From: Marc Deslauriers
Reply-To: Ubuntu Security
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <54b46c3a-55eb-fc84-ee33-e86b40b6b894@canonical.com>
Subject: [USN-4053-1] GVfs vulnerabilities
==========================================================================
Ubuntu Security Notice USN-4053-1
July 09, 2019
gvfs vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in GVfs.
Software Description:
- gvfs: Userspace virtual filesystem
Details:
It was discovered that GVfs incorrectly handled the admin backend. Files
created or moved by the admin backend could end up with the wrong ownership
information, contrary to expectations. This issue only affected Ubuntu
18.04 LTS, Ubuntu 18.10, and Ubuntu 19.04. (CVE-2019-12447, CVE-2019-12448,
CVE-2019-12449)

It was discovered that GVfs incorrectly handled authentication on its
private D-Bus socket. A local attacker could possibly connect to this
socket and issue D-Bus calls. (CVE-2019-12795)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.04:
  gvfs                            1.40.1-1ubuntu0.1
  gvfs-backends                   1.40.1-1ubuntu0.1

Ubuntu 18.10:
  gvfs                            1.38.1-0ubuntu1.3.2
  gvfs-backends                   1.38.1-0ubuntu1.3.2

Ubuntu 18.04 LTS:
  gvfs                            1.36.1-0ubuntu1.3.3
  gvfs-backends                   1.36.1-0ubuntu1.3.3

Ubuntu 16.04 LTS:
  gvfs                            1.28.2-1ubuntu1~16.04.3
  gvfs-backends                   1.28.2-1ubuntu1~16.04.3

In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4053-1
CVE-2019-12447, CVE-2019-12448, CVE-2019-12449, CVE-2019-12795
Package Information:
https://launchpad.net/ubuntu/+source/gvfs/1.40.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/gvfs/1.38.1-0ubuntu1.3.2
https://launchpad.net/ubuntu/+source/gvfs/1.36.1-0ubuntu1.3.3
https://launchpad.net/ubuntu/+source/gvfs/1.28.2-1ubuntu1~16.04.3