Bug 16916

Summary: gvfsd-dav crash on files with percent sign in filename
Product: Mageia Reporter: David Walser <luigiwalser>
Component: RPM Packages Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, lewyssmith, olav, sysadmin-bugs, wilcal.int
Version: 5 Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Source RPM: gvfs-1.22.3-2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-10-06 20:49:32 CEST
Upstream committed a fix in January for a crash in gvfsd-dav:
https://bugzilla.gnome.org/show_bug.cgi?id=743298

A CVE was requested for this:
http://openwall.com/lists/oss-security/2015/10/06/3

The fix was already in Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
----------------------------------------

Applications using gvfs to browse remote WebDAV file shares could crash if
the share contained filenames which gvfs mistook as URL-encoded (bgo#743298).

References:
https://bugzilla.gnome.org/show_bug.cgi?id=743298
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
gvfs-1.22.3-2.1.mga5
gvfs-devel-1.22.3-2.1.mga5
gvfs-fuse-1.22.3-2.1.mga5
gvfs-smb-1.22.3-2.1.mga5
gvfs-archive-1.22.3-2.1.mga5
gvfs-gphoto2-1.22.3-2.1.mga5
gvfs-iphone-1.22.3-2.1.mga5
gvfs-mtp-1.22.3-2.1.mga5
gvfs-goa-1.22.3-2.1.mga5

from gvfs-1.22.3-2.1.mga5.src.rpm
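
The failure class named in the advisory, as an added example (not gvfs code and not the upstream fix): a strict percent-decoder that rejects names which only look URL-encoded, and a caller that falls back to the literal name. It assumes the crash class is a decode failure the caller did not check; `strict_unescape`, `display_name` and the sample filenames are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper: strictly percent-decode `in`. Returns a malloc'd
 * string, or NULL when a '%' is not followed by two hex digits or decodes
 * to a NUL byte, i.e. the name is not valid URL-encoding. */
char *strict_unescape(const char *in) {
    size_t n = strlen(in);
    char *out = malloc(n + 1), *w = out;
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (in[i] != '%') { *w++ = in[i]; continue; }
        int hi = (i + 1 < n) ? hexval((unsigned char)in[i + 1]) : -1;
        int lo = (i + 2 < n) ? hexval((unsigned char)in[i + 2]) : -1;
        if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) { free(out); return NULL; }
        *w++ = (char)(hi << 4 | lo);
        i += 2;                      /* skip the two hex digits just consumed */
    }
    *w = '\0';
    return out;
}

/* Caller side: check the decode result; on failure keep the name literal. */
char *display_name(const char *raw) {
    char *dec = strict_unescape(raw);
    if (dec) return dec;
    char *copy = malloc(strlen(raw) + 1);
    if (copy) strcpy(copy, raw);
    return copy;
}

int main(void) {
    /* Constructed sample names: one valid encoding, three that only look encoded. */
    const char *names[] = { "my%20file.txt", "100%.txt", "50%off.pdf", "a%zzb" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char *d = display_name(names[i]);
        printf("%-14s -> %s\n", names[i], d ? d : "(allocation failed)");
        free(d);
    }
    return 0;
}
```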

Thierry Vignaud 2015-10-07 08:46:18 CEST

CC: (none) => olav

Dave Hodgins 2015-10-09 02:49:51 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 David Walser 2015-10-15 21:09:59 CEST
I haven't tested any functionality, but I verified that they upgrade cleanly.

Comment 2 Lewis Smith 2015-10-19 22:23:50 CEST
Mag5 x64

Same as Comment 1, perhaps even less. I installed all the gvfs packages cited (except dev) from issued repos, version 1.22.3-2. Nothing resulted, and I could not make anything happen: no daemon running, nor startable by normal means.
# systemctl start gvfsd        [or gvsd or gvs]
Failed to start gvfsd.service: Unit gvfsd.service failed to load: No such file or directory.
# gvsd      [or gvs]
bash: gvsd: command not found

Updated all pkgs from Updates Testing to version 1.22.3-2.1. Nothing untoward happened, so like David: they upgrade cleanly.

Discussion of this update suggested that this may have to suffice to OK it. I hesitate to do so in the hope that something better can be tried. If not - OK.

CC: (none) => lewyssmith

David Walser 2015-10-23 16:45:06 CEST

Whiteboard: advisory => MGA5-32-OK MGA5-64-OK advisory

Comment 3 William Kenney 2015-10-25 15:21:07 CET
Validating this update

Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs

Comment 4 Mageia Robot 2015-10-25 15:38:55 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2015-0160.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED