Bug 25114 - gvfs new security issues CVE-2019-1244[7-9] and CVE-2019-12795
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK MGA7-32...
Keywords: advisory, validated_update
 
Reported: 2019-07-12 01:35 CEST by David Walser
Modified: 2019-07-21 20:18 CEST
Source RPM: gvfs-1.40.1-4.mga7.src.rpm

Description David Walser 2019-07-12 01:35:42 CEST
Ubuntu has issued an advisory on July 9:
https://usn.ubuntu.com/4053-1/

There's a long discussion of related issues and concerns in this thread:
https://www.openwall.com/lists/oss-security/2019/07/09/3

Mageia 6 and Mageia 7 are also affected.

David Walser 2019-07-12 01:35:50 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-07-12 18:10:46 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing two submitters.

Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, marja11, olav

Comment 2 Mike Rambo 2019-07-17 23:28:17 CEST
Found six Debian patches to address these CVEs. Of the six, five of them were already applied to gvfs on Cauldron. The last would apply, but would not build afterward. The build error was "error: redefinition of ‘allow_mechanism_cb’". It appears that Cauldron is not vulnerable to these CVEs. For Mageia 7, the patches for CVE-2019-12447 were both already applied. This update applies the remaining patches. For Mageia 6, the second part of the patch for CVE-2019-12447 was already applied. This update applies the first part of 12447 and all the other patches.

Patched package uploaded for Mageia 7 and Mageia 6.

Advisory:
========================

Updated gvfs package fixes security vulnerabilities:

* daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used (CVE-2019-12447).
* daemon/gvfsbackendadmin.c has race conditions because the admin backend
doesn't implement query_info_on_read/write (CVE-2019-12448).
* daemon/gvfsbackendadmin.c mishandles a file's user and group ownership
during move (and copy with G_FILE_COPY_ALL_METADATA) operations from
admin:// to file:// URIs, because root privileges are unavailable (CVE-2019-12449).
* daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before
1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket
without configuring an authorization rule (CVE-2019-12795).


References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12447
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12795
https://usn.ubuntu.com/usn/usn-4053-1
========================

Updated packages in core/updates_testing:
========================
gvfs-1.40.1-4.1.mga7.x86_64.rpm
gvfs-archive-1.40.1-4.1.mga7.x86_64.rpm
gvfs-devel-1.40.1-4.1.mga7.x86_64.rpm
gvfs-fuse-1.40.1-4.1.mga7.x86_64.rpm
gvfs-goa-1.40.1-4.1.mga7.x86_64.rpm
gvfs-google-1.40.1-4.1.mga7.x86_64.rpm
gvfs-gphoto2-1.40.1-4.1.mga7.x86_64.rpm
gvfs-iphone-1.40.1-4.1.mga7.x86_64.rpm
gvfs-mtp-1.40.1-4.1.mga7.x86_64.rpm
gvfs-smb-1.40.1-4.1.mga7.x86_64.rpm

from gvfs-1.40.1-4.1.mga7.src.rpm

gvfs-1.32.1-1.2.mga6.x86_64.rpm
gvfs-archive-1.32.1-1.2.mga6.x86_64.rpm
gvfs-devel-1.32.1-1.2.mga6.x86_64.rpm
gvfs-fuse-1.32.1-1.2.mga6.x86_64.rpm
gvfs-goa-1.32.1-1.2.mga6.x86_64.rpm
gvfs-gphoto2-1.32.1-1.2.mga6.x86_64.rpm
gvfs-iphone-1.32.1-1.2.mga6.x86_64.rpm
gvfs-mtp-1.32.1-1.2.mga6.x86_64.rpm
gvfs-smb-1.32.1-1.2.mga6.x86_64.rpm

from gvfs-1.32.1-1.2.mga6.src.rpm

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
CC: (none) => mrambo
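
Added example, not part of the original bug report or of Mageia's tooling: a version-only check against the upstream ranges quoted in the advisory above flags the patched Mageia builds as affected, because the fixes were backported without changing the upstream version. The Python below puts both views side by side; the function names and the simplified numeric comparison (not RPM's full rpmvercmp) are assumptions, and the package strings are the ones listed in this bug.

```python
import re

# Upstream fixed releases for CVE-2019-12795, from the advisory text above.
UPSTREAM_FIXED = {(1, 38): (1, 38, 3), (1, 40): (1, 40, 2), (1, 41): (1, 41, 3)}

# Patched Mageia builds listed in this bug (version-release per dist tag).
MAGEIA_FIXED = {"mga7": "1.40.1-4.1", "mga6": "1.32.1-1.2"}


def _nums(text):
    """'1.40.1' -> (1, 40, 1). Simplified numeric compare, not full rpmvercmp."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def upstream_affected(version):
    """True/False per the advisory's upstream ranges, None if it names no fix."""
    v = _nums(version)
    fixed = UPSTREAM_FIXED.get(v[:2])
    if fixed:
        return v < fixed
    if v[:2] < (1, 38):
        return True   # "before 1.38.3"
    if v[:2] > (1, 41):
        return False  # later than every series the advisory names
    return None       # e.g. 1.39.x: the advisory wording does not cover it


def mageia_patched(nvr):
    """True if 'gvfs-<ver>-<rel>.<dist>[.<arch>]' is at or above the patched build."""
    m = re.fullmatch(r"gvfs-([\d.]+)-([\d.]+)\.(mga\d+)(?:\.\w+)?", nvr)
    if not m:
        raise ValueError(f"not a gvfs package string: {nvr!r}")
    version, release, dist = m.groups()
    if dist not in MAGEIA_FIXED:
        return None   # no patched build recorded in this bug for that release
    fixed_ver, fixed_rel = MAGEIA_FIXED[dist].split("-")
    return (_nums(version), _nums(release)) >= (_nums(fixed_ver), _nums(fixed_rel))


def assess(nvr):
    """Return (upstream_view, distro_view) so a mismatch is visible."""
    version = nvr.split("-")[1]
    return upstream_affected(version), mageia_patched(nvr)


if __name__ == "__main__":
    # Package strings as they appear in this bug: pre-update source, then updates.
    for pkg in ("gvfs-1.40.1-4.mga7", "gvfs-1.40.1-4.1.mga7.x86_64",
                "gvfs-1.32.1-1.2.mga6.x86_64"):
        print(pkg, assess(pkg))
```

A result of `(True, True)` is the backport case: the upstream version falls in the affected range, but the distribution build carries the fix.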

Comment 3 David Walser 2019-07-18 16:29:28 CEST
Cauldron is still affected. It should be updated to 1.40.2.

Comment 4 Mike Rambo 2019-07-18 18:28:08 CEST
Cauldron is already 1.40.2. Olav did that a little before I started on it yesterday. I hadn't noticed that but I guess it explains why the patches are already applied.

Comment 5 Brian Rockwell 2019-07-18 23:39:40 CEST
$ uname -a
Linux localhost 4.14.131-desktop-1.mga6 #1 SMP Thu Jun 27 11:19:36 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux


This machine is running GNOME.

The following 9 packages are going to be installed:

- gvfs-1.32.1-1.2.mga6.x86_64
- gvfs-archive-1.32.1-1.2.mga6.x86_64
- gvfs-devel-1.32.1-1.2.mga6.x86_64
- gvfs-fuse-1.32.1-1.2.mga6.x86_64
- gvfs-goa-1.32.1-1.2.mga6.x86_64
- gvfs-gphoto2-1.32.1-1.2.mga6.x86_64
- gvfs-iphone-1.32.1-1.2.mga6.x86_64
- gvfs-mtp-1.32.1-1.2.mga6.x86_64
- gvfs-smb-1.32.1-1.2.mga6.x86_64


After the install I rebooted the machine to reset daemons and clear any cached objects.

Able to connect to a Samba server on another machine and transfer files from and to that server. SMB is working.

I connected my Android phone, established an MTP connection, and was able to browse files, etc.

CC: (none) => brtians1
Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK

Comment 6 Herman Viaene 2019-07-19 12:01:28 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
# urpmq --whatrequires gvfs
caja
and some more
So trying
$ strace -o gvfs.txt caja
kf5.kio.core: "Kon de map tags:/ niet binnengaan." (Could not enter folder tags)
kf5.kio.core: "Kon de map tags:/ niet binnengaan."
Used caja to access samba shares from my desktop computer, and show pictures in there with gwenview after entering samba user/password. All worked OK.
Trace file shows a lot of refs to gvfs library files.

CC: (none) => herman.viaene
Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

nathan giovannini 2019-07-21 14:03:03 CEST

Keywords: (none) => validated_update
CC: (none) => nathan95, sysadmin-bugs

nathan giovannini 2019-07-21 14:04:36 CEST

Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK MGA7-32-OK

Thomas Backlund 2019-07-21 14:31:13 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2019-07-21 20:18:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0214.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

