Bug 24215

Summary: gvfs new polkit authorization security issue (CVE-2019-3827)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, guillomovitch, herman.viaene, marja11, olav, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: gvfs-1.38.1-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-01-21 12:02:56 CET 
Fedora has issued an advisory today (January 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y43CRGATQPYWH2UXO6ZS7PYPCSZGTGED/

Mageia 6 is also affected.
David Walser 2019-01-21 12:03:04 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-22 14:48:56 CET 
Assigning to the Gnome maintainers, because this package has:
URL         : http://www.gnome.org/

CC: (none) => guillomovitch, marja11, olav
Assignee: bugsquad => gnome

Comment 2 David Walser 2019-02-02 20:51:32 CET 
Advisory:
========================

Updated gvfs packages fix security vulnerability:

The backend currently allows to access and modify files without prompting for
password if any polkit authentication agent isn't available. This affects only
users which belong to wheel group (i.e. those who are already allowed to use
sudo). It doesn't allow privilege escalation for users, who don't belong to
that group.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y43CRGATQPYWH2UXO6ZS7PYPCSZGTGED/
========================

Updated packages in core/updates_testing:
========================
gvfs-1.32.1-1.1.mga6
gvfs-devel-1.32.1-1.1.mga6
gvfs-fuse-1.32.1-1.1.mga6
gvfs-smb-1.32.1-1.1.mga6
gvfs-archive-1.32.1-1.1.mga6
gvfs-gphoto2-1.32.1-1.1.mga6
gvfs-iphone-1.32.1-1.1.mga6
gvfs-mtp-1.32.1-1.1.mga6
gvfs-goa-1.32.1-1.1.mga6

from gvfs-1.32.1-1.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: gnome => qa-bugs

Comment 3 Herman Viaene 2019-02-07 10:20:50 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref bug 16916 Comment 1 and 2 , following  the smart boys there, I am OK'ing on clean install.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 David Walser 2019-02-13 12:15:32 CET 
Ubuntu has issued an advisory for this on February 12:
https://usn.ubuntu.com/3888-1/

Advisory:
========================

Updated gvfs packages fix security vulnerability:

The backend currently allows to access and modify files without prompting for
password if any polkit authentication agent isn't available. This affects only
users which belong to wheel group (i.e. those who are already allowed to use
sudo). It doesn't allow privilege escalation for users, who don't belong to
that group (CVE-2019-3827).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3827
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y43CRGATQPYWH2UXO6ZS7PYPCSZGTGED/
https://usn.ubuntu.com/3888-1/

Summary: gvfs new polkit authorization security issue => gvfs new polkit authorization security issue (CVE-2019-3827)
Severity: normal => major

Comment 5 Dave Hodgins 2019-02-14 06:58:32 CET 
Advisory committed to svn. Validating based on comment 3.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2019-02-14 09:40:20 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0080.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED