Bug 690144 (CVE-2019-12447, CVE-2019-12448, CVE-2019-12449, CVE-2019-12795) - <gnome-base/gvfs-1.38.3: Multiple vulnerabilities
Summary: <gnome-base/gvfs-1.38.3: Multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2019-12447, CVE-2019-12448, CVE-2019-12449, CVE-2019-12795
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://mail.gnome.org/archives/ftp-r...
Whiteboard: B3 [stable]
Keywords: STABLEREQ
Depends on: gnome-3.30-stable
Blocks:
Reported: 2019-07-18 12:28 UTC by Kristian Fiskerstrand
Modified: 2020-01-12 10:42 UTC

See Also:
Package list:
gnome-base/gvfs-1.40.2
Runtime testing required: ---
stable-bot: sanity-check+


Description Kristian Fiskerstrand gentoo-dev Security 2019-07-18 12:28:46 UTC
From ${URL}:
News
====

* daemon: Only accept EXTERNAL authentication (CVE-2019-12795)
* daemon: Check that the connecting client is the same user (CVE-2019-12795)
* admin: Ensure correct ownership when moving to file:// uri (CVE-2019-12449)
* admin: Use fsuid to ensure correct file ownership (CVE-2019-12447)
* admin: Allow changing file owner (CVE-2019-12447)
* admin: Add query_info_on_read/write functionality (CVE-2019-12448)
* Translation updates
Comment 1 Larry the Git Cow gentoo-dev 2019-07-23 18:34:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=885e8c1e16f17802d657b7c0079aaa4bc18d01e3

commit 885e8c1e16f17802d657b7c0079aaa4bc18d01e3
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-07-23 18:20:20 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-07-23 18:20:39 +0000

    gnome-base/gvfs: security bump to 1.38.3
    
    Bug: https://bugs.gentoo.org/690144
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 gnome-base/gvfs/Manifest                           |   1 +
 .../gvfs/files/1.38.3-gvfsdaemon-rpath.patch       |  35 ++++++
 gnome-base/gvfs/gvfs-1.38.3.ebuild                 | 136 +++++++++++++++++++++
 3 files changed, 172 insertions(+)
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-07-23 21:24:14 UTC
arm64 stable
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-07-24 20:50:40 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-07-25 13:06:33 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-07-26 09:17:01 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-07-26 09:52:32 UTC
ppc stable
Comment 7 Rolf Eike Beer 2019-07-26 18:42:17 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-07-31 12:10:22 UTC
alpha stable
Comment 9 Markus Meier gentoo-dev 2019-08-05 19:59:25 UTC
arm stable
Comment 10 Markus Meier gentoo-dev 2019-08-05 20:15:36 UTC
re-adding arm, since I'm currently unable to push stuff (due to my outdated key) - sorry about that...
Comment 11 Markus Meier gentoo-dev 2019-08-06 04:31:36 UTC
arm stable
Comment 12 Mart Raudsepp gentoo-dev 2020-01-02 07:18:07 UTC
ia64, please wake up
Comment 13 Sergei Trofimovich gentoo-dev 2020-01-12 10:42:18 UTC
commit 354b35983ebf3517f5c7201f600f6181eb9c74ee
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Sat Jan 11 21:48:54 2020 +0200

    gnome-base/gvfs: ia64 stable (bug #685254)