CVE-2019-12795: gvfsd GetConnection() missing authorization check

Related Vulnerabilities: CVE-2019-12795   CVE-2019-12749  

Debian Bug report logs - #930376

Reported by: Simon McVittie <smcv@debian.org>

Date: Tue, 11 Jun 2019 16:48:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security

Found in version gvfs/1.14.1-1

Fixed in versions 1.38.1-5, 1.40.1-3

Done: Simon McVittie <smcv@debian.org>

Forwarded to https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, debian-lts@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#930376; Package gvfs-daemons. (Tue, 11 Jun 2019 16:48:04 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, debian-lts@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 11 Jun 2019 16:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gvfsd GetConnection() missing authorization check
Date: Tue, 11 Jun 2019 17:45:56 +0100
Package: gvfs-daemons
Version: 1.14.1-1
Severity: grave
Tags: security fixed-upstream patch
Forwarded: https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a

While looking for services that might be vulnerable to CVE-2019-12749
or a similar vulnerability, I noticed that gvfsd has a mechanism to open
a private D-Bus server socket, and does not configure an authorization
check for clients connecting to that socket. An attacker who learns the
abstract socket address from netstat(8) or similar could connect to it
and issue D-Bus method calls.

Mitigation: the attacker would have to win a race with the user owning
gvfsd, who is probably also trying to connect to the same socket. gvfsd
closes the socket after it has accepted one connection.

I have requested a CVE ID from MITRE but not received one yet.

For buster/sid this has been fixed in gvfs 1.38.1-5.

For experimental this has been fixed in gvfs 1.40.1-2.

I do not have a tested patch for stretch or jessie, but the same change
would probably work as-is.

It would probably be a good idea to also backport
https://gitlab.gnome.org/GNOME/gvfs/commit/16a275041de2e70063da8aa5cfb2804de9a2f60a
for additional hardening. This forces authentication to use the
simple, robust EXTERNAL (credentials-passing) mechanism, disabling
DBUS_COOKIE_SHA1, which is somewhat fragile and seems more likely to
contain unknown vulnerabilities.

Regards,
    smcv
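The check the report describes as missing, shown as an added illustration that is not gvfs code and not the upstream patch: a stand-alone Python server on a Linux abstract Unix socket that reads the kernel-supplied peer credentials (SO_PEERCRED, the same credentials the EXTERNAL mechanism relies on) and only accepts a peer whose uid matches the daemon owner's. Everything here is constructed for the demo: the socket name, the OK/DENIED replies and the exchange() helper. Passing owner_uid=None reproduces the unchecked behaviour; the "other user" case is simulated by telling the server its owner is a different uid, since the demo cannot switch users. Linux only (abstract namespace and SO_PEERCRED).

```python
import os
import socket
import struct
import threading

MY_UID = os.getuid()
# Simulated "different user": the demo cannot change uid, so instead the
# server is told its owner is someone else, which makes our own connection
# the foreign one. Constructed for the demo only.
SIMULATED_OTHER_UID = MY_UID + 1


def peer_uid(conn):
    """uid of the process at the other end of a connected AF_UNIX socket.

    SO_PEERCRED (Linux) returns struct ucred {pid, uid, gid}, filled in by
    the kernel when the peer connected; the peer cannot forge it. D-Bus
    EXTERNAL authentication obtains the same credentials, which is why it
    is the robust choice over DBUS_COOKIE_SHA1.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def is_authorized(peer, owner_uid):
    """Authorization rule for a private per-user daemon socket:
    only the daemon's own uid may talk to it."""
    return peer == owner_uid


def serve_one(listener, owner_uid, log):
    """Accept exactly one client, decide, answer, and go away.

    Mirrors the mitigation detail in the report: the listener is closed
    after the first accept, so a later attacker finds nothing to connect to.
    """
    conn, _ = listener.accept()
    listener.close()
    with conn:
        if owner_uid is None:        # no check configured: the pre-fix state
            allowed = True
        else:
            allowed = is_authorized(peer_uid(conn), owner_uid)
        verdict = b"OK" if allowed else b"DENIED"
        conn.sendall(verdict)
        log.append(verdict)


def exchange(owner_uid):
    """Run server and client in one process; return the server's reply."""
    # Abstract-namespace address (leading NUL). Like gvfsd's, it has no
    # filesystem permissions protecting it and is visible to any local user
    # via `ss -xl` or netstat.
    addr = b"\0demo-private-bus-" + os.urandom(8).hex().encode()
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(addr)
    listener.listen(1)
    log = []
    t = threading.Thread(target=serve_one, args=(listener, owner_uid, log))
    t.start()
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(addr)
        reply = client.recv(16)
    finally:
        client.close()
    t.join()
    return reply.decode()


if __name__ == "__main__":
    print("no check      :", exchange(None))                  # OK
    print("owner connects:", exchange(MY_UID))                # OK
    print("other connects:", exchange(SIMULATED_OTHER_UID))   # DENIED
```

The GIO equivalent of is_authorized() is a GDBusAuthObserver attached to the GDBusServer, whose authorize-authenticated-peer handler compares the peer's GCredentials uid against the daemon's own; the point of the demo is that the credentials come from the kernel, so the check costs nothing and cannot be talked around by a client that merely knows the socket name.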



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 11 Jun 2019 17:03:06 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 11 Jun 2019 17:03:07 GMT)


Message #10 received at 930376-done@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 930376-done@bugs.debian.org
Subject: Re: Bug#930376: gvfsd GetConnection() missing authorization check
Date: Tue, 11 Jun 2019 17:58:59 +0100
Version: 1.38.1-5

On Tue, 11 Jun 2019 at 17:45:56 +0100, Simon McVittie wrote:
> For buster/sid this has been fixed in gvfs 1.38.1-5.



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Tue, 11 Jun 2019 17:03:09 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 11 Jun 2019 17:03:09 GMT)


Message #15 received at 930376-done@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 930376-done@bugs.debian.org
Subject: Re: Bug#930376: gvfsd GetConnection() missing authorization check
Date: Tue, 11 Jun 2019 18:00:41 +0100
Version: 1.40.1-3

On Tue, 11 Jun 2019 at 17:45:56 +0100, Simon McVittie wrote:
> For buster/sid this has been fixed in gvfs 1.40.1-2

Correction: 1.40.1-2 is vulnerable, 1.40.1-3 is fixed.

    smcv



Changed Bug title to 'CVE-2019-12795: gvfsd GetConnection() missing authorization check' from 'gvfsd GetConnection() missing authorization check'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Tue, 11 Jun 2019 22:51:03 GMT)


Changed Bug title to 'gvfs: CVE-2019-12795: gvfsd GetConnection() missing authorization check' from 'CVE-2019-12795: gvfsd GetConnection() missing authorization check'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 12 Jun 2019 08:36:09 GMT)


Changed Bug title to 'CVE-2019-12795: gvfsd GetConnection() missing authorization check' from 'gvfs: CVE-2019-12795: gvfsd GetConnection() missing authorization check'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 12 Jun 2019 08:39:03 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:13:53 2019; Machine Name: buxtehude