SUSE-SU-2019:1717-1

Published: 01 Jul 2019
Source: suse-cvrf

Description

Security update for gvfs

This update for gvfs fixes the following issues:

Security issues fixed:

  • CVE-2019-12795: Fixed a vulnerability which could have allowed attacks via local D-Bus method calls (bsc#1137930).
  • CVE-2019-12447: Fixed improper handling of file ownership in daemon/gvfsbackendadmin.c, caused by setfsuid not being used (bsc#1136986).
  • CVE-2019-12449: Fixed improper handling of a file's user and group ownership in daemon/gvfsbackendadmin.c (bsc#1136992).
  • CVE-2019-12448: Fixed race conditions in daemon/gvfsbackendadmin.c caused by the admin backend not implementing query_info_on_read/write (bsc#1136981).

Other issue addressed:

  • Drop polkit rules files that are only relevant for wheel group (bsc#1125433).

Package list

SUSE Linux Enterprise Module for Desktop Applications 15
gvfs-1.34.2.1-4.13.1
gvfs-backend-afc-1.34.2.1-4.13.1
gvfs-backend-samba-1.34.2.1-4.13.1
gvfs-backends-1.34.2.1-4.13.1
gvfs-devel-1.34.2.1-4.13.1
gvfs-fuse-1.34.2.1-4.13.1
gvfs-lang-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1
gvfs-1.34.2.1-4.13.1
gvfs-backend-afc-1.34.2.1-4.13.1
gvfs-backend-samba-1.34.2.1-4.13.1
gvfs-backends-1.34.2.1-4.13.1
gvfs-devel-1.34.2.1-4.13.1
gvfs-fuse-1.34.2.1-4.13.1
gvfs-lang-1.34.2.1-4.13.1

Description

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used.


Affected products
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-afc-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-samba-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backends-1.34.2.1-4.13.1

Description

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c has race conditions because the admin backend doesn't implement query_info_on_read/write.


Affected products
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-afc-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-samba-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backends-1.34.2.1-4.13.1

Description

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable.


Affected products
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-afc-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-samba-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backends-1.34.2.1-4.13.1

Description

daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)


Affected products
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-afc-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-samba-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backends-1.34.2.1-4.13.1
