Bug 1136992 - (CVE-2019-12449) VUL-0: CVE-2019-12449: gvfs: mishandling of file's user and group ownership in daemon/gvfsbackendadmin.c due to unavailability of root privileges
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/233989/
Reported: 2019-05-31 13:14 UTC by Alexandros Toptsoglou
Modified: 2019-07-16 06:02 UTC
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-05-31 13:14:27 UTC
CVE-2019-12449

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2.
daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during
move (and copy with G_FILE_COPY_ALL_METADATA) operations from admin:// to
file:// URIs, because root privileges are unavailable.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12449
https://gitlab.gnome.org/GNOME/gvfs/commit/d5dfd823c94045488aef8727c553f1e0f7666b90
Comment 1 Alexandros Toptsoglou 2019-05-31 13:15:22 UTC
Tracked as affected SLE15.
Upstream fix at [1].

openSUSE Leap 15.0 and 15.1 and TW are also affected.

[1] https://gitlab.gnome.org/GNOME/gvfs/commit/d5dfd823c94045488aef8727c553f1e0f7666b90
Comment 5 Swamp Workflow Management 2019-07-01 13:11:48 UTC
SUSE-SU-2019:1717-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1125433,1136981,1136986,1136992,1137930
CVE References: CVE-2019-12447,CVE-2019-12448,CVE-2019-12449,CVE-2019-12795
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    gvfs-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    gvfs-1.34.2.1-4.13.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    gvfs-1.34.2.1-4.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2019-07-07 22:12:11 UTC
openSUSE-SU-2019:1699-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1125433,1136981,1136986,1136992,1137930
CVE References: CVE-2019-12447,CVE-2019-12448,CVE-2019-12449,CVE-2019-12795
Sources used:
openSUSE Leap 15.0 (src):    gvfs-1.34.2.1-lp150.3.10.1
Comment 7 Swamp Workflow Management 2019-07-07 22:13:52 UTC
openSUSE-SU-2019:1697-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1125433,1136981,1136986,1136992,1137930
CVE References: CVE-2019-12447,CVE-2019-12448,CVE-2019-12449,CVE-2019-12795
Sources used:
openSUSE Leap 15.1 (src):    gvfs-1.34.2.1-lp151.6.3.1
Comment 8 Marcus Meissner 2019-07-16 06:02:43 UTC
done