Source: gvfs
Version: 1.38.1-3
Severity: important
Tags: security upstream
Control: found -1 1.30.4-1

Hi,

The following vulnerabilities were published for gvfs.

CVE-2019-12447[0]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c mishandles file ownership because setfsuid
| is not used.

CVE-2019-12448[1]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c has race conditions because the admin
| backend doesn't implement query_info_on_read/write.

CVE-2019-12449[2]:
| An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
| daemon/gvfsbackendadmin.c mishandles a file's user and group ownership
| during move (and copy with G_FILE_COPY_ALL_METADATA) operations from
| admin:// to file:// URIs, because root privileges are unavailable.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12447
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12447
[1] https://security-tracker.debian.org/tracker/CVE-2019-12448
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12448
[2] https://security-tracker.debian.org/tracker/CVE-2019-12449
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12449

Please adjust the affected versions in the BTS as needed, please do
though check (all versions in Debian should be affected).

Regards,
Salvatore