gvfs: CVE-2019-12447 CVE-2019-12448 CVE-2019-12449

Related Vulnerabilities: CVE-2019-12447 CVE-2019-12448 CVE-2019-12449 CVE-2019-12247

Debian Bug report logs - #929755


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 30 May 2019 14:03:02 UTC

Severity: important

Tags: security, upstream

Found in versions gvfs/1.38.1-3, gvfs/1.30.4-1

Fixed in versions gvfs/1.38.1-4, gvfs/1.40.1-2

Done: Simon McVittie <smcv@debian.org>

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#929755; Package src:gvfs. (Thu, 30 May 2019 14:03:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 30 May 2019 14:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gvfs: CVE-2019-12447 CVE-2019-12448 CVE-2019-12449
Date: Thu, 30 May 2019 16:00:04 +0200
Source: gvfs
Version: 1.38.1-3
Severity: important
Tags: security upstream
Control: found -1 1.30.4-1

Hi,

The following vulnerabilities were published for gvfs.

CVE-2019-12447[0]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid
| is not used.


CVE-2019-12448[1]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c has race conditions because the admin
| backend doesn't implement query_info_on_read/write.


CVE-2019-12449[2]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c mishandles a file's user and group ownership
| during move (and copy with G_FILE_COPY_ALL_METADATA) operations from
| admin:// to file:// URIs, because root privileges are unavailable.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12447
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12447
[1] https://security-tracker.debian.org/tracker/CVE-2019-12448
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12448
[2] https://security-tracker.debian.org/tracker/CVE-2019-12449
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12449

Please adjust the affected versions in the BTS as needed, but please do
check them (all versions in Debian should be affected).

Regards,
Salvatore

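The three descriptions above name two distinct classes of bug in a root-privileged file-access daemon: files created on a caller's behalf end up with the daemon's ownership because the filesystem identity is never switched (the missing setfsuid in CVE-2019-12447), and metadata is looked up by path name again instead of on the stream that is already open, which leaves a window for the name to be swapped underneath (the missing query_info_on_read/write in CVE-2019-12448). The following is an added example written for this page, not gvfs code and not the upstream fix; it shows the two patterns in isolation. It assumes Linux (setfsuid/setfsgid are Linux-specific), a writable TMPDIR or /tmp, and it uses the running process's own uid/gid as the "requesting user" so that it also works unprivileged (as root, the same call really does hand the new inode to another user). The directory and file names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/fsuid.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * create_file_as: create `path` while the calling thread's filesystem identity
 * is (uid, gid), so the new inode is owned by that user rather than by whoever
 * the daemon runs as.  Returns an open descriptor, or -1 with errno set.
 * The previous fsuid/fsgid are restored before returning on every path.
 */
int create_file_as(const char *path, uid_t uid, gid_t gid)
{
    /* setfsuid/setfsgid return the *previous* id and signal failure only by
     * leaving the id unchanged, so the new value has to be read back. */
    uid_t prev_uid = (uid_t) setfsuid(uid);
    gid_t prev_gid = (gid_t) setfsgid(gid);
    int fd = -1, err = 0;

    if ((uid_t) setfsuid(uid) != uid || (gid_t) setfsgid(gid) != gid) {
        err = EPERM;                      /* not allowed to act as that user */
    } else {
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
        if (fd < 0)
            err = errno;
    }

    (void) setfsuid(prev_uid);            /* always drop back to our own identity */
    (void) setfsgid(prev_gid);
    errno = err;
    return fd;
}

/*
 * run_demo: exercise both patterns in a fresh temporary directory (constructed
 * for this example).  Returns 0 on success or a negative code for the failing
 * step: -1 setup/I/O error, -2 created file not owned by the requested ids,
 * -3 the handle-based query was redirected (must never happen),
 * -4 the path-based query was not redirected (unexpected environment).
 */
int run_demo(void)
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    const char *orig_msg = "secret\n", *decoy_msg = "decoy decoy decoy\n";
    char dir[512], data[600], decoy[600];
    struct stat by_fd, by_path;
    uid_t me = getuid();
    gid_t mygrp = getgid();
    int fd = -1, dfd = -1, rc = -1;

    snprintf(dir, sizeof dir, "%s/admin-demo-XXXXXX", tmp);
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(data, sizeof data, "%s/data", dir);
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);

    /* 1. Create on behalf of the requesting user (here: ourselves) and check
     *    the ownership on the handle we got back. */
    fd = create_file_as(data, me, mygrp);
    if (fd < 0)
        goto out;
    if (write(fd, orig_msg, strlen(orig_msg)) != (ssize_t) strlen(orig_msg))
        goto out;
    if (fstat(fd, &by_fd) < 0)
        goto out;
    if (by_fd.st_uid != me || by_fd.st_gid != mygrp) { rc = -2; goto out; }

    /* 2. The race: while `fd` is still open, the name is swapped for a symlink
     *    to a different file, as anyone with write access to the directory can
     *    do between our open() and a later by-path lookup. */
    dfd = open(decoy, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (dfd < 0 || write(dfd, decoy_msg, strlen(decoy_msg)) != (ssize_t) strlen(decoy_msg))
        goto out;
    if (unlink(data) < 0 || symlink(decoy, data) < 0)
        goto out;

    /* Querying on the handle (fstat) still describes the inode we opened;
     * querying by name (stat) now describes whatever the name points at. */
    if (fstat(fd, &by_fd) < 0 || stat(data, &by_path) < 0)
        goto out;
    if ((size_t) by_fd.st_size != strlen(orig_msg))    { rc = -3; goto out; }
    if ((size_t) by_path.st_size != strlen(decoy_msg)) { rc = -4; goto out; }
    rc = 0;

out:
    if (fd >= 0) close(fd);
    if (dfd >= 0) close(dfd);
    unlink(data);
    unlink(decoy);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("demo result: %d (0 = ownership correct, handle-based query not redirected)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The point of the second half is the one the changelog below fixes by implementing query_info_on_read/write: once a backend has a stream open, every answer about that stream has to come from the open handle, never from re-resolving the path, because the name is under the control of whoever can write to the directory. The first half is the setfsuid discipline: switch the filesystem identity for exactly the call that creates the inode, read the ids back because the syscalls do not return an error, and restore unconditionally.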


Marked as found in versions gvfs/1.30.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 30 May 2019 14:03:05 GMT)


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Wed, 05 Jun 2019 08:49:23 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 05 Jun 2019 08:49:23 GMT)


Message #12 received at 929755-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 929755-close@bugs.debian.org
Subject: Bug#929755: fixed in gvfs 1.38.1-4
Date: Wed, 05 Jun 2019 08:39:28 +0000
Source: gvfs
Source-Version: 1.38.1-4

We believe that the bug you reported is fixed in the latest version of
gvfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929755@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated gvfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 05 Jun 2019 08:34:17 +0100
Source: gvfs
Architecture: source
Version: 1.38.1-4
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 927221 929755
Changes:
 gvfs (1.38.1-4) unstable; urgency=high
 .
   * Team upload
   * Update from upstream gnome-3-30 branch to fix the admin backend
     (Closes: #929755)
     - Implement query_info_on_read/write to fix some race conditions
       (CVE-2019-12448)
     - Ensure that created files get the correct ownership (CVE-2019-12247)
     - Ensure that copied files get the correct ownership (CVE-2019-12449)
   * Remove obsolete version number from fuse dependency.
     gvfs needs fuse (>= 2.8.4), but that version is older than oldstable,
     so we can safely simplify to "Depends: fuse".
     The versioned dependency is not satisfied by fuse3's unversioned
     "Provides: fuse", but the unversioned dependency is. (Closes: #927221)
Checksums-Sha1:
 0a20e5deca4d41f356440d22525244938e75dbc7 3392 gvfs_1.38.1-4.dsc
 234c4e67894d4c7b367e2368fc81c6066bb76499 61796 gvfs_1.38.1-4.debian.tar.xz
 cd17ef82c20092a655b4c7e079952341ee9cae79 18685 gvfs_1.38.1-4_source.buildinfo
Checksums-Sha256:
 238c177834943fe12c4dde3c1a5143fcc7223c6e3adb4a967e201346c22166dd 3392 gvfs_1.38.1-4.dsc
 3ebbd285adaf0afccf38cdbcd8bc8d91eae4dea19dfff00903d7d31db4a9f55e 61796 gvfs_1.38.1-4.debian.tar.xz
 e5b09ebac116477f6833e49b7307fc7426cb54f0ee867bda4fd4902000632963 18685 gvfs_1.38.1-4_source.buildinfo
Files:
 5b6ba25ceaab4078586c61b68a008de4 3392 gnome optional gvfs_1.38.1-4.dsc
 4556da0a9d4e0f16d1236b0b31aafcbb 61796 gnome optional gvfs_1.38.1-4.debian.tar.xz
 74f490ae3acf50249368652205cbe444 18685 gnome optional gvfs_1.38.1-4_source.buildinfo

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#929755. (Wed, 05 Jun 2019 08:49:29 GMT)


Message #15 received at 929755-submitter@bugs.debian.org:

From: Simon McVittie <noreply@salsa.debian.org>
To: 929755-submitter@bugs.debian.org
Subject: Bug#929755 marked as pending in gvfs
Date: Wed, 05 Jun 2019 08:10:47 +0000
Control: tag -1 pending

Hello,

Bug #929755 in gvfs reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/gnome-team/gvfs/commit/be847cc6aa6757e9d134365d702c0832c90de1f3

------------------------------------------------------------------------
Update from upstream gnome-3-30 branch to fix the admin backend

  - Implement query_info_on_read/write to fix some race conditions
    (CVE-2019-12448)
  - Ensure that created files get the correct ownership (CVE-2019-12247)
  - Ensure that copied files get the correct ownership (CVE-2019-12449)

Closes: #929755
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/929755



Added tag(s) pending. Request was from Simon McVittie <noreply@salsa.debian.org> to 929755-submitter@bugs.debian.org. (Wed, 05 Jun 2019 08:49:29 GMT)


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Thu, 06 Jun 2019 21:27:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 06 Jun 2019 21:27:07 GMT)


Message #22 received at 929755-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 929755-close@bugs.debian.org
Subject: Bug#929755: fixed in gvfs 1.40.1-2
Date: Thu, 06 Jun 2019 21:22:55 +0000
Source: gvfs
Source-Version: 1.40.1-2

We believe that the bug you reported is fixed in the latest version of
gvfs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929755@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated gvfs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 06 Jun 2019 18:37:25 +0100
Source: gvfs
Architecture: source
Version: 1.40.1-2
Distribution: experimental
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Closes: 927221 929755
Changes:
 gvfs (1.40.1-2) experimental; urgency=medium
 .
   * Team upload
   * Update from upstream gnome-3-32 branch, commit 1.40.1-9-gec939a01,
     to fix the admin backend
     (Closes: #929755)
     - Implement query_info_on_read/write to fix some race conditions
       (CVE-2019-12448)
     - Ensure that created files get the correct ownership (CVE-2019-12247)
     - Ensure that copied files get the correct ownership (CVE-2019-12449)
     - Fix deadlocks in synchronous API
     - Various fixes for afc backend
     - Update translation: zh_CN
   * Remove obsolete version number from fuse dependency.
     gvfs needs fuse (>= 2.8.4), but that version is older than oldstable,
     so we can safely simplify to "Depends: fuse".
     The versioned dependency is not satisfied by fuse3's unversioned
     "Provides: fuse", but the unversioned dependency is. (Closes: #927221)
Checksums-Sha1:
 2eed030080b7e430c4dd88ceb51fac243048b426 3341 gvfs_1.40.1-2.dsc
 9a7d6ca6b105b29f578a7bf0a38cf4971840306a 53172 gvfs_1.40.1-2.debian.tar.xz
 955757f11952faac11effd13f10d9ebc4399ee20 18648 gvfs_1.40.1-2_source.buildinfo
Checksums-Sha256:
 6ac076a14b7bd11079bee31fe63bc2c2e440b8b1582427f7c46d63c9292bb408 3341 gvfs_1.40.1-2.dsc
 cdc6eb93888f6970dd828cc467aaef29495bec52751649caa0a802c01c9dbfdf 53172 gvfs_1.40.1-2.debian.tar.xz
 04ae66519940e2591a5986fb2a03e7bda05c858afa04db1f9212646904ffef0c 18648 gvfs_1.40.1-2_source.buildinfo
Files:
 f1d05d21825f55ef0d8ba53b5144396f 3341 gnome optional gvfs_1.40.1-2.dsc
 224067e15639abcbbe28ea05c0e908e6 53172 gnome optional gvfs_1.40.1-2.debian.tar.xz
 bc0305c20c0b479eb159a126cb3c34bc 18648 gnome optional gvfs_1.40.1-2_source.buildinfo

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:47:40 2019; Machine Name: buxtehude
