MGASA-2019-0214

Source
https://advisories.mageia.org/MGASA-2019-0214.html
Import Source
https://advisories.mageia.org/MGASA-2019-0214.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2019-0214
Published
2019-07-21T18:17:27Z
Modified
2019-07-21T12:42:25Z
Summary
Updated gvfs packages fix security vulnerabilities
Details

Updated gvfs package fixes security vulnerabilities:

  • daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used (CVE-2019-12447).
  • daemon/gvfsbackendadmin.c has race conditions because the admin backend doesn't implement query_info_on_read/write (CVE-2019-12448).
  • daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable (CVE-2019-12449).
  • daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule (CVE-2019-12795).

Affected packages

Mageia:6 / gvfs

Package

Name
gvfs
Purl
pkg:rpm/mageia/gvfs?distro=mageia-6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.32.1-1.2.mga6

Ecosystem specific

{
    "section": "core"
}

Mageia:7 / gvfs

Package

Name
gvfs
Purl
pkg:rpm/mageia/gvfs?distro=mageia-7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.40.1-4.1.mga7

Ecosystem specific

{
    "section": "core"
}