[gnome-keyring/f17] Patch for the gpg cache not expiring

Richard Hughes rhughes at fedoraproject.org
Mon Aug 20 08:36:28 UTC 2012 

commit 807308f73a241ecf14acfe8082bdb3150922d0c7
Author: Stef Walter <stefw at gnome.org>
Date:   Wed Aug 15 22:15:04 2012 +0200

    Patch for the gpg cache not expiring
    
     * This is a minor security issue
    
    See: https://bugzilla.gnome.org/show_bug.cgi?id=681081
    
    Signed-off-by: Richard Hughes <richard at hughsie.com>

 gnome-keyring-3.4.1-fix-cache-option.patch   |   99 ++++++++++++++++++++++++++
 gnome-keyring-3.4.1-mark-usage-on-item.patch |   27 +++++++
 gnome-keyring.spec                           |   11 +++-
 3 files changed, 136 insertions(+), 1 deletions(-)
---
diff --git a/gnome-keyring-3.4.1-fix-cache-option.patch b/gnome-keyring-3.4.1-fix-cache-option.patch
new file mode 100644
index 0000000..60f4e14
--- /dev/null
+++ b/gnome-keyring-3.4.1-fix-cache-option.patch
@@ -0,0 +1,99 @@
+From 51606f299e5ee9d48096db0a5957efe26cbf7cc3 Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw at gnome.org>
+Date: Wed, 8 Aug 2012 06:06:58 +0200
+Subject: [PATCH 1/2] gpg-agent: Hook up the TTL cache option
+
+ * So that when the gsettings gpg-cache-method is 'idle' or 'timeout'
+   we use gpg-cache-ttl to control how long the passphrase is cached
+   for.
+ * This is a regression from 3.3.x
+
+https://bugzilla.gnome.org/show_bug.cgi?id=681081
+---
+ daemon/gpg-agent/gkd-gpg-agent-ops.c | 40 ++++++++++++++++++++++--------------
+ 1 file changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/daemon/gpg-agent/gkd-gpg-agent-ops.c b/daemon/gpg-agent/gkd-gpg-agent-ops.c
+index a0e8731..c8414fe 100644
+--- a/daemon/gpg-agent/gkd-gpg-agent-ops.c
++++ b/daemon/gpg-agent/gkd-gpg-agent-ops.c
+@@ -322,17 +322,6 @@ load_unlock_options (GcrPrompt *prompt)
+ 	g_free (method);
+ }
+ 
+-static void
+-save_unlock_options (GcrPrompt *prompt)
+-{
+-	GSettings *settings;
+-
+-	settings = gkd_gpg_agent_settings ();
+-
+-	if (gcr_prompt_get_choice_chosen (prompt))
+-		g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
+-}
+-
+ static GcrPrompt *
+ open_password_prompt (GckSession *session,
+                       const gchar *keyid,
+@@ -405,11 +394,14 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
+                  const gchar *prompt_text, const gchar *description, gboolean confirm)
+ {
+ 	GckBuilder builder = GCK_BUILDER_INIT;
++	GSettings *settings;
+ 	GckAttributes *attrs;
+ 	gchar *password = NULL;
+ 	GcrPrompt *prompt;
+ 	gboolean chosen;
+ 	GError *error = NULL;
++	gint lifetime;
++	gchar *method;
+ 
+ 	g_assert (GCK_IS_SESSION (session));
+ 
+@@ -430,21 +422,39 @@ do_get_password (GckSession *session, const gchar *keyid, const gchar *errmsg,
+ 	}
+ 
+ 	if (password != NULL && keyid != NULL) {
++		settings = gkd_gpg_agent_settings ();
+ 
+ 		/* Load up the save options */
+ 		chosen = gcr_prompt_get_choice_chosen (prompt);
+ 
+-		if (chosen)
++		if (chosen) {
++			g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
+ 			gck_builder_add_string (&builder, CKA_G_COLLECTION, "login");
+-		else
++
++		} else {
++			method = g_settings_get_string (settings, "gpg-cache-method");
++			lifetime = g_settings_get_int (settings, "gpg-cache-ttl");
++
++			if (g_strcmp0 (method, GCR_UNLOCK_OPTION_IDLE) == 0) {
++				gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
++				gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_IDLE, lifetime);
