SECURITY fix for CVE-2012-3466, from upstream.

2012-08-13 09:26:32 +00:00 · 2012-08-13 09:26:32 +00:00 · fbfe3ddfe0
commit fbfe3ddfe0
parent eecd8d3faf
4 changed files with 126 additions and 1 deletions
--- a/x11/gnome/keyring/Makefile
+++ b/x11/gnome/keyring/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.76 2012/04/17 12:34:46 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.77 2012/08/13 09:26:32 ajacoutot Exp $

 SHARED_ONLY=	Yes

@ -6,6 +6,7 @@ COMMENT=	password agent for the GNOME project

 GNOME_PROJECT=	gnome-keyring
 GNOME_VERSION=	3.4.1
+REVISION=	0

 HOMEPAGE=	https://live.gnome.org/GnomeKeyring

--- a/x11/gnome/keyring/patches/patch-daemon_gpg-agent_gkd-gpg-agent-ops_c
+++ b/x11/gnome/keyring/patches/patch-daemon_gpg-agent_gkd-gpg-agent-ops_c
@ -0,0 +1,86 @@
+$OpenBSD: patch-daemon_gpg-agent_gkd-gpg-agent-ops_c,v 1.1 2012/08/13 09:26:32 ajacoutot Exp $
+
+From 111a1327bd55b8f81a44ac37b3af399eb0121126 Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw@gnome.org>
+Date: Wed, 08 Aug 2012 04:06:58 +0000
+Subject: gpg-agent: Hook up the TTL cache option
+
+--- daemon/gpg-agent/gkd-gpg-agent-ops.c.orig	Mon Apr  9 10:27:35 2012
+++ daemon/gpg-agent/gkd-gpg-agent-ops.c	Mon Aug 13 11:19:08 2012
+@@ -322,17 +322,6 @@ load_unlock_options (GcrPrompt *prompt)
+ 	g_free (method);
+ }
+ 
+-static void
+-save_unlock_options (GcrPrompt *prompt)
+-{
+-	GSettings *settings;
+-
+-	settings = gkd_gpg_agent_settings ();
+-
+-	if (gcr_prompt_get_choice_chosen (prompt))
+-		g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
+-}
+-
+ static GcrPrompt *
+ open_password_prompt (GckSession *session,
+                       const gchar *keyid,
+@@ -405,11 +394,14 @@ do_get_password (GckSession *session, const gchar *key
+                  const gchar *prompt_text, const gchar *description, gboolean confirm)
+ {
+ 	GckBuilder builder = GCK_BUILDER_INIT;
+	GSettings *settings;
+ 	GckAttributes *attrs;
+ 	gchar *password = NULL;
+ 	GcrPrompt *prompt;
+ 	gboolean chosen;
+ 	GError *error = NULL;
+	gint lifetime;
+	gchar *method;
+ 
+ 	g_assert (GCK_IS_SESSION (session));
+ 
+@@ -430,21 +422,39 @@ do_get_password (GckSession *session, const gchar *key
+ 	}
+ 
+ 	if (password != NULL && keyid != NULL) {
+		settings = gkd_gpg_agent_settings ();
+ 
+ 		/* Load up the save options */
+ 		chosen = gcr_prompt_get_choice_chosen (prompt);
+ 
+-		if (chosen)
+		if (chosen) {
+			g_settings_set_string (settings, "gpg-cache-method", GCR_UNLOCK_OPTION_ALWAYS);
+ 			gck_builder_add_string (&builder, CKA_G_COLLECTION, "login");
+-		else
+
+		} else {
+			method = g_settings_get_string (settings, "gpg-cache-method");
+			lifetime = g_settings_get_int (settings, "gpg-cache-ttl");
+
+			if (g_strcmp0 (method, GCR_UNLOCK_OPTION_IDLE) == 0) {
+				gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
+				gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_IDLE, lifetime);
+
+			} else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_TIMEOUT) == 0) {
+				gck_builder_add_boolean (&builder, CKA_GNOME_TRANSIENT, TRUE);
+				gck_builder_add_ulong (&builder, CKA_G_DESTRUCT_AFTER, lifetime);
+
+			} else if (g_strcmp0 (method, GCR_UNLOCK_OPTION_SESSION)){
+				g_message ("Unsupported gpg-cache-method setting: %s", method);
+			}
+
+ 			gck_builder_add_string (&builder, CKA_G_COLLECTION, "session");
+			g_free (method);
+		}
+ 
+ 		/* Now actually save the password */
+ 		attrs = gck_attributes_ref_sink (gck_builder_end (&builder));
+ 		do_save_password (session, keyid, description, password, attrs);
+ 		gck_attributes_unref (attrs);
+-
+-		save_unlock_options (prompt);
+ 	}
+ 
+ 	g_clear_object (&prompt);
--- a/x11/gnome/keyring/patches/patch-pkcs11_secret-store_gkm-secret-item_c
+++ b/x11/gnome/keyring/patches/patch-pkcs11_secret-store_gkm-secret-item_c
@ -0,0 +1,17 @@
+$OpenBSD: patch-pkcs11_secret-store_gkm-secret-item_c,v 1.1 2012/08/13 09:26:32 ajacoutot Exp $
+
+From 979bf3c2a3a264630eace3ba2da0db14c59a67de Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw@gnome.org>
+Date: Wed, 08 Aug 2012 13:08:22 +0000
+Subject: secret-store: Mark a secret item as 'used' when accessed
+
+--- pkcs11/secret-store/gkm-secret-item.c.orig	Mon Apr  9 10:27:37 2012
+++ pkcs11/secret-store/gkm-secret-item.c	Mon Aug 13 11:19:10 2012
+@@ -224,6 +224,7 @@ gkm_secret_item_real_get_attribute (GkmObject *base, G
+ 		identifier = gkm_secret_object_get_identifier (GKM_SECRET_OBJECT (self));
+ 		secret = gkm_secret_data_get_raw (sdata, identifier, &n_secret);
+ 		rv = gkm_attribute_set_data (attr, secret, n_secret);
+		gkm_object_mark_used (base);
+ 		g_object_unref (sdata);
+ 		return rv;
+ 
--- a/x11/gnome/keyring/patches/patch-schema_org_gnome_crypto_cache_gschema_xml
+++ b/x11/gnome/keyring/patches/patch-schema_org_gnome_crypto_cache_gschema_xml
@ -0,0 +1,21 @@
+$OpenBSD: patch-schema_org_gnome_crypto_cache_gschema_xml,v 1.1 2012/08/13 09:26:32 ajacoutot Exp $
+
+From 3de11dd0c8929a93b6f3069ef78ed484274a8e86 Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw@gnome.org>
+Date: Wed, 08 Aug 2012 04:06:24 +0000
+Subject: schema: Update description for gpg-cache-method
+
+--- schema/org.gnome.crypto.cache.gschema.xml.orig	Mon Apr  9 10:27:39 2012
+++ schema/org.gnome.crypto.cache.gschema.xml	Mon Aug 13 11:19:05 2012
+@@ -3,7 +3,10 @@
+ 		<key name="gpg-cache-method" type="s">
+ 			<default>'session'</default>
+ 			<summary>Cache Method</summary>
+-			<description>The method to use for caching passphrases typed into the GPG agent.</description>
+			<description>The method to use for caching passphrases typed into the GPG agent.
+			Should be one of: 'always' caches permanently, 'session' caches until session end,
+			'idle' caches until the not used for gpg-cache-ttl seconds, 'timeout' caches until
+			gpg-cache-ttl seconds.</description>
+ 		</key>
+ 		<key name="gpg-cache-ttl" type="i">
+ 			<default>300</default>