CVE-2019-12795

Published: 11 June 2019

daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)

Priority

CVSS 3 base score: 7.8

Status

Package	Release	Status
gvfs Launchpad, Ubuntu, Debian	Upstream	Released (1.40.2,1.41.3)



	Ubuntu 18.04 LTS (Bionic Beaver)	Released (1.36.1-0ubuntu1.3.3)
	Ubuntu 16.04 LTS (Xenial Xerus)	Released (1.28.2-1ubuntu1~16.04.3)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Patches: Upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a (master) Upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/d8c9138bf240975848b1c54db648ec4cd516a48f (3.32) Upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/a0da5f16feda323c29850c495acd86dfc8fbb262 (3.32) Upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/e3808a1b4042761055b1d975333a8243d67b8bfe (3.30) Upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/756edf6692aa245faedc9573bf88bfe78af3ead3 (3.30)

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930376

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM