Ubuntu has issued an advisory on July 9:
There's a long discussion of related issues and concerns in this thread:
Mageia 6 and Mageia 7 are also affected.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC'ing two submitters.
guillomovitch, marja11, olav
Found six Debian patches to address these CVEs. Of the six, five were already applied to gvfs on cauldron. The last would apply, but would not build afterward. The build error was "error: redefinition of ‘allow_mechanism_cb’". It appears that cauldron is not vulnerable to these CVEs. For Mageia 7, the patches for CVE-2019-12447 were both already applied. This update applies the remaining patches. For Mageia 6, the second part of the patch for CVE-2019-12447 was already applied. This update applies the first part of 12447 and all the other patches.
Patched package uploaded for Mageia 7 and Mageia 6.
Updated gvfs package fixes security vulnerabilities:
* daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used (CVE-2019-12447).
* daemon/gvfsbackendadmin.c has race conditions because the admin backend doesn't implement query_info_on_read/write (CVE-2019-12448).
* daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable (CVE-2019-12449).
* daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule (CVE-2019-12795).
Updated packages in core/updates_testing:
MGA7TOO, MGA6TOO =>
Cauldron is still affected. It should be updated to 1.40.2.
Cauldron is already 1.40.2. Olav did that a little before I started on it yesterday. I hadn't noticed that but I guess it explains why the patches are already applied.
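The version ranges quoted in the advisory for CVE-2019-12795 (before 1.38.3, 1.40.x before 1.40.2, 1.41.x before 1.41.3) are what decides whether a given gvfs build, such as the 1.40.2 on cauldron, still needs the fix. The script below is an added example, not code from Mageia or from the gvfs project: it turns those ranges into a check you can run against the version string rpm reports. The function names and the "affected"/"unaffected" output are this example's own choice; a version outside every listed range (for instance a 1.39.x development build) is reported "unaffected" only because the advisory lists no range for it, so treat that result as "not listed", not as proof of a fix.

```shell
#!/bin/sh
# Added example: classify a gvfs version string against the affected ranges
# quoted in the advisory for CVE-2019-12795. Not Mageia or gvfs project code.
# Usage:  sh gvfs-12795-check.sh "$(rpm -q --qf '%{VERSION}\n' gvfs)"

# Convert "MAJOR.MINOR.MICRO[-release]" into one integer so ranges can be
# compared with plain shell arithmetic. The rpm release suffix (after '-')
# is dropped; missing components count as 0; non-numeric input returns 1.
ver_key() {
    v=${1%%-*}
    set -- $(printf '%s' "$v" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; mic=${3:-0}
    case "$maj$min$mic" in *[!0-9]*) return 1 ;; esac
    echo $(( maj * 1000000 + min * 1000 + mic ))
}

# Prints "affected" (return 1) when the version lies inside one of the
# advisory's ranges, "unaffected" (return 0) otherwise, 2 on a bad string.
gvfs_12795_status() {
    k=$(ver_key "$1") || { echo "bad version string: $1" >&2; return 2; }
    if [ "$k" -lt "$(ver_key 1.38.3)" ] ||
       { [ "$k" -ge "$(ver_key 1.40.0)" ] && [ "$k" -lt "$(ver_key 1.40.2)" ]; } ||
       { [ "$k" -ge "$(ver_key 1.41.0)" ] && [ "$k" -lt "$(ver_key 1.41.3)" ]; }; then
        echo affected
        return 1
    fi
    echo unaffected
    return 0
}

# Only run when a version is passed on the command line, so sourcing the
# file for its functions has no side effects.
if [ $# -gt 0 ]; then
    gvfs_12795_status "$1"
fi
```

On Mageia the version to feed in comes from `rpm -q --qf '%{VERSION}\n' gvfs`; the release part of the full NEVRA is deliberately ignored because the ranges in the advisory are upstream versions, so a distribution that backported the patch (as this update does for Mageia 6 and 7) will still show as "affected" by version number alone. For a backported build, confirm the fix from the package changelog rather than from this check.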
$ uname -a
Linux localhost 4.14.131-desktop-1.mga6 #1 SMP Thu Jun 27 11:19:36 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
This machine is running gnome
The following 9 packages are going to be installed:
After the install I rebooted the machine to reset daemons and clear any cached objects.
Able to connect to a samba server on another machine and transfer files from and to that server. smb is working.
I connected my Android phone, established an MTP connection and was able to browse files, etc.
MGA7-64 Plasma on Lenovo B50
No installation issues
# urpmq --whatrequires gvfs
$ strace -o gvfs.txt caja
kf5.kio.core: "Kon de map tags:/ niet binnengaan." (Could not enter folder tags)
kf5.kio.core: "Kon de map tags:/ niet binnengaan."
Used caja to access samba shares from my desktop computer, and show pictures in there with gwenview after entering samba user/password. All worked OK.
Trace file shows a lot of refs to gvfs library files.
MGA6TOO MGA6-64-OK =>
MGA6TOO MGA6-64-OK MGA7-64-OK
MGA6TOO MGA6-64-OK MGA7-64-OK =>
MGA6TOO MGA6-64-OK MGA7-64-OK MGA7-32-OK
An update for this issue has been pushed to the Mageia Updates repository.