PublicDateAtUSN: 2019-06-11
Candidate: CVE-2019-12795
PublicDate: 2019-06-11 22:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12795
 https://ubuntu.com/security/notices/USN-4053-1
Description:
 daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before
 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket
 without configuring an authorization rule. A local attacker could connect
 to this server socket and issue D-Bus method calls. (Note that the server
 socket only accepts a single connection, so the attacker would have to
 discover the server and connect to the socket before its owner does.)
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930376
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]


Patches_gvfs:
 upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a (master)
 upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/d8c9138bf240975848b1c54db648ec4cd516a48f (3.32)
 upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/a0da5f16feda323c29850c495acd86dfc8fbb262 (3.32)
 upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/e3808a1b4042761055b1d975333a8243d67b8bfe (3.30)
 upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/756edf6692aa245faedc9573bf88bfe78af3ead3 (3.30)
upstream_gvfs: released (1.40.2,1.41.3)
precise/esm_gvfs: DNE
trusty_gvfs: ignored (out of standard support)
trusty/esm_gvfs: DNE
xenial_gvfs: released (1.28.2-1ubuntu1~16.04.3)
esm-infra/xenial_gvfs: released (1.28.2-1ubuntu1~16.04.3)
bionic_gvfs: released (1.36.1-0ubuntu1.3.3)
cosmic_gvfs: released (1.38.1-0ubuntu1.3.2)
disco_gvfs: released (1.40.1-1ubuntu0.1)
devel_gvfs: released (1.40.1-1ubuntu1)