Ubuntu has issued an advisory on July 9: https://usn.ubuntu.com/4053-1/ There's a long discussion of related issues and concerns in this thread: https://www.openwall.com/lists/oss-security/2019/07/09/3 Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing two submitters.
Assignee: bugsquad => pkg-bugsCC: (none) => guillomovitch, marja11, olav
Found six debian patches to address these CVE's. Of the six, five of them were already applied to gvfs on cauldron. The last would apply, but would not build afterward. The build error was "error: redefinition of ‘allow_mechanism_cb’". It appears to be cauldron is not vulnerable to these CVE's. For Mageia 7, the patches for CVE-2019-12447 were both already applied. This update applies the remaining patches. For Mageia 6, the second part of the patch for CVE-2019-12447 was already applied. This update applies the first part of 12447 and all the other patches. Patched package uploaded for Mageia 7 and Mageia 6. Advisory: ======================== Updated gvfs package fixes security vulnerabilities: * daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used (CVE-2019-12447). * daemon/gvfsbackendadmin.c has race conditions because the admin backend doesn't implement query_info_on_read/write (CVE-2019-12448). * daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable (CVE-2019-12449). * daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule (CVE-2019-12795). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12447 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12448 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12449 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12795 https://usn.ubuntu.com/usn/usn-4053-1 ======================== Updated packages in core/updates_testing: ======================== gvfs-1.40.1-4.1.mga7.x86_64.rpm gvfs-archive-1.40.1-4.1.mga7.x86_64.rpm gvfs-devel-1.40.1-4.1.mga7.x86_64.rpm gvfs-fuse-1.40.1-4.1.mga7.x86_64.rpm gvfs-goa-1.40.1-4.1.mga7.x86_64.rpm gvfs-google-1.40.1-4.1.mga7.x86_64.rpm gvfs-gphoto2-1.40.1-4.1.mga7.x86_64.rpm gvfs-iphone-1.40.1-4.1.mga7.x86_64.rpm gvfs-mtp-1.40.1-4.1.mga7.x86_64.rpm gvfs-smb-1.40.1-4.1.mga7.x86_64.rpm from gvfs-1.40.1-4.1.mga7.src.rpm gvfs-1.32.1-1.2.mga6.x86_64.rpm gvfs-archive-1.32.1-1.2.mga6.x86_64.rpm gvfs-devel-1.32.1-1.2.mga6.x86_64.rpm gvfs-fuse-1.32.1-1.2.mga6.x86_64.rpm gvfs-goa-1.32.1-1.2.mga6.x86_64.rpm gvfs-gphoto2-1.32.1-1.2.mga6.x86_64.rpm gvfs-iphone-1.32.1-1.2.mga6.x86_64.rpm gvfs-mtp-1.32.1-1.2.mga6.x86_64.rpm gvfs-smb-1.32.1-1.2.mga6.x86_64.rpm from gvfs-1.32.1-1.2.mga6.src.rpm
Version: Cauldron => 7Assignee: pkg-bugs => qa-bugsWhiteboard: MGA7TOO, MGA6TOO => MGA6TOOCC: (none) => mrambo
Cauldron is still affected. It should be updated to 1.40.2.
Cauldron is already 1.40.2. Olav did that a little before I started on it yesterday. I hadn't noticed that but I guess it explains why the patches are already applied.
$ uname -a Linux localhost 4.14.131-desktop-1.mga6 #1 SMP Thu Jun 27 11:19:36 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux This machine is running gnome The following 9 packages are going to be installed: - gvfs-1.32.1-1.2.mga6.x86_64 - gvfs-archive-1.32.1-1.2.mga6.x86_64 - gvfs-devel-1.32.1-1.2.mga6.x86_64 - gvfs-fuse-1.32.1-1.2.mga6.x86_64 - gvfs-goa-1.32.1-1.2.mga6.x86_64 - gvfs-gphoto2-1.32.1-1.2.mga6.x86_64 - gvfs-iphone-1.32.1-1.2.mga6.x86_64 - gvfs-mtp-1.32.1-1.2.mga6.x86_64 - gvfs-smb-1.32.1-1.2.mga6.x86_64 after the install I rebooted the machine to reset daemons and clear any cached objects Able to connect to a samba server on another machine and transfer files from and to that server. smb is working. I connected my android phone and established an mtp connection was able to browser files, etc.
CC: (none) => brtians1Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK
MGA7-64 Plasma on Lenovo B50 No installation issues # urpmq --whatrequires gvfs caja andsome more So trying $ strace -o gvfs.txt caja kf5.kio.core: "Kon de map tags:/ niet binnengaan." (Could not enter folder tags) kf5.kio.core: "Kon de map tags:/ niet binnengaan." Used caja to access samba shares from my desktop computer, and show pictures in there with gwenview after entering samba user/password. All worked OK. Trace file shows a lot of refs to gvfs library files.
CC: (none) => herman.viaeneWhiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: (none) => validated_updateCC: (none) => nathan95, sysadmin-bugs
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK MGA7-32-OK
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0214.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED