From 60fe281f1c24ac9efb5bdbc4414434e4a7681bab Mon Sep 17 00:00:00 2001
From: technology208
Date: Mon, 20 May 2024 18:08:15 +0800
Subject: [PATCH] fix CVE-2023-5557

---
 CVE-2023-5557.patch | 126 +++++++++++++++++++++++++++++++++++++++++++
 tracker3-miners.spec | 6 ++-
 2 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-5557.patch

diff --git a/CVE-2023-5557.patch b/CVE-2023-5557.patch
new file mode 100644
index 0000000..48b2411
--- /dev/null
+++ b/CVE-2023-5557.patch
@@ -0,0 +1,126 @@
+From 8523cc78c18d13f1b2f278ac86a5031b95bc739e Mon Sep 17 00:00:00 2001
+From: technology208
+Date: Mon, 20 May 2024 16:32:52 +0800
+Subject: [PATCH] CreatePatch
+
+---
+ .../tracker-seccomp.c | 23 +++++++++++++++++++
+ src/tracker-extract/tracker-extract.c | 5 ----
+ src/tracker-extract/tracker-main.c | 19 +++++++++++----
+ 3 files changed, 38 insertions(+), 9 deletions(-)
+
+diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
+index 01887e8..a2b7ed9 100644
+--- a/src/libtracker-miners-common/tracker-seccomp.c
++++ b/src/libtracker-miners-common/tracker-seccomp.c
+@@ -100,6 +100,7 @@ tracker_seccomp_init (void)
+ ALLOW_RULE (lstat);
+ ALLOW_RULE (lstat64);
+ ALLOW_RULE (statx);
++ ALLOW_RULE (fstatfs);
+ ALLOW_RULE (access);
+ ALLOW_RULE (getdents);
+ ALLOW_RULE (getdents64);
+@@ -168,6 +169,23 @@ tracker_seccomp_init (void)
+ ALLOW_RULE (getpeername);
+ ALLOW_RULE (shutdown);
+ 
++ ERROR_RULE (inotify_init1, EINVAL);
++ ERROR_RULE (inotify_init, EINVAL);
++
++ ERROR_RULE (mkdir, EPERM);
++ ERROR_RULE (rename, EPERM);
++ ERROR_RULE (unlink, EPERM);
++ ERROR_RULE (ioctl, EBADF);
++ ERROR_RULE (bind, EACCES);
++ ERROR_RULE (setsockopt, EBADF);
++ ERROR_RULE (sched_getattr, EPERM);
++
++ /* Allow prlimit64, only if no new limits are being set */
++ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(prlimit64), 1,
++ SCMP_CMP(2, SCMP_CMP_EQ, 0)) < 0)
++ goto out;
++
++
+ /* Special requirements for socket/socketpair, only on AF_UNIX/AF_LOCAL */
+ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
+ SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
+@@ -175,6 +193,11 @@ tracker_seccomp_init (void)
+ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
+ SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) < 0)
+ goto out;
++
++ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(socket), 1,
++ SCMP_CMP(0, SCMP_CMP_EQ, AF_NETLINK)) < 0)
++ goto out;
++
+ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 1,
+ SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
+ goto out;
+diff --git a/src/tracker-extract/tracker-extract.c b/src/tracker-extract/tracker-extract.c
+index 3406164..209c76b 100644
+--- a/src/tracker-extract/tracker-extract.c
++++ b/src/tracker-extract/tracker-extract.c
+@@ -30,8 +30,6 @@
+ #include
+ #include
+ 
+-#include
+-
+ #include
+ 
+ #include "tracker-extract.h"
+@@ -523,9 +521,6 @@ get_metadata (TrackerExtractTask *task)
+ static gpointer
+ single_thread_get_metadata (GAsyncQueue *queue)
+ {
+- if (!tracker_seccomp_init ())
+- g_assert_not_reached ();
+-
+ while (TRUE) {
+ TrackerExtractTask *task;
+ 
+diff --git a/src/tracker-extract/tracker-main.c b/src/tracker-extract/tracker-main.c
+index 2a646cc..484be22 100644
+--- a/src/tracker-extract/tracker-main.c
++++ b/src/tracker-extract/tracker-main.c
+@@ -292,7 +292,7 @@ get_cache_dir (TrackerDomainOntology *domain_ontology)
+ }
+ 
+ int
+-main (int argc, char *argv[])
++do_main (int argc, char *argv[])
+ {
+ GOptionContext *context;
+ GError *error = NULL;
+@@ -311,9 +311,6 @@ main (int argc, char *argv[])
+ bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8");
+ textdomain (GETTEXT_PACKAGE);
+ 
+- /* This makes sure we don't steal all the system's resources */
+- initialize_priority_and_scheduling ();
+-
+ /* Translators: this message will appear immediately after the */
+ /* usage string - Usage: COMMAND [OPTION]... */
+ context = g_option_context_new (_("— Extract file meta data"));
+@@ -487,3 +484,17 @@ main (int argc, char *argv[])
+ 
+ return EXIT_SUCCESS;
+ }
++
++int
++main (int argc, char *argv[])
++{
++ /* This function is untouchable! Add things to do_main() */
++
++ /* This makes sure we don't steal all the system's resources */
++ initialize_priority_and_scheduling ();
++
++ if (!tracker_seccomp_init ())
++ g_assert_not_reached ();
++
++ return do_main (argc, argv);
++}
+-- 
+2.33.0
+ 
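Review bot: In the new `main()` added to tracker-main.c, a failed `tracker_seccomp_init ()` is guarded only by `g_assert_not_reached ()`, which does not abort when GLib is built or used with `G_DISABLE_ASSERT` (it becomes a no-op or an unreachable hint depending on GLib version), so such a build would fall through into `do_main ()` with no seccomp filter installed at all — exactly the unsandboxed state this CVE-2023-5557 backport exists to prevent. The pattern is inherited from the lines removed in single_thread_get_metadata, but now that this wrapper is the sole place the sandbox is set up before any other thread is created, the failure should be fatal regardless of build flags: `if (!tracker_seccomp_init ()) g_error ("Failed to initialize seccomp sandbox");`. Separately, the embedded patch header reads `Subject: [PATCH] CreatePatch` and names no upstream tracker-miners commit, which makes it hard to audit this backport against the upstream fix; the header should cite the upstream commit id(s) being backported. The rest of tracker_seccomp_init and of do_main lie outside the hunks, so whether the filter is later loaded for all threads cannot be confirmed from here.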
diff --git a/tracker3-miners.spec b/tracker3-miners.spec index 0839861..348f32e 100644 --- a/tracker3-miners.spec +++ b/tracker3-miners.spec @@ -2,7 +2,7 @@ Name: tracker3-miners Version: 3.0.5 -Release: 4 +Release: 5 Summary: One of two parts of tracker mainly contains the indexer daemon and tools. License: GPLv2+ and LGPLv2+ @@ -10,6 +10,7 @@ URL: https://wiki.gnome.org/Projects/Tracker Source0: https://download.gnome.org/sources/tracker-miners/3.0/tracker-miners-%{version}.tar.xz Source1: tracker3-miners.conf Patch1: tracker-miners-3.0.5-sw.patch +Patch2: CVE-2023-5557.patch BuildRequires: asciidoc libxslt coreutils glib2 glib2-devel gcc giflib-devel meson systemd BuildRequires: pkgconfig(tracker-sparql-3.0) pkgconfig(tracker-testutils-3.0) @@ -90,6 +91,9 @@ sed -i 's/lib64/lib/g' %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}. %changelog +* Mon May 20 2024 technology208 - 3.0.5-5 +- fix CVE-2023-5557 + * Wed Oct 26 2022 wuzx - 3.0.5-4 - Add sw64 architecture -- Gitee