[gnome-keyring/f17] Patch for the gpg cache not expiring
Richard Hughes
rhughes at fedoraproject.org
Mon Aug 20 08:36:28 UTC 2012
commit 807308f73a241ecf14acfe8082bdb3150922d0c7
Author: Stef Walter <stefw at gnome.org>
Date: Wed Aug 15 22:15:04 2012 +0200
Patch for the gpg cache not expiring
* This is a minor security issue
See: https://bugzilla.gnome.org/show_bug.cgi?id=681081
Signed-off-by: Richard Hughes <richard at hughsie.com>
gnome-keyring-3.4.1-fix-cache-option.patch | 99 ++++++++++++++++++++++++++
gnome-keyring-3.4.1-mark-usage-on-item.patch | 27 +++++++
gnome-keyring.spec | 11 +++-
3 files changed, 136 insertions(+), 1 deletions(-)
---
diff --git a/gnome-keyring-3.4.1-fix-cache-option.patch b/gnome-keyring-3.4.1-fix-cache-option.patch
new file mode 100644
index 0000000..60f4e14
--- /dev/null
+++ b/gnome-keyring-3.4.1-fix-cache-option.patch
@@ -0,0 +1,99 @@
+From 51606f299e5ee9d48096db0a5957efe26cbf7cc3 Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw at gnome.org>
+Date: Wed, 8 Aug 2012 06:06:58 +0200
+Subject: [PATCH 1/2] gpg-agent: Hook up the TTL cache option
+
+ * So that when the gsettings gpg-cache-method is 'idle' or 'timeout'
+ we use gpg-cache-ttl to control how long the passphrase is cached
+ for.
+ * This is a regression from 3.3.x
+
+https://bugzilla.gnome.org/show_bug.cgi?id=681081
+---
+ daemon/gpg-agent/gkd-gpg-agent-ops.c | 40 ++++++++++++++++++++++--------------
+ 1 file changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/daemon/gpg-agent/gkd-gpg-agent-ops.c b/daemon/gpg-agent/gkd-gpg-agent-ops.c
+index a0e8731..c8414fe 100644
+--- a/daemon/gpg-agent/gkd-gpg-agent-ops.c
++++ b/daemon/gpg-agent/gkd-gpg-agent-ops.c
+@@ -322,17 +322,6 @@ load_unlock_options (GcrPrompt *prompt)
+ g_free (method);
+ }
+
+-static void
+-save_unlock_options (GcrPrompt *prompt)
+-{
+- GSettings *settings;
+-
+- settings = gkd_gpg_agent_settings ();
+-
+- if (gcr_prompt_get_choice_chosen (prompt))
+- g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
+-}
+-
+ static GcrPrompt *
+ open_password_prompt (GckSession *session,
+ const gchar *keyid,
+@@ -405,11 +394,14 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
+ const gchar *prompt_text, const gchar *description, gboolean confirm)
+ {
+ GckBuilder builder = GCK_BUILDER_INIT;
++ GSettings *settings;
+ GckAttributes *attrs;
+ gchar *password = NULL;
+ GcrPrompt *prompt;
+ gboolean chosen;
+ GError *error = NULL;
++ gint lifetime;
++ gchar *method;
+
+ g_assert (GCK_IS_SESSION (session));
+
+@@ -430,21 +422,39 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
+ }
+
+ if (password != NULL && keyid != NULL) {
++ settings = gkd_gpg_agent_settings ();
+
+ /* Load up the save options */
+ chosen = gcr_prompt_get_choice_chosen (prompt);
+
+- if (chosen)
++ if (chosen) {
++ g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
+ gck_builder_add_string (&builder, CKA_G_COLLECTION, "login");
+- else
++
++ } else {
++ method = g_settings_get_string (settings, "gpg-cache-method");
++ lifetime = g_settings_get_int (settings, "gpg-cache-ttl");
++
++ if (g_strcmp0 (method, GCR_UNLOCK_OPTION_IDLE) == 0) {
++ gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
++ gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_IDLE, lifetime);
++
++ } else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_TIMEOUT) == 0) {
++ gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
++ gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_AFTER, lifetime);
++
++ } else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_SESSION)){
++ g_message ("Unsupported gpg-cache-method setting: %s", method);
++ }
++
+ gck_builder_add_string (&builder, CKA_G_COLLECTION, "session");
++ g_free (method);
++ }
+
+ /* Now actually save the password */
+ attrs = gck_attributes_ref_sink (gck_builder_end (&builder));
+ do_save_password (session, keyid, description, password, attrs);
+ gck_attributes_unref (attrs);
+-
+- save_unlock_options (prompt);
+ }
+
+ g_clear_object (&prompt);
+--
+1.7.11.4
+
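Review bot: `lifetime` is a `gint` read from gsettings but is stored with `gck_builder_add_ulong` in both the idle and timeout branches, so a negative `gpg-cache-ttl` is converted to a very large unsigned value and the passphrase would effectively never expire, which is precisely the regression this patch sets out to close. Unless the schema already constrains the key's range, reject it before use, e.g. `if (lifetime < 0) { g_warning ("Ignoring invalid gpg-cache-ttl %d", lifetime); lifetime = 0; }`, substituting whatever value the secret store treats as the shortest lifetime if 0 does not mean that. The `else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_SESSION))` test is correct (non-zero means the value is not "session") but reads like a missing `== 0`; writing it `!= 0` with a short comment would save the next reader a double-take, and note that it also fires for a persisted "always" (written on line `g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);` during an earlier prompt) whenever the checkbox is left unticked, logging "Unsupported" for a value the agent itself stored. do_get_password continues past the end of the hunk.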
diff --git a/gnome-keyring-3.4.1-mark-usage-on-item.patch b/gnome-keyring-3.4.1-mark-usage-on-item.patch
new file mode 100644
index 0000000..1cf9b43
--- /dev/null
+++ b/gnome-keyring-3.4.1-mark-usage-on-item.patch
@@ -0,0 +1,27 @@
+From 5dff623470b859e332dbe12afb0dc57b292832d2 Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw at gnome.org>
+Date: Wed, 8 Aug 2012 15:08:22 +0200
+Subject: [PATCH 2/2] secret-store: Mark a secret item as 'used' when accessed
+
+ * This makes the gpg-agent idle feature work correctly
+
+https://bugzilla.gnome.org/show_bug.cgi?id=681081
+---
+ pkcs11/secret-store/gkm-secret-item.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pkcs11/secret-store/gkm-secret-item.c b/pkcs11/secret-store/gkm-secret-item.c
+index d03c4a8..15791a9 100644
+--- a/pkcs11/secret-store/gkm-secret-item.c
++++ b/pkcs11/secret-store/gkm-secret-item.c
+@@ -224,6 +224,7 @@ gkm_secret_item_real_get_attribute (GkmObject *base, GkmSession *session, CK_ATT
+ identifier = gkm_secret_object_get_identifier (GKM_SECRET_OBJECT (self));
+ secret = gkm_secret_data_get_raw (sdata, identifier, &n_secret);
+ rv = gkm_attribute_set_data (attr, secret, n_secret);
++ gkm_object_mark_used (base);
+ g_object_unref (sdata);
+ return rv;
+
+--
+1.7.11.4
+
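Review bot: The new `gkm_object_mark_used (base);` runs regardless of the `rv` that `gkm_attribute_set_data` just returned, so a read that does not actually hand the secret out (for example a buffer-too-small result, if that helper reports one here) still refreshes the idle timer that the companion gpg-agent patch relies on for `CKA_G_DESTRUCT_IDLE`. If only a successful disclosure of the secret should count as use, gate it: `if (rv == CKR_OK) gkm_object_mark_used (base);`. A one-line comment such as `/* reading the secret counts as use: resets the idle-expiry timer the gpg-agent cache depends on */` would also explain why the mark sits on the secret path alone rather than in the generic attribute getter. gkm_secret_item_real_get_attribute starts and ends outside the hunk.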
diff --git a/gnome-keyring.spec b/gnome-keyring.spec
index fd127ef..7c5a7fb 100644
--- a/gnome-keyring.spec
+++ b/gnome-keyring.spec
@@ -9,13 +9,16 @@
Summary: Framework for managing passwords and other secrets
Name: gnome-keyring
Version: 3.4.1
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Libraries
#VCS: git:git://git.gnome.org/gnome-keyring
Source: http://download.gnome.org/sources/gnome-keyring/3.4/gnome-keyring-%{version}.tar.xz
URL: http://www.gnome.org
+Patch0: gnome-keyring-3.4.1-fix-cache-option.patch
+Patch1: gnome-keyring-3.4.1-mark-usage-on-item.patch
+
BuildRequires: glib2-devel >= %{glib2_version}
BuildRequires: gtk3-devel >= %{gtk3_version}
BuildRequires: gcr-devel >= %{gcr_version}
@@ -60,6 +63,8 @@ automatically unlock the "login" keyring when the user logs in.
%prep
%setup -q -n gnome-keyring-%{version}
+%patch0 -p1
+%patch1 -p1
%build
%configure \
@@ -122,6 +127,10 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas >&/dev/null || :
%changelog
+* Wed Aug 15 2012 Stef Walter <stefw at redhat.com> - 3.4.1-3
+- Fix for minor security issue:
+ https://bugzilla.gnome.org/show_bug.cgi?id=681081
+
* Tue Apr 24 2012 Kalev Lember <kalevlember at gmail.com> - 3.4.1-2
- Silence rpm scriptlet output