From ${URL} : Robert Rottscholl reported that when creating a new file via X File Explorer (xfe) on a Samba or NFS share, the user's mask was used for the permissions instead of that specified by the Samba or NFS configuration. Full details and patches are available from the following: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739536 From brief testing on Fedora with Samba and the "create mask" smb.conf option, this issue only presented when running xfe as the root user. The intended mask was used when running xfe as an unprivileged user. I don't know the equivalent NFS option. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Debian has (of course) patched this behaviour out. Red Hat has decided this is not a security issue. Upstream shows no patches/issues related to these changes. So it's just Debian carrying the patch. And the only thing Debian's patch changes is to add this check: if(getuid()>0) when setting the umask. I don't think it's possible to determine what a safe UID would be in this case. >0 certainly isn't it. Also note that at this point you're still running as root a graphical tool intended to manipulate and execute files. Anything could happen.
Per previous comments and the reports from various distributions this is not a security issue, but a policy issue on the proper use of root logins.