From e559d48f011e686b18f9355aa91e5e9aae711bb5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 30 2018 06:30:05 +0000
Subject: import PackageKit-1.1.10-1.el7
---
diff --git a/.PackageKit.metadata b/.PackageKit.metadata
index e174da1..dd5f809 100644
--- a/.PackageKit.metadata
+++ b/.PackageKit.metadata
@@ -1 +1 @@
-b7805e8ddd6cee697575afe0931f10ab2e09aed0 SOURCES/PackageKit-1.1.5.tar.xz
+f749fa7a4e2c88f705ba80bae309ae257d7027fb SOURCES/PackageKit-1.1.10.tar.xz
diff --git a/.gitignore b/.gitignore
index b5a0163..3ee46b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/PackageKit-1.1.5.tar.xz
+SOURCES/PackageKit-1.1.10.tar.xz
diff --git a/SOURCES/0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch b/SOURCES/0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch
deleted file mode 100644
index cb98d62..0000000
--- a/SOURCES/0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From bb9f9a8fb451d7a2d81f7390993db75491224729 Mon Sep 17 00:00:00 2001
-From: Richard Hughes
-Date: Mon, 9 Apr 2018 16:39:56 +0100
-Subject: [PATCH] Do not set JUST_REINSTALL on any kind of auth failure
-
-If we try to continue the auth queue when it has been cancelled (or failed)
-then we fall upon the obscure JUST_REINSTALL transaction flag which only the
-DNF backend actually verifies.
-
-Many thanks to Matthias Gerstner for spotting the problem.
----
- src/pk-transaction.c | 27 ++++++++-------------------
- 1 file changed, 8 insertions(+), 19 deletions(-)
-
-diff --git a/src/pk-transaction.c b/src/pk-transaction.c
-index 1d006c782..ffee29f6f 100644
---- a/src/pk-transaction.c
-+++ b/src/pk-transaction.c
-@@ -2351,25 +2351,14 @@ pk_transaction_authorize_actions_finished_cb (GObject *source_object,
-
- /* did not auth */
- if (!polkit_authorization_result_get_is_authorized (result)) {
-- if (g_strcmp0 (action_id, "org.freedesktop.packagekit.package-install") == 0 &&
-- pk_bitfield_contain (priv->cached_transaction_flags,
-- PK_TRANSACTION_FLAG_ENUM_ALLOW_REINSTALL)) {
-- g_debug ("allowing just reinstallation");
-- pk_bitfield_add (priv->cached_transaction_flags,
-- PK_TRANSACTION_FLAG_ENUM_JUST_REINSTALL);
-- } else {
-- priv->waiting_for_auth = FALSE;
-- /* emit an ::StatusChanged, ::ErrorCode() and then ::Finished() */
-- pk_transaction_status_changed_emit (data->transaction, PK_STATUS_ENUM_FINISHED);
-- pk_transaction_error_code_emit (data->transaction, PK_ERROR_ENUM_NOT_AUTHORIZED,
-- "Failed to obtain authentication.");
-- pk_transaction_finished_emit (data->transaction, PK_EXIT_ENUM_FAILED, 0);
--
-- syslog (LOG_AUTH | LOG_NOTICE,
-- "uid %i failed to obtain auth",
-- priv->uid);
-- goto out;
-- }
-+ priv->waiting_for_auth = FALSE;
-+ /* emit an ::StatusChanged, ::ErrorCode() and then ::Finished() */
-+ pk_transaction_status_changed_emit (data->transaction, PK_STATUS_ENUM_FINISHED);
-+ pk_transaction_error_code_emit (data->transaction, PK_ERROR_ENUM_NOT_AUTHORIZED,
-+ "Failed to obtain authentication.");
-+ pk_transaction_finished_emit (data->transaction, PK_EXIT_ENUM_FAILED, 0);
-+ syslog (LOG_AUTH | LOG_NOTICE, "uid %i failed to obtain auth", priv->uid);
-+ goto out;
- }
-
- if (data->actions->len <= 1) {
---
-2.17.0
-
diff --git a/SOURCES/CentOS-Vendor-Branding.patch b/SOURCES/CentOS-Vendor-Branding.patch
deleted file mode 100644
index 0eca3b6..0000000
--- a/SOURCES/CentOS-Vendor-Branding.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -uNrp PackageKit-1.1.5.orig/etc/Vendor.conf PackageKit-1.1.5/etc/Vendor.conf
---- PackageKit-1.1.5.orig/etc/Vendor.conf 2016-01-05 09:48:43.000000000 +0000
-+++ PackageKit-1.1.5/etc/Vendor.conf 2018-05-09 12:02:03.199032600 +0000
-@@ -12,7 +12,7 @@
- # If the value is set to 'none' then no link is shown.
- #
- # default=http://www.packagekit.org/pk-package-not-found.html
--DefaultUrl=http://www.packagekit.org/pk-package-not-found.html
-+DefaultUrl=none
-
- # The URL which is shown to the user when a codec could not be found.
- # It should explain why certain codecs cannot be used, and perhaps show
diff --git a/SPECS/PackageKit.spec b/SPECS/PackageKit.spec
index aae9b50..a00e2f9 100644
--- a/SPECS/PackageKit.spec
+++ b/SPECS/PackageKit.spec
@@ -5,17 +5,14 @@ Summary: Package management service
 Name: PackageKit
-Version: 1.1.5
-Release: 2%{?dist}
+Version: 1.1.10
+Release: 1%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freedesktop.org/software/PackageKit/
 Source0: http://www.freedesktop.org/software/PackageKit/releases/%{name}-%{version}.tar.xz
 # Fedora-specific: set Vendor.conf up for Fedora.
-
-# CVE-2018-1106
-Patch1: 0001-Do-not-set-JUST_REINSTALL-on-any-kind-of-auth-failur.patch
-Patch0: CentOS-Vendor-Branding.patch
+Patch0: PackageKit-0.3.8-Fedora-Vendor.conf.patch
 Requires: %{name}-glib%{?_isa} = %{version}-%{release}
 Requires: PackageKit-backend
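Review bot: The new `Patch0: PackageKit-0.3.8-Fedora-Vendor.conf.patch` line, applied in the next hunk as `%patch0 -p1 -b .fedora`, names a file that no part of this diff adds under SOURCES/, while the only vendor patch the commit touches (CentOS-Vendor-Branding.patch) is deleted; unless that file already exists in the tree, %prep will stop on a missing patch. The same hunk drops `Patch1` and its `# CVE-2018-1106` marker with no replacement, which is safe only if the 1.1.10 tarball already carries the "Do not set JUST_REINSTALL on any kind of auth failure" change; that is presumably why it was removed, but neither the spec nor the new changelog entry records it. I would keep a trace next to Source0, e.g. `# CVE-2018-1106: fixed upstream in 1.1.10, local Patch1 dropped`, and confirm that the not-authorized branch of pk_transaction_authorize_actions_finished_cb in the new tarball's src/pk-transaction.c fails the transaction unconditionally before this build is published.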
@@ -160,8 +157,7 @@ using PackageKit.
 %prep
 %setup -q
-%patch1 -p1 -b .CVE-2018-1106
-%patch0 -p1
+%patch0 -p1 -b .fedora
 %build
 %configure \
@@ -304,13 +300,13 @@ systemctl disable packagekit-offline-update.service > /dev/null 2>&1 || :
 %{_datadir}/vala/vapi/packagekit-glib2.vapi
 %changelog
-* Tue Apr 24 2018 CentOS Sources - 1.1.5-2.el7.centos
-- remove old branding patch
-- Update Vendor patch to reference CentOS
+* Mon Apr 23 2018 Richard Hughes - 1.1.10-1
+- New upstream release
+- Resolves: #1576494
 * Tue Apr 17 2018 Richard Hughes - 1.1.5-2
 - Fixes CVE-2018-1106
-- Resolves: rhbz#1566425
+- Resolves: rhbz#1566426
 * Tue Feb 28 2017 Richard Hughes - 1.1.5-1
 - Update to 1.1.5