOUT) == 0) {
+				gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
+				gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_AFTER, lifetime);
+
+			} else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_SESSION)){
+				g_message ("Unsupported gpg-cache-method setting: %s", method);
+			}
+
+ 			gck_builder_add_string (&builder, CKA_G_COLLECTION, "session");
+			g_free (method);
+		}
+ 
+ 		/* Now actually save the password */
+ 		attrs = gck_attributes_ref_sink (gck_builder_end (&builder));
+ 		do_save_password (session, keyid, description, password, attrs);
+ 		gck_attributes_unref (attrs);
+-
+-		save_unlock_options (prompt);
+ 	}
+ 
+ 	g_clear_object (&prompt);
+-- 
+1.7.11.4
+
--- a/gnome-keyring-3.4.1-mark-usage-on-item.patch
+++ b/gnome-keyring-3.4.1-mark-usage-on-item.patch
@ -0,0 +1,27 @@
+From 5dff623470b859e332dbe12afb0dc57b292832d2 Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw@gnome.org>
+Date: Wed, 8 Aug 2012 15:08:22 +0200
+Subject: [PATCH 2/2] secret-store: Mark a secret item as 'used' when accessed
+
+ * This makes the gpg-agent idle feature work correctly
+
+https://bugzilla.gnome.org/show_bug.cgi?id=681081
+---
+ pkcs11/secret-store/gkm-secret-item.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pkcs11/secret-store/gkm-secret-item.c b/pkcs11/secret-store/gkm-secret-item.c
+index d03c4a8..15791a9 100644
+--- a/pkcs11/secret-store/gkm-secret-item.c
+++ b/pkcs11/secret-store/gkm-secret-item.c
+@@ -224,6 +224,7 @@ gkm_secret_item_real_get_attribute (GkmObject *base, GkmSession *session, CK_ATT
+ 		identifier = gkm_secret_object_get_identifier (GKM_SECRET_OBJECT (self));
+ 		secret = gkm_secret_data_get_raw (sdata, identifier, &n_secret);
+ 		rv = gkm_attribute_set_data (attr, secret, n_secret);
+		gkm_object_mark_used (base);
+ 		g_object_unref (sdata);
+ 		return rv;
+ 
+-- 
+1.7.11.4
+
--- a/gnome-keyring-3.6.1-pkcs11_socket_nodebug_spam.patch
+++ b/gnome-keyring-3.6.1-pkcs11_socket_nodebug_spam.patch
@ -0,0 +1,62 @@
+From 370694b36f1ed6f26554ccc740da3b3e92aafded Mon Sep 17 00:00:00 2001
+From: Rex Dieter <rdieter@fedoraproject.org>
+Date: Fri, 17 Aug 2012 08:52:25 -0500
+Subject: [PATCH] only print debug message if no pkcs11 socket
+
+This is to handle the case of running gnome-keyring in environments
+not matching GNOME;Unity and avoid needless
+WARNING: couldn't connect to: /tmp/keyring-SqfLpI/pkcs11
+type errors
+
+https://bugzilla.gnome.org/show_bug.cgi?id=665961
+---
+ pkcs11/rpc-layer/gkm-rpc-module.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/pkcs11/rpc-layer/gkm-rpc-module.c b/pkcs11/rpc-layer/gkm-rpc-module.c
+index 240fd83..1b11d96 100644
+--- a/pkcs11/rpc-layer/gkm-rpc-module.c
+++ b/pkcs11/rpc-layer/gkm-rpc-module.c
+@@ -251,8 +251,13 @@ call_connect (CallState *cs)
+ 
+ 	if (connect (sock, (struct sockaddr*) &addr, sizeof (addr)) < 0) {
+ 		close (sock);
+-		warning (("couldn't connect to: %s: %s", pkcs11_socket_path, strerror (errno)));
+-		return CKR_DEVICE_ERROR;
+		if (errno == ENOENT) {
+			debug (("couldn't connect to: %s: %s", pkcs11_socket_path, strerror (errno)));
+			return CKR_DEVICE_REMOVED;
+		} else {
+			warning (("couldn't connect to: %s: %s", pkcs11_socket_path, strerror (errno)));
+			return CKR_DEVICE_ERROR;
+		}
+ 	}
+ 
+ 	if (egg_unix_credentials_write (sock) < 0) {
+@@ -1208,6 +1213,10 @@ rpc_C_Initialize (CK_VOID_PTR init_args)
+ 				if (ret == CKR_OK)
+ 					ret = call_run (cs);
+ 				call_done (cs, ret);
+
+			/* No daemon available */
+			} else if (ret == CKR_DEVICE_REMOVED) {
+				ret = CKR_OK;
+ 			}
+ 		}
+ 
+@@ -1248,8 +1257,13 @@ rpc_C_Finalize (CK_VOID_PTR reserved)
+ 				if (ret == CKR_OK)
+ 					ret = call_run (cs);
+ 				call_done (cs, ret);
+
+			/* No daemon available */
+			} else if (ret == CKR_DEVICE_REMOVED) {
+				ret = CKR_OK;
+ 			}
+ 
+
+ 			if (ret != CKR_OK)
+ 				warning (("finalizing the daemon returned an error: %d", ret));
+ 		}
+-- 
+1.7.12.1
--- a/gnome-keyring-error.patch
+++ b/gnome-keyring-error.patch
@ -1,13 +0,0 @@
--- gnome-keyring-3.3.4/daemon/dbus/gkd-secret-error.c	2011-12-19 02:51:11.000000000 -0500
-+++ foo/daemon/dbus/gkd-secret-error.c	2012-01-18 09:12:28.976906276 -0500
-@@ -60,7 +60,9 @@
- 
- 	g_return_val_if_fail (error != NULL, NULL);
- 
-	if (g_error_matches (error, GCK_ERROR, CKR_USER_NOT_LOGGED_IN)) {
-+	if (g_error_matches (error, GCK_ERROR, CKR_USER_NOT_LOGGED_IN) ||
-+            g_error_matches (error, GCK_ERROR, CKR_PIN_INCORRECT)) {
-+
- 		dbus_set_error (&derr, INTERNAL_ERROR_DENIED, "The password was invalid");
- 
- 	} else if (g_error_matches (error, GCK_ERROR, CKR_WRAPPED_KEY_INVALID) ||
--- a/gnome-keyring.spec
+++ b/gnome-keyring.spec
@ -8,14 +8,22 @@

