Package gvfs updated to version 1.40.2-alt1 for branch p9 in task 235498.

Published: 2019-05-29

BDU:2019-02514

Уязвимость компонента daemon/gvfsbackendadmin.c подсистемы GVFS среды рабочего стола GNOME операционных систем Linux, позволяющая нарушителю оказать воздействие на целостность, конфиденциальность и доступность защищаемой информации

Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

CVE-2019-12447

Published: 2019-05-29

BDU:2019-02515

Severity: HIGH (8.1) Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

CVE-2019-12448

Published: 2019-05-29

BDU:2019-02516

Severity: CRITICAL (9.8) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

CVE-2019-12449

Published: 2019-05-29

BDU:2019-02517

Уязвимость компонента daemon/gvfsbackendadmin.c подсистемы GVFS среды рабочего стола GNOME операционных систем Linux, позволяющая нарушителю подключиться к D-Bus серверу

Severity: HIGH (7.8) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

CVE-2019-12795

Published: 2019-05-29
Modified: 2024-11-21

CVE-2019-12447

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used.

Severity: HIGH (7.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

References:

Published: 2019-05-29
Modified: 2024-11-21

CVE-2019-12448

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c has race conditions because the admin backend doesn't implement query_info_on_read/write.

Severity: HIGH (8.1) Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References:

Published: 2019-05-29
Modified: 2024-11-21

CVE-2019-12449

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable.

Severity: MEDIUM (5.7) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

References:

Published: 2019-06-12
Modified: 2024-11-21

CVE-2019-12795

daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)

Severity: HIGH (7.8) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References:

Version: 2.1.0

Package gvfs update in p9 on 2019-08-07

ALT-PU-2019-2406-1

Closed vulnerabilities

BDU:2019-02514

BDU:2019-02515

BDU:2019-02516

BDU:2019-02517

CVE-2019-12447

CVE-2019-12448

CVE-2019-12449

CVE-2019-12795