Security update for gvfs SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:1717-1 Final 1 1 2019-07-01T10:02:10Z current 2019-07-01T10:02:10Z 2019-07-01T10:02:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gvfs This update for gvfs fixes the following issues: Security issues fixed: - CVE-2019-12795: Fixed a vulnerability which could have allowed attacks via local D-Bus method calls (bsc#1137930). - CVE-2019-12447: Fixed an improper handling of file ownership in daemon/gvfsbackendadmin.c due to no use of setfsuid (bsc#1136986). - CVE-2019-12449: Fixed an improper handling of file's user and group ownership in daemon/gvfsbackendadmin.c (bsc#1136992). - CVE-2019-12448: Fixed race conditions in daemon/gvfsbackendadmin.c due to implementation of query_info_on_read/write at admin backend (bsc#1136981). Other issue addressed: - Drop polkit rules files that are only relevant for wheel group (bsc#1125433). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2019-1717,SUSE-SLE-Module-Desktop-Applications-15-2019-1717,SUSE-SLE-Module-Desktop-Applications-15-SP1-2019-1717,SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-1717 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20191717-1/ Link for SUSE-SU-2019:1717-1 https://lists.suse.com/pipermail/sle-security-updates/2019-July/005636.html E-Mail link for SUSE-SU-2019:1717-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1125433 SUSE Bug 1125433 https://bugzilla.suse.com/1136981 SUSE Bug 1136981 https://bugzilla.suse.com/1136986 SUSE Bug 1136986 https://bugzilla.suse.com/1136992 SUSE Bug 1136992 https://bugzilla.suse.com/1137930 SUSE Bug 1137930 https://www.suse.com/security/cve/CVE-2019-12447/ SUSE CVE CVE-2019-12447 page https://www.suse.com/security/cve/CVE-2019-12448/ SUSE CVE CVE-2019-12448 page https://www.suse.com/security/cve/CVE-2019-12449/ SUSE CVE CVE-2019-12449 page https://www.suse.com/security/cve/CVE-2019-12795/ SUSE CVE CVE-2019-12795 page SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Desktop Applications 15 SP1 gvfs-1.34.2.1-4.13.1 gvfs-32bit-1.34.2.1-4.13.1 gvfs-64bit-1.34.2.1-4.13.1 gvfs-backend-afc-1.34.2.1-4.13.1 gvfs-backend-samba-1.34.2.1-4.13.1 gvfs-backends-1.34.2.1-4.13.1 gvfs-devel-1.34.2.1-4.13.1 gvfs-fuse-1.34.2.1-4.13.1 gvfs-lang-1.34.2.1-4.13.1 gvfs-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 gvfs-backend-afc-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 gvfs-backend-samba-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 gvfs-backends-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 gvfs-devel-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 gvfs-fuse-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 gvfs-lang-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 gvfs-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 gvfs-backend-afc-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 gvfs-backend-samba-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 gvfs-backends-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 gvfs-devel-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 gvfs-fuse-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 gvfs-lang-1.34.2.1-4.13.1 as a component of SUSE Linux Enterprise Module for Desktop Applications 15 SP1 An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid is not used. CVE-2019-12447 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-afc-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-samba-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backends-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-devel-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-fuse-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-lang-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backend-afc-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backend-samba-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backends-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-devel-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-fuse-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-lang-1.34.2.1-4.13.1 critical 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N 7.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191717-1/ https://www.suse.com/security/cve/CVE-2019-12447.html CVE-2019-12447 https://bugzilla.suse.com/1136986 SUSE Bug 1136986 An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c has race conditions because the admin backend doesn't implement query_info_on_read/write. CVE-2019-12448 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-afc-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-samba-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backends-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-devel-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-fuse-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-lang-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backend-afc-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backend-samba-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backends-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-devel-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-fuse-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-lang-1.34.2.1-4.13.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191717-1/ https://www.suse.com/security/cve/CVE-2019-12448.html CVE-2019-12448 https://bugzilla.suse.com/1136981 SUSE Bug 1136981 An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to file:// URIs, because root privileges are unavailable. CVE-2019-12449 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-afc-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-samba-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backends-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-devel-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-fuse-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-lang-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backend-afc-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backend-samba-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backends-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-devel-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-fuse-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-lang-1.34.2.1-4.13.1 critical 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N 5.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191717-1/ https://www.suse.com/security/cve/CVE-2019-12449.html CVE-2019-12449 https://bugzilla.suse.com/1136992 SUSE Bug 1136992 daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.) CVE-2019-12795 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-afc-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backend-samba-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-backends-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-devel-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-fuse-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15 SP1:gvfs-lang-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backend-afc-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backend-samba-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-backends-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-devel-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-fuse-1.34.2.1-4.13.1 SUSE Linux Enterprise Module for Desktop Applications 15:gvfs-lang-1.34.2.1-4.13.1 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P 5.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20191717-1/ https://www.suse.com/security/cve/CVE-2019-12795.html CVE-2019-12795 https://bugzilla.suse.com/1137930 SUSE Bug 1137930 https://bugzilla.suse.com/1209876 SUSE Bug 1209876