Description
daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)
Report
This issue affects the versions of gvfs as shipped with Red Hat Enterprise Linux 6, 7, and 8. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | gvfs | Out of support scope | ||
Red Hat Enterprise Linux 7 | gvfs | Fix deferred | ||
Red Hat Enterprise Linux 8 | accountsservice | Fixed | RHSA-2019:3553 | 05.11.2019 |
Red Hat Enterprise Linux 8 | appstream-data | Fixed | RHSA-2019:3553 | 05.11.2019 |
Red Hat Enterprise Linux 8 | baobab | Fixed | RHSA-2019:3553 | 05.11.2019 |
Red Hat Enterprise Linux 8 | chrome-gnome-shell | Fixed | RHSA-2019:3553 | 05.11.2019 |
Red Hat Enterprise Linux 8 | evince | Fixed | RHSA-2019:3553 | 05.11.2019 |
Red Hat Enterprise Linux 8 | file-roller | Fixed | RHSA-2019:3553 | 05.11.2019 |
Red Hat Enterprise Linux 8 | gdk-pixbuf2 | Fixed | RHSA-2019:3553 | 05.11.2019 |
Red Hat Enterprise Linux 8 | gdm | Fixed | RHSA-2019:3553 | 05.11.2019 |
Additional information
Status:
EPSS
4.5 Medium
CVSS3