Debian Bug report logs -
#921816
gvfs: CVE-2019-3827: Incorrect authorization in admin backend allows privileged users to read and modify arbitrary files without prompting for password
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#921816; Package src:gvfs.
(Sat, 09 Feb 2019 04:51:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Sat, 09 Feb 2019 04:51:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: gvfs
Version: 1.38.1-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gvfs/issues/355
Control: found -1 1.30.4-1
Hi,
The following vulnerability was published for gvfs.
CVE-2019-3827[0]:
|Incorrect authorization in admin backend allows privileged users to
|read and modify arbitrary files without prompting for password
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-3827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3827
[1] https://gitlab.gnome.org/GNOME/gvfs/issues/355
Regards,
Salvatore
Marked as found in versions gvfs/1.30.4-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Sat, 09 Feb 2019 04:51:05 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#921816.
(Sat, 09 Feb 2019 13:03:03 GMT) (full text, mbox, link).
Message #10 received at 921816-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #921816 in gvfs reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/gnome-team/gvfs/commit/15b1c62868af18d00f61d0ae36abc800dec8dfcf
------------------------------------------------------------------------
Add patch from upstream to fix CVE-2019-3827
Prevent members of the sudo group from bypassing the intended password
check for privileged access to files via the admin: backend if no
polkit authentication agents are available (CVE-2019-3827)
Closes: #921816
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/921816
Added tag(s) pending.
Request was from Simon McVittie <>
to 921816-submitter@bugs.debian.org.
(Sat, 09 Feb 2019 13:03:03 GMT) (full text, mbox, link).
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Sat, 09 Feb 2019 13:21:07 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 09 Feb 2019 13:21:08 GMT) (full text, mbox, link).
Message #17 received at 921816-close@bugs.debian.org (full text, mbox, reply):
Source: gvfs
Source-Version: 1.38.1-3
We believe that the bug you reported is fixed in the latest version of
gvfs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 921816@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated gvfs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 09 Feb 2019 12:02:33 +0000
Source: gvfs
Architecture: source
Version: 1.38.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 921816
Changes:
gvfs (1.38.1-3) unstable; urgency=high
.
* Team upload
* d/p/admin-Prevent-access-if-any-authentication-agent-isn-t-av.patch:
Add patch from upstream to prevent members of the sudo group from
bypassing the intended password check for privileged access to files
via the admin: backend if no polkit authentication agents are
available (CVE-2019-3827, Closes: #921816)
* d/p/*: Update to upstream gnome-3-30 branch, commit 1.38.1-9-gd4dab113
- admin: Fix CVE-2019-3827 (see above)
- autorun: Don't crash if an autorun file is not valid UTF-8
- mtp: Don't busy-loop retrying reading an event after failure
- udisks2: Reinstate support for deprecated comment=x-gvfs-show fstab
option syntax (but please use x-gvfs-show instead)
- tests: Use the right SMB port if running in the sandbox
- Update translations: eu, sk, sr
* d/gbp.conf: Configure for debian/buster and upstream/1.38.x branches
* d/control: Use debian/buster branch in Vcs-Git
Checksums-Sha1:
63068733b36a9cb18b17f410456c806dfc0ad754 3392 gvfs_1.38.1-3.dsc
89bc952bb5e38731ee3dd03510b8ced6cc3d498b 59108 gvfs_1.38.1-3.debian.tar.xz
3d46aadcb3d28ae25d2055d9aab1cc0ba49df611 18639 gvfs_1.38.1-3_source.buildinfo
Checksums-Sha256:
3b385c16680a828148a61cec7b05f60410bd088ff7711128d3fb962627d5a797 3392 gvfs_1.38.1-3.dsc
766fa4fc44a491d4ceb466122d4d7dcdd63005410269b955f3bf2011f7b3d9a0 59108 gvfs_1.38.1-3.debian.tar.xz
b24a3c620bc2fdfec55994010d745ff00a794d71ca97da847633967d7ed062c9 18639 gvfs_1.38.1-3_source.buildinfo
Files:
b915fefe4cbe56f359b2141c36dd3675 3392 gnome optional gvfs_1.38.1-3.dsc
4e1fbd51872839437faffaf366708509 59108 gnome optional gvfs_1.38.1-3.debian.tar.xz
6a63d135ff6e0783975e112c9b9067ee 18639 gnome optional gvfs_1.38.1-3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAlxezsgACgkQ4FrhR4+B
TE8SeA/6AlwCRypT6meBP56FjMX74lHx4u5HO+xP7wrkRrqoaxgWHf1XWgpWyb63
EWgaIehfGN4qErgahju3BGJO1tRTF4viNUhaxF94u2mQscyttgaCMSHbAaGa37A+
Mg9n9tgYua5gJxa1XnWQ5dh/aZ9adIbFgWdhjpXSe+rsgabzG6R3MVcPDtT9Lm9n
4o30OaEwn+mSfbQMKTFEF+yI03qEWbtTr3GUpNVCqWg9pVwkqvxYDMNyamxGhQaQ
HjxFLK1kihfb/1oHuC3h4og9+wC1pdI+czdSJIjMhrkcejr5t+SaqlfAaPImc2fI
SEzz21lOeuPXwW0nXjCww/GKDPxXS5x01iR1m/es4+O5DB3vCOg0+Mx7rExu/tva
CdAhm5dK6M+OPVHZjwOKv+xqrG3X7j3/p7vFE54XPfY+qsSazhAesf8LkRSBpDxt
LEwQcXIbSSqmaUJjaSrH0Mqs5I8cHa+fa8RWiasg3/aGZQ9dBK6gGRMLos8A4skA
vxTPwmv4/2FgOrIf8mPqMOeXlL5mwFFgPZthWymhEazir5cdzj7Xx/w7mImopbj5
XZhZwofW/5x3bZ9vHpji2ntjMerQ1ifj3xwU3pylX2nLbSxaiGcn4dO6ADPkz5XM
Pmrx4tyfgVZWmXGYNe46OCzPwzlCtUiAZEi30xum/6BXvPAVCWk=
=sbkk
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:19:09 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon