[ubuntu/eoan-proposed] gvfs 1.40.1-1ubuntu1 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Fri Jul 5 13:06:14 UTC 2019 

gvfs (1.40.1-1ubuntu1) eoan; urgency=medium

  * SECURITY UPDATE: file ownership mishandling
    - debian/patches/CVE-2019-12447-1.patch: allow changing file owner in
      daemon/gvfsbackendadmin.c.
    - debian/patches/CVE-2019-12447-2.patch: use fsuid to ensure correct
      file ownership in daemon/gvfsbackendadmin.c.
    - CVE-2019-12447
  * SECURITY UPDATE: race conditions in admin backend
    - debian/patches/CVE-2019-12448.patch: add query_info_on_read/write
      functionality in daemon/gvfsbackendadmin.c.
    - CVE-2019-12448
  * SECURITY UPDATE: user and group ownership mishandling during move
    - debian/patches/CVE-2019-12449.patch: ensure correct ownership when
      moving to file:// uri in daemon/gvfsbackendadmin.c.
    - CVE-2019-12449
  * SECURITY UPDATE: incorrect D-Bus server socket restrictions
    - debian/patches/CVE-2019-12795-1.patch: check that the connecting
      client is the same user in daemon/gvfsdaemon.c.
    - debian/patches/CVE-2019-12795-2.patch: only accept EXTERNAL
      authentication in daemon/gvfsdaemon.c.
    - CVE-2019-12795

Date: Fri, 05 Jul 2019 08:31:52 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/gvfs/1.40.1-1ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 05 Jul 2019 08:31:52 -0400
Source: gvfs
Architecture: source
Version: 1.40.1-1ubuntu1
Distribution: eoan
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Changes:
 gvfs (1.40.1-1ubuntu1) eoan; urgency=medium
 .
   * SECURITY UPDATE: file ownership mishandling
     - debian/patches/CVE-2019-12447-1.patch: allow changing file owner in
       daemon/gvfsbackendadmin.c.
     - debian/patches/CVE-2019-12447-2.patch: use fsuid to ensure correct
       file ownership in daemon/gvfsbackendadmin.c.
     - CVE-2019-12447
   * SECURITY UPDATE: race conditions in admin backend
     - debian/patches/CVE-2019-12448.patch: add query_info_on_read/write
       functionality in daemon/gvfsbackendadmin.c.
     - CVE-2019-12448
   * SECURITY UPDATE: user and group ownership mishandling during move
     - debian/patches/CVE-2019-12449.patch: ensure correct ownership when
       moving to file:// uri in daemon/gvfsbackendadmin.c.
     - CVE-2019-12449
   * SECURITY UPDATE: incorrect D-Bus server socket restrictions
     - debian/patches/CVE-2019-12795-1.patch: check that the connecting
       client is the same user in daemon/gvfsdaemon.c.
     - debian/patches/CVE-2019-12795-2.patch: only accept EXTERNAL
       authentication in daemon/gvfsdaemon.c.
     - CVE-2019-12795
Checksums-Sha1:
 9cf995b540a44486044680d3ed9dc261d6ee1ccc 3448 gvfs_1.40.1-1ubuntu1.dsc
 48bceddc9ef5ddb13d4b38a77de4a8364f94d798 26944 gvfs_1.40.1-1ubuntu1.debian.tar.xz
 838967897e529d0d49ba19b56fb29f4a8c93dcdd 21912 gvfs_1.40.1-1ubuntu1_source.buildinfo
Checksums-Sha256:
 f6546a28938c7b016bf959bc5f1b54726b6854b1b9f1902623c730038644989d 3448 gvfs_1.40.1-1ubuntu1.dsc
 a3c81179df2473d54c074e74ff535d14723303474bef82c3e9cdacaf0256df19 26944 gvfs_1.40.1-1ubuntu1.debian.tar.xz
 7663c43cc6f428ae73830fe290976e58b42f9e8947b38fcba4b6ad5b88ad5cb2 21912 gvfs_1.40.1-1ubuntu1_source.buildinfo
Files:
 ea71a066040628b3b68cd2e91270da9f 3448 gnome optional gvfs_1.40.1-1ubuntu1.dsc
 4fdce951d7d0f6905677c5048723733a 26944 gnome optional gvfs_1.40.1-1ubuntu1.debian.tar.xz
 c1e5ceebf45d57d9f963967da539afa1 21912 gnome optional gvfs_1.40.1-1ubuntu1_source.buildinfo
Original-Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers at lists.alioth.debian.org>

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAl0fSrYACgkQZWnYVadE
vpOL8A/8DDtlDjhd+rt8GOcPbTQZvlZYDDI2TUgHxV1MNdyyTiqJctBXosG0Xsmr
YHhjEP3qvIMUq8B27K3fBCanNOFoACPx9ll09BiPtbwHNL7zih9p/qqAC6Sr/utG
00I+j+5Oo6L/zNFmWBHvo3/6FTZubSqQC9Z5QAUfE9x+zh8OBqacsHIECuOCSCGs
wcumnbH2JO6skF4giIY3fiGqZepcNprCkNMo8UF52s/36l6A7u4PHTSrA15ONjLt
t78m/SY3o4Vs9vq+mej2Mwj+j95vgSq36BQO9E41ja6ClTs32Q9389ks6YZpo3jt
1F1kzMBjzvaxIFMIFqlTr2/Qfja8uS68RLchS9pW9aAT1Y+hfD+fLHKvlE3YY48N
LEAm3mwXDpsBM97j2HiI0MyLILxPWRpx+EYmPxyjYWgTrJm6nuwfKf+q108R5Lix
9mfFAWOvecpgvoJm5hEprdRBoTx2oFO+pyclB8n75cHoQSIqPp7lj5/Gqyy/5sg0
0y3rZMox2o7KIX0V62SP5FFbD85gJzQypQ4Rp3em9H+xUiKOAsiCy0tCvoDswmQP
IHbt1zC0h8OZu7kzTdC5kdGmxqJkBQcsyf+xoPyKs1Bav5sWwezPTtzGNiGZED1m
QWagqu5d7rnxBX2afk//fBW+8Jo8XwEr7kM+Lz7otleXI9QK07w=
=VM+c
-----END PGP SIGNATURE-----

More information about the Eoan-changes mailing list