++
++			} else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_TIMEOUT) == 0) {
++				gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
++				gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_AFTER, lifetime);
++
++			} else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_SESSION)){
++				g_message ("Unsupported gpg-cache-method setting: %s", method);
++			}
++
+ 			gck_builder_add_string (&builder, CKA_G_COLLECTION, "session");
++			g_free (method);
++		}
+ 
+ 		/* Now actually save the password */
+ 		attrs = gck_attributes_ref_sink (gck_builder_end (&builder));
+ 		do_save_password (session, keyid, description, password, attrs);
+ 		gck_attributes_unref (attrs);
+-
+-		save_unlock_options (prompt);
+ 	}
+ 
+ 	g_clear_object (&prompt);
+-- 
+1.7.11.4
+
diff --git a/gnome-keyring-3.4.1-mark-usage-on-item.patch b/gnome-keyring-3.4.1-mark-usage-on-item.patch
new file mode 100644
index 0000000..1cf9b43
--- /dev/null
+++ b/gnome-keyring-3.4.1-mark-usage-on-item.patch
@@ -0,0 +1,27 @@
+From 5dff623470b859e332dbe12afb0dc57b292832d2 Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw at gnome.org>
+Date: Wed, 8 Aug 2012 15:08:22 +0200
+Subject: [PATCH 2/2] secret-store: Mark a secret item as 'used' when accessed
+
+ * This makes the gpg-agent idle feature work correctly
+
+https://bugzilla.gnome.org/show_bug.cgi?id=681081
+---
+ pkcs11/secret-store/gkm-secret-item.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pkcs11/secret-store/gkm-secret-item.c b/pkcs11/secret-store/gkm-secret-item.c
+index d03c4a8..15791a9 100644
+--- a/pkcs11/secret-store/gkm-secret-item.c
++++ b/pkcs11/secret-store/gkm-secret-item.c
+@@ -224,6 +224,7 @@ gkm_secret_item_real_get_attribute (GkmObject *base, GkmSession *session, CK_ATT
+ 		identifier = gkm_secret_object_get_identifier (GKM_SECRET_OBJECT (self));
+ 		secret = gkm_secret_data_get_raw (sdata, identifier, &n_secret);
+ 		rv = gkm_attribute_set_data (attr, secret, n_secret);
++		gkm_object_mark_used (base);
+ 		g_object_unref (sdata);
+ 		return rv;
+ 
+-- 
+1.7.11.4
+
diff --git a/gnome-keyring.spec b/gnome-keyring.spec
index fd127ef..7c5a7fb 100644
--- a/gnome-keyring.spec
+++ b/gnome-keyring.spec
@@ -9,13 +9,16 @@
 Summary: Framework for managing passwords and other secrets
 Name: gnome-keyring
 Version: 3.4.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Libraries
 #VCS: git:git://git.gnome.org/gnome-keyring
 Source: http://download.gnome.org/sources/gnome-keyring/3.4/gnome-keyring-%{version}.tar.xz
 URL: http://www.gnome.org
 
+Patch0:         gnome-keyring-3.4.1-fix-cache-option.patch
+Patch1:		gnome-keyring-3.4.1-mark-usage-on-item.patch
+
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: gtk3-devel >= %{gtk3_version}
 BuildRequires: gcr-devel >= %{gcr_version}
@@ -60,6 +63,8 @@ automatically unlock the "login" keyring when the user logs in.
 
 %prep
 %setup -q -n gnome-keyring-%{version}
+%patch0 -p1
+%patch1 -p1
 
 %build
 %configure \
@@ -122,6 +127,10 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas >&/dev/null || :
 
 
 %changelog
+* Wed Aug 15 2012 Stef Walter <stefw at redhat.com> - 3.4.1-3
+- Fix for minor security issue:
+  https://bugzilla.gnome.org/show_bug.cgi?id=681081
+
 * Tue Apr 24 2012 Kalev Lember <kalevlember at gmail.com> - 3.4.1-2
 - Silence rpm scriptlet output

More information about the scm-commits mailing list