 Summary: Framework for managing passwords and other secrets
 Name: gnome-keyring
-Version: 3.3.92
-Release: 1%{?dist}
+Version: 3.4.1
+Release: 4%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Libraries
 #VCS: git:git://git.gnome.org/gnome-keyring
-Source: http://download.gnome.org/sources/gnome-keyring/3.3/gnome-keyring-%{version}.tar.xz
+Source: http://download.gnome.org/sources/gnome-keyring/3.4/gnome-keyring-%{version}.tar.xz
 URL: http://www.gnome.org

+Patch0:         gnome-keyring-3.4.1-fix-cache-option.patch
+Patch1:		gnome-keyring-3.4.1-mark-usage-on-item.patch
+
+## upstream patches
+# https://bugzilla.redhat.com/show_bug.cgi?id=783568
+# https://bugzilla.gnome.org/show_bug.cgi?id=665961
+Patch100: gnome-keyring-3.6.1-pkcs11_socket_nodebug_spam.patch
+
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: gtk3-devel >= %{gtk3_version}
 BuildRequires: gcr-devel >= %{gcr_version}
@ -60,6 +68,9 @@ automatically unlock the "login" keyring when the user logs in.

 %prep
 %setup -q -n gnome-keyring-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch100 -p1 -b .pkcs11_socket_nodebug_spam

 %build
 %configure \
@ -91,12 +102,12 @@ update-mime-database %{_datadir}/mime &> /dev/null || :
 if [ $1 -eq 0 ]; then
  touch --no-create %{_datadir}/icons/hicolor >&/dev/null || :
  gtk-update-icon-cache %{_datadir}/icons/hicolor >&/dev/null || :
-  glib-compile-schemas %{_datadir}/glib-2.0/schemas
+  glib-compile-schemas %{_datadir}/glib-2.0/schemas >&/dev/null || :
 fi

 %posttrans
 gtk-update-icon-cache %{_datadir}/icons/hicolor >&/dev/null || :
-glib-compile-schemas %{_datadir}/glib-2.0/schemas
+glib-compile-schemas %{_datadir}/glib-2.0/schemas >&/dev/null || :


 %files -f gnome-keyring.lang
@ -122,6 +133,22 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas


 %changelog
+* Fri Nov 09 2012 Rex Dieter <rdieter@fedoraproject.org> 3.4.1-4
+- WARNING: couldn't connect to: /tmp/keyring-... (#783568, gnome#665961)
+
+* Wed Aug 15 2012 Stef Walter <stefw@redhat.com> - 3.4.1-3
+- Fix for minor security issue:
+  https://bugzilla.gnome.org/show_bug.cgi?id=681081
+
+* Tue Apr 24 2012 Kalev Lember <kalevlember@gmail.com> - 3.4.1-2
+- Silence rpm scriptlet output
+
+* Mon Apr 16 2012 Richard Hughes <hughsient@gmail.com> - 3.4.1-1
+- Update to 3.4.1
+
+* Wed Mar 26 2012 Debarshi Ray <rishi@fedoraproject.org> - 3.4.0-1
+- Update to 3.4.0
+
 * Wed Mar 21 2012 Kalev Lember <kalevlember@gmail.com> - 3.3.92-1
 - Update to 3.3.92

--- a/2
+++ b/2
@ -1 +1 @@
-4e21b5bb46730c1c18f8a3709a7d4914  gnome-keyring-3.3.92.tar.xz
+607b334b43300465d18676dbc4d97de9  gnome-keyring-3.4.1.tar.xz
Author	SHA1	Message	Date
Rex Dieter	6b9c0c198a	WARNING: couldn't connect to: /tmp/keyring-... (#783568 , gnome#665961)	2012-11-09 08:26:54 -06:00
Stef Walter	807308f73a	Patch for the gpg cache not expiring * This is a minor security issue See: https://bugzilla.gnome.org/show_bug.cgi?id=681081 Signed-off-by: Richard Hughes <richard@hughsie.com>	2012-08-20 09:32:36 +01:00
Kalev Lember	fcec2f7e94	Silence rpm scriptlet output Redirect it to /dev/null; end users aren't supposed to see the warnings generated by e.g. glib-compile-schemas. http://fedoraproject.org/wiki/Packaging:ScriptletSnippets	2012-04-24 18:16:08 +03:00
Richard Hughes	dc8ad988a0	Update to 3.4.1	2012-04-16 16:21:57 +01:00
Debarshi Ray	b94c021f12	Update to 3.4.0	2012-03-26 17:51:54 +02:00
Debarshi Ray	b209f28a14	Remove unused patch	2012-03-26 17:50:29 +02:00