test/gvfs-test | 11 9 2 - 0 !
1 file changed, 9 insertions( ), 2 deletions(-)

 gvfs-test: don't specify the port if we are running in the sandbox

In this case the smb config is set up using the default port by the
sandbox itself - the config in the testsuite is not used.

(cherry picked from commit dd7abaffa1d1154afd8b27ea83428837d25c9f14)

po/sr.po | 1061 534 527 - 0 !
1 file changed, 534 insertions( ), 527 deletions(-)

 update serbian translation

po/sk.po | 1070 539 531 - 0 !
1 file changed, 539 insertions( ), 531 deletions(-)

 update slovak translation

common/gvfsmountinfo.c | 2 1 1 - 0 !
1 file changed, 1 insertion( ), 1 deletion(-)

 common: prevent crashes on invalid autorun file

GRegex expects valid UTF-8 input by default and libpcre may crash if
it is not valid. GRegex is used to parse autorun file, which doesn't
have to be always valid. Let's use G_REGEX_RAW to prevent the crashes.

Bug: https://gitlab.gnome.org/GNOME/gvfs/issues/344

po/eu.po | 1410 668 742 - 0 !
1 file changed, 668 insertions( ), 742 deletions(-)

 update basque translation

monitor/udisks2/gvfsudisks2utils.c | 6 6 0 - 0 !
monitor/udisks2/gvfsudisks2volumemonitor.c | 21 12 9 - 0 !
2 files changed, 18 insertions( ), 9 deletions(-)

 udisks2: restore support of comment=x-gvfs-* option

Beginning the commit 959db3e0, mtab-based mount options are prioritized
prior to the fstab options. However, "comment" option is not propagated
to mtab and thus mounts with "comment=x-gvfs-show" can be ignored, but
volumes can be still shown for them and vice versa. Consequently, mount
operation fails with the following:

"Mount is denied because the NTFS volume is already exclusively opened.
The volume may be already mounted, or another software may use it which
could be identified for example by the help of the 'fuser' command."

Just a note, that "comment=x-gvfs-*" is wrong as per the docs and it
should be "comment=gvfs-*" instead. However, it seems that the people
started using this after commit 37d4bf32 as workaround on distributions
with old util-linux versions, where plain "x-gvfs-*" option caused the
following error:

"Unrecognized mount option "x-gvfs-show" or missing value"

The workaround using "comment=x-gvfs-*" option worked so far just only
thanks to the "bug" in gvfs_udisks2_utils_lookup_fstab_options_value()
function, which doesn't care about the prefix of the mount option.

Let's prioritize fstab options before mtab-based mount options to fix
this regression. It is maybe less reliable because the assignment of
the corresponding fstab entry is arguable, but the rest of the volume
monitor code relies on it anyway.

Bug: https://gitlab.gnome.org/GNOME/gvfs/issues/348

daemon/gvfsbackendadmin.c | 3 1 2 - 0 !
1 file changed, 1 insertion( ), 2 deletions(-)

 admin: prevent access if any authentication agent isn't available

The backend currently allows to access and modify files without prompting
for password if any polkit authentication agent isn't available. This seems
isn't usually problem, because polkit agents are integral parts of
graphical environments / linux distributions. The agents can't be simply
disabled without root permissions and are automatically respawned. However,
this might be a problem in some non-standard cases.

This affects only users which belong to wheel group (i.e. those who are
already allowed to use sudo). It doesn't allow privilege escalation for
users, who don't belong to that group.

Let's return permission denied error also when the subject can't be
authorized by any polkit agent to prevent this behavior.

Bug: https://gitlab.gnome.org/GNOME/gvfs/issues/355
Bug-CVE: CVE-2019-3827
Bug-Debian: https://bugs.debian.org/921816

daemon/gvfsbackendmtp.c | 1 0 1 - 0 !
1 file changed, 1 deletion(-)

 mtp: don't retry reading an event after failure

This issue has been sitting around for ages without us understanding
what's going on. We finally got a repro scenario which showed that
it happens when another program steals the MTP device out from under
us, so that all MTP calls will start failing. In this case it's clear
that it's futile to keep trying to retry reading the event after a
failure.

I originally wrote the code to retry the read because I expected any
error to be transitory, but if the error is persistent, it's not good
behaviour - even if the memory leak was fixed (as you'd still be
busy-waiting in a tight loop).

So, given the situation, and the fact that I'm not aware of any
occurence of transitory event read failures, let's just say that
if an event read fails, we'll give up and the event is lost.

Note that I'm still not aware of the exact situation where the
problem was first observed (the reporters did not talk about
the use of VM software stealing devices) and so fixing this may
still result in them seeing a situation where they can't access
the device due to whatever the underlying cause is.

