Your message dated Tue, 11 Jun 2019 18:00:41 +0100 with message-id <[email protected]> and subject line Re: Bug#930376: gvfsd GetConnection() missing authorization check has caused the Debian Bug report #930376, regarding gvfsd GetConnection() missing authorization check to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
930376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930376
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gvfs-daemons
Version: 1.14.1-1
Severity: grave
Tags: security fixed-upstream patch
Forwarded: https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a

While looking for services that might be vulnerable to CVE-2019-12749 or a similar vulnerability, I noticed that gvfsd has a mechanism to open a private D-Bus server socket, and does not configure an authorization check for clients connecting to that socket. An attacker who learns the abstract socket address from netstat(8) or similar could connect to it and issue D-Bus method calls.

Mitigation: the attacker would have to win a race with the user owning gvfsd, who is probably also trying to connect to the same socket. gvfsd closes the socket after it has accepted one connection.

I have requested a CVE ID from MITRE but not received one yet.

For buster/sid this has been fixed in gvfs 1.38.1-5.

For experimental this has been fixed in gvfs 1.40.1-2.

I do not have a tested patch for stretch or jessie, but the same change would probably work as-is.

It would probably be a good idea to also backport https://gitlab.gnome.org/GNOME/gvfs/commit/16a275041de2e70063da8aa5cfb2804de9a2f60a for additional hardening. This forces authentication to use the simple, robust EXTERNAL (credentials-passing) mechanism, disabling DBUS_COOKIE_SHA1, which is somewhat fragile and seems more likely to contain unknown vulnerabilities.

Regards,
    smcv
--- End Message ---
--- Begin Message ---
Version: 1.40.1-3

On Tue, 11 Jun 2019 at 17:45:56 +0100, Simon McVittie wrote:
> For buster/sid this has been fixed in gvfs 1.40.1-2

Correction: 1.40.1-2 is vulnerable, 1.40.1-3 is fixed.

    smcv
--- End Message ---

