Bug 24215 - gvfs new polkit authorization security issue (CVE-2019-3827)
Summary: gvfs new polkit authorization security issue (CVE-2019-3827)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-21 12:02 CET by David Walser
Modified: 2019-02-14 09:40 CET (History)
6 users (show)

See Also:
Source RPM: gvfs-1.38.1-1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2019-01-21 12:02:56 CET 
Fedora has issued an advisory today (January 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y43CRGATQPYWH2UXO6ZS7PYPCSZGTGED/

Mageia 6 is also affected.
David Walser 2019-01-21 12:03:04 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-22 14:48:56 CET 
Assigning to the Gnome maintainers, because this package has:
URL         : http://www.gnome.org/

CC: (none) => guillomovitch, marja11, olav
Assignee: bugsquad => gnome

Comment 2 David Walser 2019-02-02 20:51:32 CET 
Advisory:
========================

Updated gvfs packages fix security vulnerability:

The backend currently allows to access and modify files without prompting for
password if any polkit authentication agent isn't available. This affects only
users which belong to wheel group (i.e. those who are already allowed to use
sudo). It doesn't allow privilege escalation for users, who don't belong to
that group.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y43CRGATQPYWH2UXO6ZS7PYPCSZGTGED/
========================

Updated packages in core/updates_testing:
========================
gvfs-1.32.1-1.1.mga6
gvfs-devel-1.32.1-1.1.mga6
gvfs-fuse-1.32.1-1.1.mga6
gvfs-smb-1.32.1-1.1.mga6
gvfs-archive-1.32.1-1.1.mga6
gvfs-gphoto2-1.32.1-1.1.mga6
gvfs-iphone-1.32.1-1.1.mga6
gvfs-mtp-1.32.1-1.1.mga6
gvfs-goa-1.32.1-1.1.mga6

from gvfs-1.32.1-1.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: gnome => qa-bugs

Comment 3 Herman Viaene 2019-02-07 10:20:50 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Ref bug 16916 Comment 1 and 2 , following  the smart boys there, I am OK'ing on clean install.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 David Walser 2019-02-13 12:15:32 CET 
Ubuntu has issued an advisory for this on February 12:
https://usn.ubuntu.com/3888-1/

Advisory:
========================

Updated gvfs packages fix security vulnerability:

The backend currently allows to access and modify files without prompting for
password if any polkit authentication agent isn't available. This affects only
users which belong to wheel group (i.e. those who are already allowed to use
sudo). It doesn't allow privilege escalation for users, who don't belong to
that group (CVE-2019-3827).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3827
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y43CRGATQPYWH2UXO6ZS7PYPCSZGTGED/
https://usn.ubuntu.com/3888-1/

Summary: gvfs new polkit authorization security issue => gvfs new polkit authorization security issue (CVE-2019-3827)
Severity: normal => major

Comment 5 Dave Hodgins 2019-02-14 06:58:32 CET 
Advisory committed to svn. Validating based on comment 3.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2019-02-14 09:40:20 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0080.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.