(cherry picked from commit 63700b556522cb779fee9b7f45b869df6b178c68)

Bug: https://gitlab.gnome.org/GNOME/gvfs/issues/347

daemon/gvfsbackendadmin.c | 79 67 12 - 0 !
1 file changed, 67 insertions( ), 12 deletions(-)

 admin: add query_info_on_read/write functionality

Admin backend doesn't implement query_info_on_read/write which might
potentially lead to some race conditions which aren't really wanted
especially in case of admin backend. For example, in file_copy_fallback(),
g_file_query_info() is used if g_file_input_stream_query_info() is not
supported, which in theory means that the info might be obtained from

daemon/gvfsbackendadmin.c | 3 2 1 - 0 !
1 file changed, 2 insertions( ), 1 deletion(-)

 admin: allow changing file owner

CAP_CHOWN is dropped together with other privilages and thus the backend
can't change file owner. This might be probably e.g. in case of copy
operation when G_FILE_COPY_ALL_METADATA is used. Let's keep CAP_CHOWN
to fix this.

daemon/gvfsbackendadmin.c | 29 7 22 - 0 !
1 file changed, 7 insertions( ), 22 deletions(-)

 admin: use fsuid to ensure correct file ownership

Files created over admin backend should be owned by root, but they are
owned by the user itself. This is because the daemon drops the uid to
make dbus connection work. Use fsuid and euid to fix this issue.

Bug: https://gitlab.gnome.org/GNOME/gvfs/issues/21

daemon/gvfsbackendadmin.c | 46 46 0 - 0 !
1 file changed, 46 insertions( )

 admin: ensure correct ownership when moving to file:// uri

User and group is not restored properly when moving (or copying with
G_FILE_COPY_ALL_METADATA) from admin:// to file://, because it is handled
by GIO fallback code, which doesn't run with root permissions. Let's
handle this case with pull method to ensure correct ownership.

daemon/gvfsdaemon.c | 36 35 1 - 0 !
1 file changed, 35 insertions( ), 1 deletion(-)

 gvfsdaemon: check that the connecting client is the same user

Otherwise, an attacker who learns the abstract socket address from
netstat(8) or similar could connect to it and issue D-Bus method
calls.

Signed-off-by: Simon McVittie <[email protected]>

daemon/gvfsdaemon.c | 17 17 0 - 0 !
1 file changed, 17 insertions( )

 gvfsdaemon: only accept external authentication

EXTERNAL is the mechanism recommended in the D-Bus Specification for
all platforms where it is supported (including Linux, *BSD, Solaris
and Hurd), and is the only mechanism allowed by the session or system
dbus-daemon in their default configurations. It is considerably simpler
than DBUS_COOKIE_SHA1 and relies on fewer assumptions.

Signed-off-by: Simon McVittie <[email protected]>

daemon/org.gtk.vfs.file-operations.rules | 2 1 1 - 0 !
1 file changed, 1 insertion( ), 1 deletion(-)

 use sudo group instead of the wheel one

since the wheel group doesn't exist on Debian

metadata/metatree.c | 10 9 1 - 0 !
1 file changed, 9 insertions( ), 1 deletion(-)

 nuke the metadata file if magic blob is wrong

daemon/gvfschannel.c | 5 3 2 - 0 !
1 file changed, 3 insertions( ), 2 deletions(-)

 don't try to announce the finish of a null job.

client/gdaemonvfs.c | 2 1 1 - 0 !
1 file changed, 1 insertion( ), 1 deletion(-)

 don't crash when creating volume monitors

if the VFS was never initialized

daemon/gvfschannel.c | 5 3 2 - 0 !
daemon/gvfsdaemon.c | 7 5 2 - 0 !
2 files changed, 8 insertions( ), 4 deletions(-)

 make sure to keep a ref to jobs while they run in a thread

test/gvfs-test | 5 3 2 - 0 !
1 file changed, 3 insertions( ), 2 deletions(-)

 skip the umockdev test

The trace is out of date & needs to be re-recorded by somebody who has
the hardware.

test/gvfs-test | 6 3 3 - 0 !
1 file changed, 3 insertions( ), 3 deletions(-)

 gvfs-test: increase timeout to 10s

In normal operation some operations - particularly unmounting - can take
quite a while. Let's give things a bit longer before giving up.

Patch originally by Andreas Hasenack <[email protected]>

meson.build | 2 1 1 - 0 !
1 file changed, 1 insertion( ), 1 deletion(-)

 remove version from polkit-gobject dependency

It was versioned like this to require the polkit ITS rules, but in
Debian we backported those into 0.105.