Bug 16916 - gvfsd-dav crash on files with percent sign in filename
Summary: gvfsd-dav crash on files with percent sign in filename
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-10-06 20:49 CEST by David Walser
Modified: 2015-10-25 15:38 CET

See Also:
Source RPM: gvfs-1.22.3-2.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-10-06 20:49:32 CEST
Upstream committed a fix in January for a crash in gvfsd-dav:
https://bugzilla.gnome.org/show_bug.cgi?id=743298

A CVE was requested for this:
http://openwall.com/lists/oss-security/2015/10/06/3

The fix was already in Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
----------------------------------------

Applications using gvfs to browse remote WebDAV file shares could crash if
the share contained filenames which gvfs mistook as URL-encoded (bgo#743298).

References:
https://bugzilla.gnome.org/show_bug.cgi?id=743298
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
gvfs-1.22.3-2.1.mga5
gvfs-devel-1.22.3-2.1.mga5
gvfs-fuse-1.22.3-2.1.mga5
gvfs-smb-1.22.3-2.1.mga5
gvfs-archive-1.22.3-2.1.mga5
gvfs-gphoto2-1.22.3-2.1.mga5
gvfs-iphone-1.22.3-2.1.mga5
gvfs-mtp-1.22.3-2.1.mga5
gvfs-goa-1.22.3-2.1.mga5

from gvfs-1.22.3-2.1.mga5.src.rpm

Thierry Vignaud 2015-10-07 08:46:18 CEST

CC: (none) => olav

Dave Hodgins 2015-10-09 02:49:51 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 1 David Walser 2015-10-15 21:09:59 CEST
I haven't tested any functionality, but I verified that they upgrade cleanly.

Comment 2 Lewis Smith 2015-10-19 22:23:50 CEST
Mag5 x64

Same as Comment 1, perhaps even less. I installed all the gvfs packages cited (except dev) from issued repos, version 1.22.3-2. Nothing resulted, and I could not make anything happen: no daemon running, nor startable by normal means.
# systemctl start gvfsd        [or gvsd or gvs]
Failed to start gvfsd.service: Unit gvfsd.service failed to load: No such file or directory.
# gvsd      [or gvs]
bash: gvsd: command not found

Updated all pkgs from Updates Testing to version 1.22.3-2.1. Nothing untoward happened, so like David: they upgrade cleanly.

Discussion of this update suggested that this may have to suffice to OK it. I hesitate to do so in the hope that something better can be tried. If not - OK.

CC: (none) => lewyssmith

David Walser 2015-10-23 16:45:06 CEST

Whiteboard: advisory => MGA5-32-OK MGA5-64-OK advisory

Comment 3 William Kenney 2015-10-25 15:21:07 CET
Validating this update

Keywords: (none) => validated_update
CC: (none) => wilcal.int, sysadmin-bugs

Comment 4 Mageia Robot 2015-10-25 15:38:55 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2015-0160.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

