Bug#929755: gvfs: CVE-2019-12447 CVE-2019-12448 CVE-2019-12449


Salvatore Bonaccorso-4
Source: gvfs
Version: 1.38.1-3
Severity: important
Tags: security upstream
Control: found -1 1.30.4-1

Hi,

The following vulnerabilities were published for gvfs.

CVE-2019-12447[0]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid
| is not used.


CVE-2019-12448[1]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c has race conditions because the admin
| backend doesn't implement query_info_on_read/write.


CVE-2019-12449[2]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c mishandles a file's user and group ownership
| during move (and copy with G_FILE_COPY_ALL_METADATA) operations from
| admin:// to file:// URIs, because root privileges are unavailable.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12447
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12447
[1] https://security-tracker.debian.org/tracker/CVE-2019-12448
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12448
[2] https://security-tracker.debian.org/tracker/CVE-2019-12449
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12449

Please adjust the affected versions in the BTS as needed, please do
though check (all versions in Debian should be affected).

Regards,
Salvatore
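As an added illustration of the mechanism named in the CVE-2019-12447 description (ownership mishandled because setfsuid is not used), the following C program shows how a privileged helper that creates files on behalf of an unprivileged caller can switch only its filesystem identity for the duration of the operation, so the resulting file is owned by the caller rather than by root. This is example code written for this page, not code from gvfs or from the bug report; the function names, the hypothetical caller uid/gid parameters and the temporary path under /tmp are assumptions. It is Linux-specific (setfsuid/setfsgid).

```c
// Added example, not gvfs code: scope a privileged daemon's filesystem
// identity to the requesting user while creating a file, so the file is
// owned by that user. Build with: cc -o fsuid_demo fsuid_demo.c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/fsuid.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create `path` while the filesystem uid/gid are temporarily switched to
 * caller_uid/caller_gid (hypothetical parameters supplied by the daemon's
 * request handling). Returns 0 on success, -1 on error. Only the fsuid/fsgid
 * change, so the daemon's real and effective ids stay intact, and the
 * identity is restored on every exit path. */
int create_file_as_caller(const char *path, uid_t caller_uid, gid_t caller_gid) {
    uid_t saved_uid = setfsuid(caller_uid);   /* returns the previous fsuid */
    gid_t saved_gid = setfsgid(caller_gid);   /* returns the previous fsgid */
    /* setfsuid()/setfsgid() do not report failure through errno: an
     * unprivileged process asking for a foreign uid is silently ignored.
     * Re-query with -1 (no change) to confirm the switch actually happened. */
    if ((uid_t)setfsuid(-1) != caller_uid || (gid_t)setfsgid(-1) != caller_gid) {
        setfsuid(saved_uid);
        setfsgid(saved_gid);
        return -1;
    }
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int rc = (fd < 0) ? -1 : 0;
    if (fd >= 0) close(fd);
    setfsuid(saved_uid);
    setfsgid(saved_gid);
    return rc;
}

/* Check that the file at `path` is owned by expected_uid/expected_gid.
 * Returns 1 if ownership matches, 0 if not or if the file cannot be stat'ed. */
int owned_by(const char *path, uid_t expected_uid, gid_t expected_gid) {
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    return st.st_uid == expected_uid && st.st_gid == expected_gid;
}

/* Demonstration: create a file in a fresh private directory as caller_uid/
 * caller_gid and verify its ownership. Returns 1 on success, 0 otherwise.
 * Run as root with a non-root caller, the file comes out owned by the caller
 * instead of root; run unprivileged, only the process's own ids are accepted. */
int demo(uid_t caller_uid, gid_t caller_gid) {
    char dir[] = "/tmp/fsuid_demo_XXXXXX";   /* assumed scratch location */
    if (mkdtemp(dir) == NULL) return 0;
    char path[64];
    snprintf(path, sizeof path, "%s/owned", dir);
    int ok = create_file_as_caller(path, caller_uid, caller_gid) == 0
             && owned_by(path, caller_uid, caller_gid);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    printf("file created as uid %u gid %u: %s\n", (unsigned)uid, (unsigned)gid,
           demo(uid, gid) ? "ownership matches" : "ownership mismatch");
    return 0;
}
```

The design point is that the switch is confined to the syscalls that touch the filesystem and is verified after the fact, because setfsuid() gives no error return; a helper that keeps running as root for the whole operation, as the description of the admin backend suggests, leaves every created file owned by root.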