Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 690144 (CVE-2019-12447, CVE-2019-12448, CVE-2019-12449, CVE-2019-12795) - <gnome-base/gvfs-1.40.2: Multiple vulnerabilities (CVE-2019-{12447,12448,12449,12795})
Summary: <gnome-base/gvfs-1.40.2: Multiple vulnerabilities (CVE-2019-{12447,12448,1244...
Status: RESOLVED FIXED
Alias: CVE-2019-12447, CVE-2019-12448, CVE-2019-12449, CVE-2019-12795
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://mail.gnome.org/archives/ftp-r...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: gnome-3.30-stable
Blocks:
  Show dependency tree
 
Reported: 2019-07-18 12:28 UTC by Kristian Fiskerstrand
Modified: 2020-04-16 07:39 UTC (History)
1 user (show)

See Also:
Package list:
gnome-base/gvfs-1.40.2
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2019-07-18 12:28:46 UTC
From ${URL}:
News
====

* daemon: Only accept EXTERNAL authentication (CVE-2019-12795)
* daemon: Check that the connecting client is the same user (CVE-2019-12795)
* admin: Ensure correct ownership when moving to file:// uri (CVE-2019-12449)
* admin: Use fsuid to ensure correct file ownership (CVE-2019-12447)
* admin: Allow changing file owner (CVE-2019-12447)
* admin: Add query_info_on_read/write functionality (CVE-2019-12448)
* Translation updates
Comment 1 Larry the Git Cow gentoo-dev 2019-07-23 18:34:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=885e8c1e16f17802d657b7c0079aaa4bc18d01e3

commit 885e8c1e16f17802d657b7c0079aaa4bc18d01e3
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2019-07-23 18:20:20 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2019-07-23 18:20:39 +0000

    gnome-base/gvfs: security bump to 1.38.3
    
    Bug: https://bugs.gentoo.org/690144
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 gnome-base/gvfs/Manifest                           |   1 +
 .../gvfs/files/1.38.3-gvfsdaemon-rpath.patch       |  35 ++++++
 gnome-base/gvfs/gvfs-1.38.3.ebuild                 | 136 +++++++++++++++++++++
 3 files changed, 172 insertions(+)
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-07-23 21:24:14 UTC
arm64 stable
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-07-24 20:50:40 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-07-25 13:06:33 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-07-26 09:17:01 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-07-26 09:52:32 UTC
ppc stable
Comment 7 Rolf Eike Beer 2019-07-26 18:42:17 UTC
sparc stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-07-31 12:10:22 UTC
alpha stable
Comment 9 Markus Meier gentoo-dev 2019-08-05 19:59:25 UTC
arm stable
Comment 10 Markus Meier gentoo-dev 2019-08-05 20:15:36 UTC
re-adding arm, since I'm currently unable to push stuff (due to my outdated key) - sorry about that...
Comment 11 Markus Meier gentoo-dev 2019-08-06 04:31:36 UTC
arm stable
Comment 12 Mart Raudsepp gentoo-dev 2020-01-02 07:18:07 UTC
ia64, please wake up
Comment 13 Sergei Trofimovich gentoo-dev 2020-01-12 10:42:18 UTC
commit 354b35983ebf3517f5c7201f600f6181eb9c74ee
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Sat Jan 11 21:48:54 2020 +0200

    gnome-base/gvfs: ia64 stable (bug #685254)
Comment 14 Sam James archtester gentoo-dev Security 2020-03-28 19:44:52 UTC
Tree is clean.
Comment 15 NATTkA bot gentoo-dev 2020-04-06 15:07:17 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-16 07:39:09 UTC
    CVE ID: CVE-2019-12447
   Summary: An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used.
 Published: 2019-05-29T17:29:00.000Z
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/690144

CVE-2019-12448
    CVE ID: CVE-2019-12448
   Summary: An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c has race conditions because the admin backend doesn't implement query_info_on_read/write.
 Published: Not yet published
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/690144

CVE-2019-12449
    CVE ID: CVE-2019-12449
   Summary: An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable.
 Published: 2019-05-29T17:29:00.000Z
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/690144

CVE-2019-12795
    CVE ID: CVE-2019-12795
   Summary: daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)
 Published: Not yet published
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/690144


__________________________

GLSA Vote: No
Thank you all for you work. 
Closing as [noglsa].